Compliance cuts across industries, storage products.


Ever since the large corporate scandals involving Enron, WorldCom, and the like, new government regulations have been entering the business world. Many in the mass-storage world see these regulations as saviors from the business strains created by cuts in capital spending in enterprise IT.

It is true that compliance requirements under new Federal and state regulations will result in more capital spending on storage hardware, software, automation, architectures and services. More records will be retained than ever before, and the impact will touch both structured data, like databases, and unstructured data, like e-mails and instant messages.

Not a Silver Bullet

Even though the global set of government regulations seems huge, they do not represent a silver bullet to kill the werewolf of budgetary constraints. Jack Scott at the Evaluator Group points out that only 15% of all data is impacted by all the new regulations. What the integrator needs to do is identify whether his or her clients are part of that 15% who need to come into compliance.

Many articles and analyst reports on compliance have focused on unstructured data such as text documents, e-mail messages, medical images and other documents for such things as litigation support. This reflects the various laws' focus on both electronic messaging and a variety of supporting documents. The impact on storage is a new obligation on the part of the regulated business to add electronic record retention technologies in place of traditional hardcopy stalwarts, such as paper and film.

In response, government agencies have been formulating new rules to regulate electronic records retention. However, while developing compliance initiatives for unstructured data, companies must not overlook the impact of the new rules on structured data. This would include relational databases, custom software for healthcare records and financial records, and more.

What The Laws Look For

The various regulations are almost never specific about technology; they are more concerned with such things as dates. For example, many of the new regulations require companies to retain records for 2 to 10 years or more, and to retrieve records quickly at a regulator's request. Other regulations require systems to keep secure audit trails of changes and deletions, or to prevent changes or modifications to archived data. Audit trails will be nothing new for many corporations, since their own auditors demand such safeguards. These rules translate into immediate requirements for storage hardware that will meet the government's test of time, as well as sophisticated software for indexing, tracking, archiving, backup and retrieval.

In point of fact, the demand for reliable storage will increase for a cultural reason as well. Very few end users want to take the time or effort to decide which files to delete, so they save everything. No one gets fired for saving everything, but you take a risk when you decide to press the Delete key.

Financial Services

The securities trading industry now has some of the most stringent regulatory requirements for record retention and data storage, particularly under SEC Rule 17 for broker-dealer operations. These high-profile requirements have inspired the architectural concept of the "compliance engine." (See the article on this topic in this issue.)

SEC rules and interpretations were initially focused on the creation and retention of hardcopy records (paper or microfiche). However, hardcopy records and manual processes could not keep pace with the speed and information requirements of today's global markets and trading operations. High-speed, accurate throughput is a requirement instead of an option. Hence the development of a variety of data processing tools, both off-the-shelf and proprietary.


The SEC has responded with informal guidance and official rule changes to recognize and regulate the use of electronic documents and records. Unlike just about every other law for records retention, Rule 17a-4 specifically addresses computer data storage, requiring that the storage technology permit permanent recording that is "non-erasable and non-rewriteable." This reinforces opportunities for optical technologies, especially WORM, which offers permanence but limited capacities. It also opens up opportunities for "WORM tape" from such companies as Sony, StorageTek, and more.

Even hard disk (technologically not a WORM device) may play a role in this effort. The laws have a problem with permanence, not random access. A 2003 interpretation by the SEC cleared WORM-like hard disk for use in this space. The obvious example in this case is EMC Centera, or disk-to-disk solutions from Avamar. Additionally, Network Appliance has what it calls the SnapLock function on its filers, enabling users to support both WORM and write-many functionality in one architecture. The SnapLock software is an add-on feature that can be added to existing Network Appliance NAS filers.

The SEC guideline directs that the software or firmware elements that make each record unrewriteable must reside inside an integrated storage system (probably the controller), not in an applications server.
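As an added illustration, not code from the article or from any vendor named in it, the following Python sketch models the requirements discussed above: a record that cannot be overwritten once written, cannot be deleted before its retention date, and an audit trail of every attempted change that is itself tamper-evident (each entry commits to the hash of the previous one). The record ids, payloads and dates are constructed sample values.

```python
import hashlib
from datetime import date

GENESIS = "0" * 64  # anchor hash for the audit-trail chain

class RetentionLockedStore:
    def __init__(self):
        self.records = {}   # record_id -> (data, sha256 hex, retain_until)
        self.audit = []     # (event, record_id, outcome, entry_hash), append-only

    def _log(self, event, record_id, outcome):
        # Each entry commits to the previous entry's hash, so editing or dropping
        # an earlier entry breaks the chain and verify_audit() reports it.
        prev = self.audit[-1][3] if self.audit else GENESIS
        h = hashlib.sha256(f"{prev}|{event}|{record_id}|{outcome}".encode()).hexdigest()
        self.audit.append((event, record_id, outcome, h))

    def put(self, record_id, data: bytes, retain_until: date) -> bool:
        if record_id in self.records:           # non-rewriteable: no overwrite, ever
            self._log("put", record_id, "rejected-exists")
            return False
        self.records[record_id] = (data, hashlib.sha256(data).hexdigest(), retain_until)
        self._log("put", record_id, "ok")
        return True

    def delete(self, record_id, today: date) -> bool:
        rec = self.records.get(record_id)
        if rec is None or today < rec[2]:       # non-erasable until retention expires
            self._log("delete", record_id, "rejected")
            return False
        del self.records[record_id]
        self._log("delete", record_id, "ok")
        return True

    def get(self, record_id) -> bytes:
        data, digest, _ = self.records[record_id]
        if hashlib.sha256(data).hexdigest() != digest:   # bit-rot / tampering check
            raise ValueError(f"integrity failure for {record_id}")
        return data

    def verify_audit(self, trail=None) -> bool:
        prev = GENESIS
        for event, rid, outcome, h in (self.audit if trail is None else trail):
            if h != hashlib.sha256(f"{prev}|{event}|{rid}|{outcome}".encode()).hexdigest():
                return False
            prev = h
        return True
```

A real product enforces these rules in the controller or filer firmware, as the guideline above requires; the point here is only to make the retention, immutability and audit-trail properties concrete.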

In addition to its detailed requirements for broker-dealer regulation under Rule 17, the SEC has defined broadly applicable rules under the Sarbanes-Oxley Act of 2002 (Public Law 107-204, 116 Stat 745 [2002]) for all companies that are publicly traded in U.S. securities markets. Unlike Rule 17, these rules do not require specific storage capabilities; rather, they impact storage capacity demand. The amount of data that companies retain for internal audit and external reports to stakeholders and regulators.

SOX, as the law is known, requires a public company's chief executive officer and chief financial officer to certify, in each annual and quarterly report, the adequacy of their internal processes and controls for financial reporting. Originally set for enforcement in June 2004, a recent change was made, targeting November as the trigger date. The signing officers are responsible for establishing and maintaining internal controls to ensure that material information is made known to the officers and must also disclose to auditors all deficiencies in internal controls and any fraud conducted by management or employees who have a significant role in the company's internal controls. Also, any material changes in internal controls must be disclosed.

A lack of diligence in these responsibilities will result in the company being accused of making false statements of material facts in financial reports. The penalties are significant. The delay in enforcement was not a merciful gesture. I suggest that the government and regulatory bodies are giving companies "enough rope." Be on the lookout for a poster child for SOX enforcement.

Health Care

The Health Insurance Portability & Accountability Act [HIPAA] (Public Law 104-191, 110 Stat. 1936 [1996]) addresses a variety of health care reforms. Title II, subtitle F addresses 'administrative simplification' and covers health care plans, health care clearinghouses that provide health care transactions, and health care providers. Unlike the financial services laws, HIPAA drills down into small medical practices, medical billing areas, pharmaceutical firms, and more.

The compliance requirement prevents unauthorized disclosure or misuse of protected health information (PHI) and is mandatory for all parties engaged in the health industry. In particular, all members associated with a transaction involving PHI data must demonstrate best practices for the reasonable protection of the data and the infrastructure that supports processing of that data. Failure to comply exposes the offender to significant financial, legal and business penalties, including criminal prosecution. Best security practices require traditional front-end security methods such as physical access controls, data network transport protection, host defenses, system and application authorization, and security policy. This layered defense model must extend to back-end storage, preventing unauthorized access to data at rest.

But HIPAA's impact reaches across key concepts in mass storage and storage management. Storage consolidation, storage pooling on tape media, data stored remotely, data in motion, and stored information leveraging third-party services all have access vulnerabilities that affect compliance efforts.

PHI controls dictate where and how the data can be stored and used. PHI data protection often has related management, training, data classification and infrastructure costs that can be significant. HIPAA Technical Safeguards Section 164.312 suggests encryption as a means to protect PHI. Encryption can be employed to offset other PHI protection costs, but it can be prohibitive to implement and maintain. Two security areas promote privacy of data at rest: access control tools and, as mentioned, encryption. Software or appliance products from NeoScale, Vormetric and Decru come to mind to meet the standard at a manageable cost.

Other Relevant Laws

There are numerous other relevant laws that impact the use of mass storage in an installation. For example, the Department of Defense has DoD 5015.2; this regulation addresses all agencies within the DoD and certifies which applications or technology solutions an agency may implement to manage records.

There are many different types of regulatory compliance issues facing storage administrators and systems integrators today. The overriding concern is that organizations need a cost-effective solution that provides synchronous levels of protection with no distance limitations and with no application degradation.

The hard fact is that compliance issues will be added to everyday storage issues in installations of various sizes, from the SMB to the enterprise. And make no mistake, effective management of storage is crucial to meeting compliance requirements as well as day-to-day operations.
COPYRIGHT 2004 West World Productions, Inc.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation: Regulatory Compliance
Author: Ferelli, Mark
Publication: Computer Technology Review
Date: May 1, 2004