Printer Friendly

The case for compliance profiling.

Enterprise Storage Group (ESG) estimates that customers will spend upwards of $6B on storage hardware, software, and services to enable compliance with a myriad of regulations. HIPAA, SEC 17a-3 & 4, and Sarbanes-Oxley, amongst others, have changed the way IT and business stakeholders manage information. Regulators, legislators, the courts and regulatory enforcement all continue to emphasize the importance ofa complete, tamper-proof archive. It is no longer an acceptable approach to rely on employees to maintain the archive. Although compliance and records management is not new to regulated business, it is only recently that compliance has become a critical element in IT infrastructure planning. Currently, the impact is still being determined. In the longer term, it will change the nature of how IT infrastructure, particularly storage, will be implemented.

The Current Impact of Compliance on IT Infrastructure

The current impact of compliance on IT infrastructure is chaotic. As industries emerge from capital spending lock-downs and begin planning and implementing the next round of IT development, new regulatory standards for electronic records management and daunting increases in the volume of data to be retained in an accessible manner are dictating different strategies for storage.

New Regulatory Standards for Electronic Records Management

In the wake of disturbing excesses on the part of some businesses and their executives, lawmakers and regulators are implementing a new round of more aggressive laws, increased regulation and stepped up enforcement. More aggressive laws, such as Sarbanes-Oxley, establish new levels of personal liability for IT managers and personnel. Record integrity requirements have added a new dimension to storage planning that was primarily backup and recovery oriented. New integrity standards include such elements as:

* Written records management and retention policies

* Proof of consistent adherence to those policies

* Ability to prove that the archives are complete and not selective

* Ability to prove that the entries in the archives could only have been created at the point in time indicated

* Ability to prove that the archives are tamper-proof

These standards for the integrity of records, particularly electronic records, are also being affirmed in the courts. The climate of tolerance for irresponsible records management, whether intentional or inadvertent, has come to an end. Previously common practices of not retaining records as a means of dealing with the risk of data content have become points of both enterprise and personal risk. Numerous cases in the courts have created a body of legal precedence that penalize both companies and their management.

Regulatory Requirements

Every business has records management regulatory requirements. From the smallest professional company with only a few employees to large global enterprises operating in multiple regulatory jurisdictions, all companies have regulatory requirements. The migration of the majority of information, from physical to electronic form with specific regulatory standards, is shifting the burden of managing this data. Record retention and management has now become an IT problem.


"Regulatory compliance should not be viewed as a corporate tax that IT must burden," commented Peter Gerr, an analyst with ESG. "There are unique opportunities for businesses to classify their information assets and protect them accordingly all the while enabling the compliance process. To that end, the first step customers need help with is understanding the risk associated with their current technology and procedures. Risk assessments, from backup infrastructure to record retention policies, must be conducted prior to any technology purchases or process change." The Regulatory Requirements aspect of Compliance Profiling is to use the regulations to develop an IT infrastructure profile that can respond to a wide variety of regulatory requirements.

IT Functionality

The Regulatory Requirements of Compliance Profiling defines the requirements specifications needed to be able to address the spectrum of regulations confronted by a company. The IT Functionality describes the features and functions the IT infrastructure must have in order to be able to support applications that address specific regulatory requirements.

Compliance Profiling

IT planners, strategists and managers are confronted with the demand for new regulatory compliance capabilities just at the time when new infrastructure is being planned and rolled out. These new regulatory requirements tend to delay decisions and implementation of critical infrastructure. Compliance Profiling provides IT management with a comprehensive plan for addressing current and future compliance requirements in an integrated and cohesive manner without extensive regulatory analysis. Compliance Profiling creates a reference document for IT planners to use so that the infrastructure can better absorb regulatory requirements without major redesign or the development of costly and hard to support "point" solutions.

The value of Compliance Profiling is that it enables IT to keep to planning and implementation timetables while still being able to respond to specific regulatory requirements as they arise. The additional value of reducing the cost of satisfying specific regulatory requirements is an added bonus.


Compliance Profiling is accomplished by addressing the relationship between regulatory requirements and IT infrastructure platforms from several different perspectives. These include:

* Regulatory Requirements

* IT Functionality

* Central Information Store Strategy

* Information Lifecycle Management

* Media Storage Life

* Scalability

* Litigation Support

* User and Regulatory Access

Information Lifecycle Management

A key part of a responsive regulatory IT infrastructure deals with Information Lifecycle Management. At different points in the life of information, the urgency of retrieval and the universality of access changes and affords opportunities to move data to more cost-effective means of storage. This helps maximize the operational and regulatory value of the most costly infrastructure while not compromising the integrity of the regulatory archive.

Media Storage Life

Media Storage Life becomes more critical as records retention requirements extend the horizon dates of information. Some regulations require retention of records for more than 30 years. We have already seen instances where some types of storage media will fail long before those dates. Part of the Compliance Profile is the development of a data retention strategy that ensures the availability of data for its entire retention life.


Longer retention periods, greater proliferation of data, and the growing size of records all combine to drive rampant growth in storage and, as a result, in storage infrastructure. The ability to absorb this growth is critical to ongoing viability of a compliant IT infrastructure.


Litigation Support

In addition to regulatory requirements, the archive should be an effective litigation support tool. The characteristics of a credible regulatory archive are very similar to the requirements for a responsive and cost-effective litigation support system. Litigation Support has unique record segregation and retention requirements that should be addressed in every enterprise IT plan.

User and Regulatory Access

Another important element in completing a Compliance Profile is to understand what access users and regulators require. User requirements will tend to focus on more recent data while regulatory interests may focus on older data. Some regulations specify how fast and in what manner regulators must be able to access information. An effective compliant design will accommodate both types of requirements.

The Long-Term Impact

The long-term impact will focus on managing the cost of records storage while creating an infrastructure that can be responsive to specific current and future regulatory requirements. The idea is to create a "Compliance Ready Infrastructure". By taking this approach, infrastructure planning and development can commence without the need for a detailed analysis of the compliance requirements. The detailed analysis will need to be done in conjunction with the implementation of each of the compliance platforms. Part of that detailed analysis will determine how to use the existing infrastructure to its best advantage.

Compliance Profiling

Compliance Profiling puts control of IT planning back in the hands of IT strategists without giving up the ability to cost effectively address both current and future regulatory compliance requirements. It is not exclusively a regulatory review but requires a convergence of both regulatory expertise and a broad knowledge of available infrastructure solutions support from an organization that embodies both. According to Gerr, "Service organizations undoubtedly play a significant role when customers initially address compliance from a technology perspective. They are the rangers who help identify high-risk areas in process and procedures and can ultimately point customers to the appropriate solution."
Regulatory Compliance Summary

Regulations Over 15,000 regulations in U.S. alone for federal, state &
 local laws (e.g. Sarbanes-Oxley, HIPAA, SEC 17.a-4)
 Significant penalties for non-compliance

Compliance & Blend of process, people & technology to effectively
 Corporate manage and maintain your records
 Governance First, determine your specific compliance requirements,
 process changes needed & use of technology

 Impact on Must be maintained for long periods of time
Information Must be readily accessible, even across future
 Management technologies
 Must be retained securely and in original format /

 Enabling Networked storage infrastructure, consolidation of control
Technologies WORM-like (Write Once Read Many) media options
 Policy-based message management software for archival

(Images courtesy of Enterprise Storage Group)

Thomas Bookwalter is vice president of Compliance Solutions for SANZ Inc. (Castle Rock, CO)
COPYRIGHT 2004 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Regulatory Compliance
Author:Bookwalter, Thomas
Publication:Computer Technology Review
Geographic Code:1USA
Date:May 1, 2004
Previous Article:Information lifecycle management: the next wave.
Next Article:New ILM solutions for regulatory compliance: case study on how a customer achieves both financial and operational efficiencies.

Related Articles
Which came first - the carrot or the stick?
Higher Profile.
Land use compliance fails by design.
Agency Engaged in National Security Awards $5.2 Million Contract To Convera.
Ensuring compliance through ECM.
The state of e-mail compliance: a technology perspective.
Call Compliance adds call monitoring to its online Regulatory Guide.
The appliance of compliance.
Navigating the compliance landscape: compliance issues are changing the RIM industry. RIM professionals must adjust their mindsets to understand the...

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters