Assessing your storage and backup for regulatory compliance.
The challenges facing IT managers seem never-ending in the consistently and rapidly changing world of technology. The issue of regulatory compliance adds another murky, albeit important, area of concern. The term "compliance" is an umbrella term that has come to cover the recent spate of federal and state regulatory legislation dictating how organizations must retain and preserve their vast stores of data. The impact of such legislation is bound to be widespread, affecting most of corporate America. Furthermore, the confusion over compliance initiatives, their cost, and their potential impact stems from the lack of clearly defined guidelines. In fact, the very term itself continues to grow and expand in what it encompasses.
As it stands, regulatory compliance legislation directly affects private and public companies, particularly those in regulated industries such as government, finance, and health care. In addition, many organizations have come to realize the importance of data as an asset for business operations and continuity. The result is IT departments facing new and developing compliance requirements for security and data retention set by their own organizations.
Central to the whole issue of regulatory compliance are three questions:
* What data types are subject to archiving?
* How long does that data need to be stored and accessible?
* What do organizations need to do in order to be compliant?
While there are numerous pieces of legislation that deal with data retention, including the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999, and the Uniform Electronic Transactions Act (UETA) of 1999, probably the most talked about and anxiety-producing is the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley was signed into law by the current President Bush following such high-profile corporate scandals as Enron, Tyco, and WorldCom as an attempt to correct problems in the way organizations had been reporting their financial information. Sarbanes-Oxley states what records an organization must archive and for how long those records must be stored (all business records must be saved, including electronic messages, for at least five years and possibly longer). It does not offer a set of business practices or guidelines on how organizations are to store records, leaving IT managers to create archiving programs and procedures that both fulfill the requirements of Sarbanes-Oxley and fit within their budgets. Failure to meet the mandated Fall 2004 deadline for compliance carries severe penalties.
Costs can be considerable when implementing a compliance program. Software for records retention as well as storage media must be purchased. Designing a plan, establishing policies, implementing the plan and managing it require man-hours. Many larger companies have had to hire staff dedicated to the task. These costs can lead to a daunting expenditure for the small to medium business. What's more, the entire process involves a certain degree of frustration due to the vague guidelines of the Sarbanes-Oxley Act and because many organizations don't perceive themselves at risk of a federal investigation. The task of implementing a compliance initiative is further complicated by the fact that no one vendor has the end-all solution. A viable solution will need partnering, integration and cooperation between vendors.
The answer many organizations are coming to in response to the need for a compliance-oriented solution is to create a centralized enterprise records management (ERM) system where multiple data types can be stored safely and securely. However, launching into such a solution without careful, advance planning is a complicated and costly venture. Deploying a solution without first understanding the data only complicates things further and wastes resources. With these issues in mind, organizations looking to address matters of regulatory compliance need to step back and assess their needs and requirements before jumping into quick purchasing decisions.
In order to make intelligent decisions about data retention and archiving, you need visibility into your storage and backup environment. The best first step in establishing a compliance-oriented ERM program is a careful examination of your storage and backup infrastructure. A thorough assessment of the storage environment and the data itself lets you establish criteria for a retention and compliance program before spending resources and adding more complexity to your network management. Understanding what needs to be archived begins with understanding what data an organization currently has, who owns the data, where it resides, when it was last accessed, what level of archiving versus availability the business application requires, and the procedures in place to back up that data. Fortunately, storage resource reporting and monitoring tools are available for a quick and easy examination of backup and storage, offering visibility into, and assurance about, an organization's data stores. Furthermore, this can be the first step in an information lifecycle management (ILM) program.
Before tackling data migration for archiving and compliance, organizations need to know what data they have, where it's stored and whether it's being successfully backed up. Data types vary (e-mail, graphics, databases, and so on), and data may serve multiple related applications. Moreover, data is used for varying purposes and exists under varying degrees of confidentiality and security. For example, personnel and financial records may be stored in ways very different from corporate newsletters and product manuals. Companies also need to be aware that there may be large amounts of personal data stored on servers, and some of that data may be prohibited (such as unauthorized software, MP3 files, or personal photographs: things that wouldn't logically be subject to backup or archiving for regulatory compliance).
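The inventory step described above (what data exists, who owns it, where it lives, when it was last accessed, whether it is backed up, and whether it belongs in a retention program at all) can be expressed as a small classification pass over the output of a storage scan. The following is an added example, not code from the article or from any vendor's product; the scan records, the path-based classification rules, and the 365-day staleness threshold are all constructed assumptions, and real retention categories must come from your organization's policy rather than from file extensions.

```python
"""Constructed storage-inventory classifier (added example, not from the article).

Each record is one file found by an assessment scan.  The rules below are
illustrative assumptions: real retention categories must come from your
organization's policy and counsel, not from file extensions alone.
"""
from collections import defaultdict
from datetime import date

# Constructed sample of scan results:
# (path, owner, size_bytes, last_accessed, currently_backed_up)
SAMPLE_SCAN = [
    ("/fin/ledger/2003-q4.xls", "finance", 4_200_000, date(2004, 3, 30), True),
    ("/fin/ledger/2004-q1.xls", "finance", 4_500_000, date(2004, 4, 28), False),
    ("/mail/ceo/2004-04.pst", "exec", 900_000_000, date(2004, 4, 29), True),
    ("/hr/personnel/smith.doc", "hr", 120_000, date(2002, 1, 15), False),
    ("/pub/newsletter/april.pdf", "marketing", 2_000_000, date(2004, 4, 1), True),
    ("/home/jdoe/music/track01.mp3", "jdoe", 5_000_000, date(2004, 4, 29), True),
    ("/home/jdoe/photos/bbq.jpg", "jdoe", 1_500_000, date(2003, 8, 3), True),
]

# Assumed classification rules: (predicate, category, in_retention_scope).
# Order matters: the first matching rule wins.
RULES = [
    (lambda p: p.startswith("/fin/"), "financial-record", True),
    (lambda p: p.endswith(".pst") or p.startswith("/mail/"), "electronic-message", True),
    (lambda p: p.startswith("/hr/"), "personnel-record", True),
    (lambda p: p.endswith((".mp3", ".jpg")) and "/home/" in p, "personal-media", False),
    (lambda p: p.startswith("/pub/"), "public-content", False),
]


def classify(path):
    """Return (category, in_scope); paths no rule covers are flagged for review (None)."""
    for matches, category, in_scope in RULES:
        if matches(path):
            return category, in_scope
    return "unclassified", None


def assess(records, today=date(2004, 5, 1)):
    """Summarize a scan: bytes per category, retention gaps, and wasted backup load."""
    summary = {
        "bytes_by_category": defaultdict(int),
        "in_scope_not_backed_up": [],   # compliance gap: fix before archiving
        "out_of_scope_backed_up": [],   # wasted capacity, possibly prohibited data
        "needs_review": [],             # no rule covered it
        "stale_in_scope": [],           # in scope, untouched > 365 days: archive candidate
    }
    for path, owner, size, last_accessed, backed_up in records:
        category, in_scope = classify(path)
        summary["bytes_by_category"][category] += size
        if in_scope is None:
            summary["needs_review"].append(path)
        elif in_scope and not backed_up:
            summary["in_scope_not_backed_up"].append((path, owner))
        elif not in_scope and backed_up:
            summary["out_of_scope_backed_up"].append((path, owner, size))
        if in_scope and (today - last_accessed).days > 365:
            summary["stale_in_scope"].append(path)
    summary["bytes_by_category"] = dict(summary["bytes_by_category"])
    return summary


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

The two lists worth acting on first are `in_scope_not_backed_up` (records the retention program depends on that no backup currently protects) and `out_of_scope_backed_up` (capacity and backup-window time spent on data the program does not need); `needs_review` is where the rule set itself is incomplete and must be extended before the numbers can be trusted.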
Compliance with data retention regulations and policy-based management programs such as information lifecycle management can make valuable use of storage and backup monitoring and reporting tools. In order to gain the needed visibility into your environment, perform an assessment of your storage and backup using one of the available software suites that can monitor and report on diverse and distributed environments. An assessment is the first step in establishing and clarifying effective policies and procedures for managing data, and in classifying information and applications according to their value to the business and according to requirements for retention.
Performing a proactive assessment of data stores and backup procedures is essential to considering any acquisition of resources for regulatory compliance, whether they be software, hardware, or staff. Armed with a full understanding of the amount and type of data, where it's stored, and if and how it's being backed up, it is possible to make a responsible decision instead of making a reactive, premature, and possibly unnecessary expenditure. When evaluating your assessment options, consider toolkits that provide granular visibility into your environment and that offer a full complement of monitoring and reporting.
Knowing when a backup succeeds, knowing when and why a backup fails, and having reports that let you compare backups prevents pain and offers assurance that you remain in compliance with relevant regulations. Questions to ask include: What's being stored on the network and what's being backed up? Are backups slow because obsolete or unchanged data is being repeatedly backed up? Are backups successful and complete? What's the availability of data during backup and after archiving? An evaluation of the data in relation to usefulness and accessibility is only the first step in assessing your environment. Your assessment must also examine the repositories where data is stored and where it's backed up. You will need a tool that can take a granular view of all of your storage resources, including DAS, NAS, and SAN, as well as file and application servers such as Exchange and desktop and notebook workstations that may contain vital information subject to the rules prescribed by regulatory legislation.
Once the policies and procedures are in place for your compliance program, you need to be assured that your backups continue to be successful and complete. Failed backups mean your data is insecure, you won't be able to make a successful recovery in the event of a disaster, and you certainly won't be in compliance. The complicated nature of data management makes backups a crucial issue in IT. Users in general are concerned about their protection from data loss and being out of compliance, often citing that current backup methods leave crucial data at risk. Businesses need to be assured their backups are successful and that they're backing up what really needs to be backed up. Depending on the size and nature of the organization, some decisions about backup and recovery may not be flexible. Regulations such as Sarbanes-Oxley have been imposed precisely to ensure that enterprises are conducting business properly. Your tools should be able to monitor and report on backup devices and processes, monitor tape backups and report on successes, failures, backup sizes and many other relevant data on backup configuration and performance.
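The questions in the two paragraphs above (are backups succeeding, when did a job last complete, why does it fail, and is unchanged data being copied again every night) are answerable from the backup scheduler's own job log once it is parsed. The following is an added example, not code from the article or from any backup product; the log format, the sample lines, the reference time `NOW`, the two-day success window and the one-percent change threshold are all constructed assumptions chosen to make the logic visible.

```python
"""Constructed backup-job log analysis (added example, not from the article).

The line format below is invented for illustration and is not any vendor's real
format; adapt parse_log() to the scheduler you actually run.
"""
import re
from datetime import datetime, timedelta

# Constructed log lines from a hypothetical backup scheduler, one per job run.
SAMPLE_LOG = """\
2004-04-24 02:00:13 job=fin-db status=OK bytes=12400000000 files=1823 changed=1823
2004-04-25 02:00:09 job=fin-db status=OK bytes=12400000000 files=1823 changed=4
2004-04-26 02:00:11 job=fin-db status=OK bytes=12400000000 files=1823 changed=2
2004-04-27 02:00:08 job=fin-db status=OK bytes=12400000000 files=1823 changed=3
2004-04-24 03:10:44 job=exchange status=OK bytes=61000000000 files=212 changed=212
2004-04-25 03:12:01 job=exchange status=FAILED reason="media write error"
2004-04-26 03:11:57 job=exchange status=FAILED reason="media write error"
2004-04-27 03:10:30 job=exchange status=OK bytes=61500000000 files=214 changed=9
2004-04-20 01:00:02 job=hr-files status=OK bytes=800000000 files=5401 changed=5401
2004-04-21 01:00:05 job=hr-files status=FAILED reason="agent unreachable"
2004-04-22 01:00:04 job=hr-files status=FAILED reason="agent unreachable"
"""

# Constructed reference time for "how old is the last good backup" checks.
NOW = datetime(2004, 4, 28, 8, 0, 0)

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) job=(?P<job>\S+) status=(?P<status>\S+)'
    r'(?: bytes=(?P<bytes>\d+) files=(?P<files>\d+) changed=(?P<changed>\d+))?'
    r'(?: reason="(?P<reason>[^"]*)")?$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        for k in ("bytes", "files", "changed"):
            d[k] = int(d[k]) if d[k] is not None else None
        runs.append(d)
    return runs


def backup_report(runs, now=NOW, max_age=timedelta(days=2), min_change_ratio=0.01):
    """Per-job view: last success, failure streaks, and full runs that copied almost nothing new."""
    report = {}
    # Sort so that consecutive-failure counting follows real time within each job.
    for r in sorted(runs, key=lambda r: (r["job"], r["ts"])):
        j = report.setdefault(r["job"], {
            "successes": 0, "failures": 0, "last_success": None,
            "consecutive_failures": 0, "failure_reasons": [], "unchanged_full_runs": 0,
        })
        if r["status"] == "OK":
            j["successes"] += 1
            j["consecutive_failures"] = 0
            if j["last_success"] is None or r["ts"] > j["last_success"]:
                j["last_success"] = r["ts"]
            # A full run whose changed/files ratio is tiny is re-copying static data.
            if r["files"] and r["changed"] / r["files"] < min_change_ratio:
                j["unchanged_full_runs"] += 1
        else:
            j["failures"] += 1
            j["consecutive_failures"] += 1
            j["failure_reasons"].append(r["reason"])
    for j in report.values():
        j["out_of_window"] = j["last_success"] is None or now - j["last_success"] > max_age
    return report


def compliance_gaps(report):
    """Jobs a compliance reviewer must look at: no recent success, or repeated failures."""
    return sorted(name for name, j in report.items()
                  if j["out_of_window"] or j["consecutive_failures"] >= 2)


if __name__ == "__main__":
    report = backup_report(parse_log(SAMPLE_LOG))
    for name, j in report.items():
        print(name, {k: v for k, v in j.items() if k != "failure_reasons"})
    print("gaps:", compliance_gaps(report))
```

On the constructed log, `fin-db` succeeds every night but three of its four full runs changed under one percent of their files, which is the "unchanged data repeatedly backed up" case; `exchange` recovered after two media errors, so it is noisy but not a gap; `hr-files` has had no good backup for eight days and is the one job that would leave a retention program unable to recover the records it promises to keep.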
Storage and backup resource reporting and monitoring utilities function well as part of an ILM or ERM program and facilitate efforts at regulatory compliance initiatives. Understanding and evaluating the importance and age of data and how often it needs to be accessed versus requirements for storage and compliance aids in making smart decisions about what data is eligible or required to be archived and what can be deleted, thus streamlining network management and compliance procedures as well as easing the burden on storage resources. Features to look for in a monitoring and reporting tool as part of a compliance initiative include real-time monitoring for always-on management; off-the-shelf reports that require little time to process or can be easily customized via a wizard; a browser-based/web-accessible view; and the ability to save information over time for forecasting and trending.
Storage and backup resource monitoring and reporting utilities are an indispensable part of a cost-effective compliance program. Available tools can quickly provide a thorough and detailed assessment and analysis of an existing data storage and backup infrastructure, even for distributed and heterogeneous environments. Such tools identify what data is stored and where, for proper archiving and compliance initiatives, with the added benefit of identifying shortcomings and bottlenecks in the storage installation.
Ken Barth is president and CEO of Tek-Tools, Inc. (Dallas, TX)
Title annotation: Regulatory Compliance
Publication: Computer Technology Review
Date: May 1, 2004