Assessing your storage and backup for regulatory compliance

Computer Technology Review, May, 2004 by Ken Barth

Compliance is one of the most talked-about issues in data management in recent years. As deadlines for federally mandated programs draw near, the issue is becoming more and more important. Yet, despite all of the discussion and buzz, few organizations have actually implemented a compliance plan as part of their business operations. Perhaps the greatest stumbling block to devising and rolling out compliance plans is widespread confusion as to what the various regulations and legislation require, and what actions organizations must take in order to comply with them.

The challenges facing IT managers seem never-ending in the constantly and rapidly changing world of technology. The issue of regulatory compliance adds another murky, albeit important, area of concern. The term "compliance" is an umbrella term that has come to cover the recent spate of federal and state legislation dictating how organizations must retain and preserve their vast stores of data. The impact of such legislation is bound to be widespread, affecting most of corporate America. Furthermore, the confusion over compliance initiatives, their cost, and their potential impact stems from the lack of clearly defined guidelines. In fact, the very term itself continues to grow and expand in what it encompasses.

As it stands, regulatory compliance legislation directly affects private and public companies, particularly those in regulated sectors such as government, finance, and health care. In addition, many organizations have come to realize the importance of data as an asset for business operations and continuity. The result is that IT departments face new and evolving compliance requirements for security and data retention set by their own organizations.

Central to the whole issue of regulatory compliance are three questions:

* What data types are subject to archiving?

* How long does that data need to be stored and accessible?

* What do organizations need to do in order to be compliant?

While there are numerous pieces of legislation that deal with data retention, including the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999, and the Uniform Electronic Transactions Act (UETA) of 1999, probably the most talked-about and anxiety-producing is the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley was signed into law by the current President Bush following such high-profile corporate scandals as Enron, Tyco, and WorldCom, as an attempt to correct problems in the way organizations had been reporting their financial information. Sarbanes-Oxley states what records an organization must archive and for how long those records must be stored (all business records, including electronic messages, must be saved for at least five years and possibly longer). It does not offer a set of business practices or guidelines on how organizations are to store records, leaving IT managers to create archiving programs and procedures that both fulfill the requirements of Sarbanes-Oxley and fit within their budgets. Failure to meet the mandated Fall 2004 deadline for compliance carries severe penalties.

Costs can be considerable when implementing a compliance program. Software for records retention as well as storage media must be purchased. Designing a plan, establishing policies, implementing the plan, and managing it all require man-hours. Many larger companies have had to hire staff dedicated to the task. These costs can add up to a daunting expenditure for small to medium businesses. What's more, the entire process involves a certain degree of frustration, both because of the vague guidelines of the Sarbanes-Oxley Act and because many organizations don't perceive themselves to be at risk of a federal investigation. The task of implementing a compliance initiative is further complicated by the fact that no one vendor has the end-all solution. A viable solution will need partnering, integration, and cooperation between vendors.

The answer many organizations are arriving at in response to the need for a compliance-oriented solution is to create a centralized enterprise records management (ERM) system where multiple data types can be stored safely and securely. However, launching into such a solution without careful advance planning is a complicated and costly venture. Deploying a solution without first understanding the data only complicates things further and wastes resources. With these issues in mind, organizations looking to address regulatory compliance need to step back and assess their needs and requirements before jumping into quick purchasing decisions.

In order to make intelligent decisions about data retention and archiving, you need visibility into your storage and backup environment. The best first step in establishing a compliance-oriented ERM program is a careful examination of your storage and backup infrastructure. A thorough assessment of the storage environment and the data itself makes it possible to establish criteria for a retention and compliance program before spending resources or adding more complexity to your network management. Understanding what needs to be archived begins with understanding what data an organization currently has, who owns the data, where it resides, when it was last accessed, what level of archiving versus availability the business application requires, and what procedures are in place to back up that data. Fortunately, storage resource reporting and monitoring tools are available for a quick and easy examination of backup and storage, offering visibility into and assurance about an organization's data stores. Furthermore, this can be the first step in an information lifecycle management (ILM) program.


 

Content provided in partnership with Thompson Gale