The case for compliance profiling.

Enterprise Storage Group (ESG) estimates that customers will spend upwards of $6B on storage hardware, software, and services to enable compliance with a myriad of regulations. HIPAA, SEC 17a-3 & 4, and Sarbanes-Oxley, amongst others, have changed the way IT and business stakeholders manage information. Regulators, legislators, the courts and regulatory enforcement all continue to emphasize the importance of a complete, tamper-proof archive. It is no longer an acceptable approach to rely on employees to maintain the archive. Although compliance and records management is not new to regulated business, it is only recently that compliance has become a critical element in IT infrastructure planning. Currently, the impact is still being determined. In the longer term, it will change the nature of how IT infrastructure, particularly storage, will be implemented.

The Current Impact of Compliance on IT Infrastructure

The current impact of compliance on IT infrastructure is chaotic.
As industries emerge from capital spending lock-downs and begin planning and implementing the next round of IT development, new regulatory standards for electronic records management and daunting increases in the volume of data to be retained in an accessible manner are dictating different strategies for storage.

New Regulatory Standards for Electronic Records Management

In the wake of disturbing excesses on the part of some businesses and their executives, lawmakers and regulators are implementing a new round of more aggressive laws, increased regulation and stepped up enforcement. More aggressive laws, such as Sarbanes-Oxley, establish new levels of personal liability for IT managers and personnel. Record integrity requirements have added a new dimension to storage planning that was primarily backup and recovery oriented. New integrity standards include such elements as:

* Written records management and retention policies
* Proof of consistent adherence to those policies
* Ability to prove that the archives are complete and not selective
* Ability to prove that the entries in the archives could only have been created at the point in time indicated
* Ability to prove that the archives are tamper-proof

These standards for the integrity of records, particularly electronic records, are also being affirmed in the courts. The climate of tolerance for irresponsible records management, whether intentional or inadvertent, has come to an end. Previously common practices of not retaining records as a means of dealing with the risk of data content have become points of both enterprise and personal risk. Numerous cases in the courts have created a body of legal precedent that penalizes both companies and their management.

Regulatory Requirements

Every business has records management regulatory requirements. From the smallest professional company with only a few employees to large global enterprises operating in multiple regulatory jurisdictions, all companies have regulatory requirements. The migration of the majority of information, from physical to electronic form with specific regulatory standards, is shifting the burden of managing this data. Record retention and management has now become an IT problem.
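The three technical integrity standards listed above (the archive is complete and not selective, each entry can only have been created at the time indicated, and the archive is tamper-proof) are usually met in practice by an append-only archive whose entries are hash-chained and whose chain head is periodically copied to a separate write-once location. The following is an added illustration written for this page, not code from the article or from ESG or SANZ. It assumes SHA-256 as the chain digest, archive-assigned ISO-8601 UTC timestamps, and models the external anchor store as a plain Python list standing in for WORM media or an off-site log; the record contents are constructed sample data.

```python
"""Hash-chained, append-only record archive with external anchors (added example).

Each entry commits to its predecessor's digest, its recorded time and its
content, so a verifier can detect altered, deleted, inserted or reordered
entries. Because an insider who controls the archive could simply recompute
a whole new chain, the chain head is periodically copied to an anchor store
(here a list; in practice WORM media or an off-site log) and verification
checks the chain against those anchors.
"""
import hashlib
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # predecessor digest of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int           # position in the archive, assigned by the archive
    recorded_at: str   # ISO-8601 UTC timestamp assigned by the archive, not the submitter
    content: str
    prev_digest: str   # digest of the preceding entry (GENESIS for the first)
    digest: str        # SHA-256 over (seq, recorded_at, content, prev_digest)


def _digest(seq, recorded_at, content, prev_digest):
    # Canonical JSON so the same fields always serialise, and hash, the same way.
    payload = json.dumps([seq, recorded_at, content, prev_digest], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Archive:
    def __init__(self):
        self.entries = []
        self.anchors = []  # (seq, digest) copies of the chain head for write-once storage

    def append(self, recorded_at, content):
        if self.entries and recorded_at < self.entries[-1].recorded_at:
            raise ValueError("recorded_at must not go backwards")
        prev = self.entries[-1].digest if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, recorded_at, content, prev, _digest(seq, recorded_at, content, prev))
        self.entries.append(entry)
        return entry

    def anchor(self):
        # Publish the current head; an anchor is what makes later rewriting detectable.
        head = self.entries[-1]
        self.anchors.append((head.seq, head.digest))


def verify(entries, anchors):
    """Return a list of problems found; an empty list means the archive checks out."""
    problems = []
    prev, last_ts = GENESIS, ""
    for i, e in enumerate(entries):
        if e.seq != i:
            problems.append(f"entry {i}: sequence gap or reorder (seq={e.seq})")
        if e.prev_digest != prev:
            problems.append(f"entry {i}: broken link to predecessor")
        if e.digest != _digest(e.seq, e.recorded_at, e.content, e.prev_digest):
            problems.append(f"entry {i}: content or timestamp altered")
        if e.recorded_at < last_ts:
            problems.append(f"entry {i}: timestamp earlier than predecessor")
        prev, last_ts = e.digest, e.recorded_at
    by_seq = {e.seq: e.digest for e in entries}
    for seq, digest in anchors:
        if by_seq.get(seq) != digest:
            problems.append(f"anchor at seq {seq} does not match archive")
    return problems


def demo():
    """Build a small archive from constructed records and verify four scenarios."""
    a = Archive()
    a.append("2004-03-01T09:00:00Z", "trade confirmation #1")        # constructed
    a.append("2004-03-01T09:05:00Z", "email retained: quarterly figures")
    a.anchor()
    a.append("2004-03-02T11:30:00Z", "trade confirmation #2")
    a.anchor()
    # Scenario 1: content of entry 1 edited in place, stored digest left untouched.
    altered = list(a.entries)
    altered[1] = replace(altered[1], content="email retained: revised figures")
    # Scenario 2: a selective archive with the middle entry removed.
    deleted = a.entries[:1] + a.entries[2:]
    # Scenario 3: the whole chain recomputed without the unwanted record.
    rebuilt = Archive()
    rebuilt.append("2004-03-01T09:00:00Z", "trade confirmation #1")
    rebuilt.append("2004-03-02T11:30:00Z", "trade confirmation #2")
    return {
        "clean": verify(a.entries, a.anchors),
        "altered": verify(altered, a.anchors),
        "deleted": verify(deleted, a.anchors),
        "rebuilt": verify(rebuilt.entries, a.anchors),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```

The rebuilt scenario is the one that matters for the "tamper-proof" standard: the recomputed chain is internally consistent and passes every per-entry check, and only the comparison against the externally held anchors reveals that the archive no longer matches what was published. That is why the anchor copies have to live somewhere the archive's own administrators cannot rewrite.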
[GRAPHIC OMITTED]

"Regulatory compliance should not be viewed as a corporate tax that IT must burden," commented Peter Gerr, an analyst with ESG. "There are unique opportunities for businesses to classify their information assets and protect them accordingly all the while enabling the compliance process. To that end, the first step customers need help with is understanding the risk associated with their current technology and procedures. Risk assessments, from backup infrastructure to record retention policies, must be conducted prior to any technology purchases or process change."

The Regulatory Requirements aspect of Compliance Profiling is to use the regulations to develop an IT infrastructure profile that can respond to a wide variety of regulatory requirements.

IT Functionality

The Regulatory Requirements of Compliance Profiling defines the requirements specifications needed to be able to address the spectrum of regulations confronted by a company. The IT Functionality describes the features and functions the IT infrastructure must have in order to be able to support applications that address specific regulatory requirements.

Compliance Profiling

IT planners, strategists and managers are confronted with the demand for new regulatory compliance capabilities just at the time when new infrastructure is being planned and rolled out. These new regulatory requirements tend to delay decisions and implementation of critical infrastructure.
Compliance Profiling provides IT management with a comprehensive plan for addressing current and future compliance requirements in an integrated and cohesive manner without extensive regulatory analysis. Compliance Profiling creates a reference document for IT planners to use so that the infrastructure can better absorb regulatory requirements without major redesign or the development of costly and hard to support "point" solutions. The value of Compliance Profiling is that it enables IT to keep to planning and implementation timetables while still being able to respond to specific regulatory requirements as they arise. Reducing the cost of satisfying specific regulatory requirements is an added benefit.

[GRAPHIC OMITTED]

Compliance Profiling is accomplished by addressing the relationship between regulatory requirements and IT infrastructure platforms from several different perspectives. These include:

* Regulatory Requirements
* IT Functionality
* Central Information Store Strategy
* Information Lifecycle Management
* Media Storage Life
* Scalability
* Litigation Support
* User and Regulatory Access

Information Lifecycle Management

A key part of a responsive regulatory IT infrastructure deals with Information Lifecycle Management. At different points in the life of information, the urgency of retrieval and the universality of access change and afford opportunities to move data to more cost-effective means of storage. This helps maximize the operational and regulatory value of the most costly infrastructure while not compromising the integrity of the regulatory archive.

Media Storage Life

Media Storage Life becomes more critical as records retention requirements extend the horizon dates of information. Some regulations require retention of records for more than 30 years. We have already seen instances where some types of storage media will fail long before those dates. Part of the Compliance Profile is the development of a data retention strategy that ensures the availability of data for its entire retention life.

Scalability

Longer retention periods, greater proliferation of data, and the growing size of records all combine to drive rampant growth in storage and, as a result, in storage infrastructure. The ability to absorb this growth is critical to the ongoing viability of a compliant IT infrastructure.

[ILLUSTRATION OMITTED]

Litigation Support

In addition to regulatory requirements, the archive should be an effective litigation support tool. The characteristics of a credible regulatory archive are very similar to the requirements for a responsive and cost-effective litigation support system. Litigation Support has unique record segregation and retention requirements that should be addressed in every enterprise IT plan.
User and Regulatory Access

Another important element in completing a Compliance Profile is to understand what access users and regulators require. User requirements will tend to focus on more recent data while regulatory interests may focus on older data. Some regulations specify how fast and in what manner regulators must be able to access information. An effective compliant design will accommodate both types of requirements.

The Long-Term Impact

The long-term impact will focus on managing the cost of records storage while creating an infrastructure that can be responsive to specific current and future regulatory requirements. The idea is to create a "Compliance Ready Infrastructure". By taking this approach, infrastructure planning and development can commence without the need for a detailed analysis of the compliance requirements. The detailed analysis will need to be done in conjunction with the implementation of each of the compliance platforms. Part of that detailed analysis will determine how to use the existing infrastructure to its best advantage.

Compliance Profiling

Compliance Profiling puts control of IT planning back in the hands of IT strategists without giving up the ability to cost effectively address both current and future regulatory compliance requirements. It is not exclusively a regulatory review but requires a convergence of both regulatory expertise and a broad knowledge of available infrastructure solutions, with support from an organization that embodies both.

According to Gerr, "Service organizations undoubtedly play a significant role when customers initially address compliance from a technology perspective. They are the rangers who help identify high-risk areas in process and procedures and can ultimately point customers to the appropriate solution."
Regulatory Compliance Summary

Regulations
* Over 15,000 regulations in U.S. alone for federal, state & local laws (e.g. Sarbanes-Oxley, HIPAA, SEC 17.a-4)
* Significant penalties for non-compliance

Compliance & Corporate Governance
* Blend of process, people & technology to effectively manage and maintain your records
* First, determine your specific compliance requirements, process changes needed & use of technology

Impact on Information Management
* Must be maintained for long periods of time
* Must be readily accessible, even across future technologies
* Must be retained securely and in original format / unalterable

Enabling Technologies
* Networked storage infrastructure, consolidation of control
* WORM-like (Write Once Read Many) media options
* Policy-based message management software for archival
(Images courtesy of Enterprise Storage Group)
Thomas Bookwalter is vice president of Compliance Solutions for SANZ Inc. (Castle Rock, CO), www.sanz.com