Assessing your storage and backup for regulatory compliance.


Compliance is one of the most talked about issues in data management in recent years. As deadlines for federally mandated programs loom near, the issue is becoming more and more important. Yet, despite all of the discussion and buzz, few organizations have actually implemented a compliance plan as part of their business operations. Perhaps the greatest stumbling block to devising and rolling out compliance plans is widespread confusion as to what the various regulations and legislation require and what actions organizations must take in order to comply with them.

The challenges facing IT managers seem never ending in the consistently and rapidly changing world of technology. The issue of regulatory compliance adds another murky, albeit important, area of concern. The term "compliance" is an umbrella term that has come to cover the recent spate of federal and state regulatory legislation dictating how organizations must retain and preserve their vast stores of data. The impact of such legislation is bound to be widespread, affecting most of corporate America. Furthermore, the confusion over compliance initiatives, their cost, and their potential impact stems from the lack of clearly defined guidelines. In fact, the very term itself continues to grow and expand in what it encompasses.

As it stands, regulatory compliance legislation directly affects private and public companies, particularly those in regulated industries such as government, finance, and health care. In addition, many organizations have come to realize the importance of data as an asset for business operations and continuity. The result is IT departments facing new and developing compliance requirements for security and data retention set by their own organizations.

Central to the whole issue of regulatory compliance are three questions:

* What data types are subject to archiving?

* How long does that data need to be stored and accessible?

* What do organizations need to do in order to be compliant?

While there are numerous pieces of legislation that deal with data retention, including the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999, and the Uniform Electronic Transactions Act (UETA) of 1999, probably the most talked about and anxiety-producing is the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley was signed into law by President Bush following such high-profile corporate scandals as Enron, Tyco, and WorldCom as an attempt to correct problems in the way organizations had been reporting their financial information. Sarbanes-Oxley states what records an organization must archive and for how long those records must be stored (all business records, including electronic messages, must be saved for at least five years and possibly longer). It does not offer a set of business practices or guidelines on how organizations are to store records, leaving IT managers to create archiving programs and procedures that both fulfill the requirements of Sarbanes-Oxley and fit within their budgets. Failure to meet the mandated Fall 2004 deadline for compliance carries severe penalties.

Costs can be considerable when implementing a compliance program. Software for records retention as well as storage media must be purchased. Designing a plan, establishing policies, implementing the plan and managing it require man-hours. Many larger companies have had to hire staff dedicated to the task. These costs can lead to a daunting expenditure for the small to medium business. What's more, the entire process involves a certain degree of frustration due to the vague guidelines of the Sarbanes-Oxley Act and because many organizations don't perceive themselves at risk of a federal investigation. The task of implementing a compliance initiative is further complicated by the fact that no one vendor has the end-all solution. A viable solution will need partnering, integration and cooperation between vendors.

The answer many organizations are coming to in response to the need for a compliance-oriented solution is to create a centralized enterprise records management (ERM) system where multiple data types can be stored safely and securely. However, launching into such a solution without careful, advance planning is a complicated and costly venture. Deploying a solution without first understanding the data only complicates things further and wastes resources. With these issues in mind, organizations looking to address matters of regulatory compliance need to step back and assess their needs and requirements before jumping into quick purchasing decisions.

In order to make intelligent decisions about data retention and archiving, you need visibility into your storage and backup environment. The best first step in establishing a compliance-oriented ERM program is a careful examination of your storage and backup infrastructure. A thorough assessment of the storage environment and the data itself lets you establish criteria for a retention and compliance program before spending resources and adding more complexity to your network management. Understanding what needs to be archived begins with understanding what data an organization currently has, who owns the data, where it resides, when it was last accessed, what level of archiving versus availability the business application requires, as well as the procedures in place to back up that data. Fortunately, storage resource reporting and monitoring tools are available for a quick and easy examination of backup and storage, offering visibility into and assurance about an organization's data stores. Furthermore, this can be the first step in information lifecycle management (ILM) programs.

Before tackling data migration for archiving and compliance, organizations need to know what data they have, where it's stored and if it's being successfully backed up. Data types vary (e-mail, graphics, databases, and so on), and data may serve multiple related applications. Moreover, data is used for varying purposes and exists under varying degrees of confidentiality and security. For example, personnel and financial records may be stored in ways very different from corporate newsletters and product manuals. Companies also need to be aware that there may be large amounts of personal data stored on servers, and some of that data may be prohibited (such as unauthorized software, MP3 files, or personal photographs: things that wouldn't logically be subject to backup or archiving for regulatory compliance).
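The inventory step described above (what data exists, who owns it, when it was last accessed, whether it is backed up, and which content is not subject to archiving at all) can be expressed as a small classification pass. The following is an added example and is not code from the article or from Tek-Tools; the extension-to-record-class policy, the one-year staleness threshold, the `FileInfo` record, and the sample inventory are all constructed assumptions that a team would replace with its own retention schedule and the export from its own storage reporting tool.

```python
"""Inventory and classify a data store before deciding what to archive.

Added example, not from the article or from Tek-Tools. The extension policy,
the staleness threshold and the SAMPLE records below are constructed.
"""
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path

# Hypothetical policy: which extensions count as business records, and which
# content is not subject to backup or archiving at all (personal media, etc.).
RECORD_CLASSES = {
    ".xls": "financial", ".xlsx": "financial", ".qbw": "financial",
    ".msg": "email", ".eml": "email", ".pst": "email",
    ".doc": "document", ".docx": "document", ".pdf": "document",
    ".mdb": "database", ".bak": "database",
}
EXCLUDED_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".mov", ".exe", ".msi"}


@dataclass
class FileInfo:
    path: str
    owner: str
    size: int
    last_access: datetime
    backed_up: bool  # whether the last successful backup job covered this file


def classify(info: FileInfo, now: datetime,
             stale_after: timedelta = timedelta(days=365)) -> dict:
    """Decide what should happen to one file under the policy above."""
    ext = Path(info.path).suffix.lower()
    if ext in EXCLUDED_EXTENSIONS:
        return {"class": "excluded", "action": "exclude"}
    record_class = RECORD_CLASSES.get(ext)
    if record_class is None:
        return {"class": "unknown", "action": "review"}
    if not info.backed_up:
        # A record with no successful backup is a protection gap before it is
        # an archiving question; it is reported separately so it gets fixed first.
        return {"class": record_class, "action": "fix-backup"}
    if now - info.last_access > stale_after:
        return {"class": record_class, "action": "archive"}
    return {"class": record_class, "action": "keep-online"}


def assess(inventory: list, now: datetime) -> dict:
    """Summarise an inventory: action counts, bytes per owner, records at risk."""
    actions = Counter()
    bytes_by_owner = defaultdict(int)
    unprotected = []
    archive_bytes = 0
    for info in inventory:
        verdict = classify(info, now)
        actions[verdict["action"]] += 1
        if verdict["action"] != "exclude":
            bytes_by_owner[info.owner] += info.size
        if verdict["action"] == "fix-backup":
            unprotected.append(info.path)
        if verdict["action"] == "archive":
            archive_bytes += info.size
    return {
        "actions": dict(actions),
        "bytes_by_owner": dict(bytes_by_owner),
        "unprotected_records": sorted(unprotected),
        "archive_bytes": archive_bytes,
    }


def scan_directory(root: str) -> list:
    """Build FileInfo records from a real tree. Owner is the numeric uid and
    backup status must come from the backup tool, so it is left False here."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            out.append(FileInfo(p, str(st.st_uid), st.st_size,
                                datetime.fromtimestamp(st.st_atime), False))
    return out


# Constructed sample inventory, shaped like a storage reporting tool's export.
NOW = datetime(2004, 5, 1)
SAMPLE = [
    FileInfo("/fin/ledger-2002.xls", "finance", 4_000_000, datetime(2003, 1, 15), True),
    FileInfo("/fin/ledger-2004.xls", "finance", 5_000_000, datetime(2004, 4, 28), True),
    FileInfo("/mail/ceo.pst", "exec", 900_000_000, datetime(2004, 4, 30), False),
    FileInfo("/hr/handbook.pdf", "hr", 2_000_000, datetime(2004, 3, 1), True),
    FileInfo("/users/bob/party.mp3", "bob", 6_000_000, datetime(2004, 4, 1), True),
    FileInfo("/users/bob/notes.txt", "bob", 10_000, datetime(2004, 4, 1), True),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE, NOW).items():
        print(f"{key}: {value}")
```

The point of separating `fix-backup` from `archive` is the one the article makes in the next sections: a record that is not being backed up is a gap in protection regardless of where it later goes, and excluded content (the MP3 in the sample) is dropped from the per-owner totals so that it does not inflate the storage that the compliance program is sized for.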

Compliance with data retention regulations and policy-based management programs such as information lifecycle management can make valuable use of storage and backup monitoring and reporting tools. In order to gain the needed visibility into your environment, perform an assessment of your storage and backup using one of the available software suites that can monitor and report on diverse and distributed environments. An assessment is the first step in establishing and clarifying effective policies and procedures for managing data, and classifying information and applications according to their value to the business and according to requirements for retention.

Performing a proactive assessment of data stores and backup procedures is essential to considering any acquisition of resources for regulatory compliance, whether they be software, hardware, or staff. Armed with a full understanding of the amount and type of data, where it's stored, and if and how it's being backed up, it is possible to make a responsible decision instead of making a reactive, premature, and possibly unnecessary expenditure. When evaluating your assessment options, consider toolkits that provide granular visibility into your environment and that offer a full complement of monitoring and reporting.

Knowing when a backup is successful and when and why a backup fails, together with reports that allow you to compare backups, prevents pain and offers assurance that you remain in compliance with relevant regulations. Questions to ask include: What's being stored on the network and what's being backed up? Are backups slow because obsolete or unchanged data is being repeatedly backed up? Are backups successful and complete? What's the availability of data during backup and after archiving? An evaluation of the data in relation to usefulness and accessibility is only the first step in assessing your environment. Your assessment must also examine the repositories where data is stored and where it's backed up. You will need a tool that can take a granular view of all of your storage resources, including DAS, NAS, and SAN, as well as file and application servers such as Exchange, and desktop and notebook workstations that may contain vital information subject to the rules prescribed by regulatory legislation.

Once the policies and procedures are in place for your compliance program, you need to be assured that your backups continue to be successful and complete. Failed backups mean your data is insecure, you won't be able to make a successful recovery in the event of a disaster, and you certainly won't be in compliance. The complicated nature of data management makes backups a crucial issue in IT. Users in general are concerned about their protection from data loss and being out of compliance, often citing that current backup methods leave crucial data at risk. Businesses need to be assured their backups are successful and that they're backing up what really needs to be backed up. Depending on the size and nature of the organization, some decisions about backup and recovery may not be flexible. Regulations such as Sarbanes-Oxley have been imposed precisely to ensure that enterprises are conducting business properly. Your tools should be able to monitor and report on backup devices and processes, monitor tape backups, and report on successes, failures, backup sizes and many other relevant data on backup configuration and performance.
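The questions listed earlier (are backups successful and complete, when and why do they fail, and is unchanged data being backed up over and over) and the ongoing monitoring called for in this section both come down to reading the backup tool's job log and comparing runs. The following is an added example, not code from the article or from Tek-Tools. The `key=value` job-log line format is hypothetical, the log lines are constructed, and the 36-hour "no recent success" window and the three-run "identical size" threshold are assumptions; in practice `parse_line()` would be rewritten for the real backup software's log format.

```python
"""Report on backup job outcomes from a job log, comparing consecutive runs.

Added example, not from the article or from Tek-Tools. The line format,
the LOG text and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical job-log format: "<timestamp> job=<name> status=<OK|FAILED|PARTIAL>
# [bytes=<n>] [files=<n>] [reason="<text>"]"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) job=(?P<job>\S+) '
    r'status=(?P<status>OK|FAILED|PARTIAL)(?: bytes=(?P<bytes>\d+))?'
    r'(?: files=(?P<files>\d+))?(?: reason="(?P<reason>[^"]*)")?$'
)


def parse_line(line: str):
    """Parse one job-log line; return None for lines that are not job records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "job": d["job"],
        "status": d["status"],
        "bytes": int(d["bytes"]) if d["bytes"] else 0,
        "files": int(d["files"]) if d["files"] else 0,
        "reason": d["reason"] or "",
    }


def backup_report(lines, now: datetime,
                  max_success_age: timedelta = timedelta(hours=36),
                  repeat_threshold: int = 3) -> dict:
    """Per job: success rate, failures with reasons, staleness of the last
    good run, size change between the last two good runs, and whether the
    same byte/file counts keep recurring (unchanged data backed up again)."""
    runs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            runs[rec["job"]].append(rec)
    report = {}
    for job, recs in runs.items():
        recs.sort(key=lambda r: r["ts"])
        ok = [r for r in recs if r["status"] == "OK"]
        failures = [(r["ts"], r["reason"]) for r in recs if r["status"] != "OK"]
        last_ok = ok[-1]["ts"] if ok else None
        stale = last_ok is None or now - last_ok > max_success_age
        # Consecutive successful runs with identical byte and file counts suggest
        # full backups of data that never changes: a candidate for archiving.
        streak, best = 1, 1
        for prev, cur in zip(ok, ok[1:]):
            if (prev["bytes"], prev["files"]) == (cur["bytes"], cur["files"]):
                streak += 1
                best = max(best, streak)
            else:
                streak = 1
        report[job] = {
            "runs": len(recs),
            "success_rate": round(len(ok) / len(recs), 2),
            "last_success": last_ok,
            "stale": stale,
            "failures": failures,
            "size_delta": ok[-1]["bytes"] - ok[-2]["bytes"] if len(ok) >= 2 else None,
            "repeated_unchanged": best >= repeat_threshold,
        }
    return report


# Constructed job log: one job with a tape failure, one backing up the same
# data every night, one Exchange job that has not succeeded for days.
LOG = """\
2004-04-26 02:00:10 job=fin-nightly status=OK bytes=4200000000 files=18100
2004-04-27 02:00:12 job=fin-nightly status=OK bytes=4250000000 files=18230
2004-04-28 02:00:09 job=fin-nightly status=FAILED reason="tape drive offline"
2004-04-29 02:00:11 job=fin-nightly status=OK bytes=4300000000 files=18310
2004-04-26 03:00:00 job=hr-weekly status=OK bytes=900000000 files=5000
2004-04-27 03:00:00 job=hr-weekly status=OK bytes=900000000 files=5000
2004-04-28 03:00:00 job=hr-weekly status=OK bytes=900000000 files=5000
2004-04-29 03:00:00 job=hr-weekly status=OK bytes=900000000 files=5000
2004-04-25 01:00:00 job=exchange-mail status=OK bytes=60000000000 files=1
2004-04-26 01:00:00 job=exchange-mail status=FAILED reason="VSS snapshot error"
2004-04-27 01:00:00 job=exchange-mail status=FAILED reason="VSS snapshot error"
not a job record
"""
NOW = datetime(2004, 4, 29, 8, 0, 0)

if __name__ == "__main__":
    for job, summary in backup_report(LOG.splitlines(), NOW).items():
        print(job, summary)
```

Run against the constructed log, the report flags `exchange-mail` as stale (no successful run inside the 36-hour window, two failures with the same reason), shows `fin-nightly` recovering after one tape failure with a 50 MB growth between its last two good runs, and marks `hr-weekly` as repeatedly backing up unchanged data, which is exactly the case where the article suggests archiving rather than nightly re-copying.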

Storage and backup resource reporting and monitoring utilities function well as part of an ILM or ERM program and facilitate efforts at regulatory compliance initiatives. Understanding and evaluating the importance and age of data and how often it needs to be accessed versus requirements for storage and compliance aids in making smart decisions about what data is eligible or required to be archived and what can be deleted, thus streamlining network management and compliance procedures as well as easing the burden on storage resources. Features to look for in a monitoring and reporting tool as part of a compliance initiative include real-time monitoring for always-on management; off-the-shelf reports that require little time to process or can be easily customized via a wizard; a browser-based/web-accessible view; and the ability to save information over time for forecasting and trending.

Storage and backup resource monitoring and reporting utilities are an indispensable part of a cost-effective compliance program. Available tools can quickly provide a thorough and detailed assessment and analysis of an existing data storage and backup infrastructure, even for distributed and heterogeneous environments. Such tools identify what data is stored and where, for proper archiving and compliance initiatives, with the added benefits of identifying shortcomings and bottlenecks in the storage installation.

Ken Barth is president and CEO of Tek-Tools, Inc. (Dallas, TX)

www.tek-tools.com
COPYRIGHT 2004 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Regulatory Compliance
Author:Barth, Ken
Publication:Computer Technology Review
Geographic Code:1USA
Date:May 1, 2004
Words:1762