The case for compliance profiling.
The Current Impact of Compliance on IT Infrastructure
The current impact of compliance on IT infrastructure is chaotic. As industries emerge from capital spending lock-downs and begin planning and implementing the next round of IT development, new regulatory standards for electronic records management and daunting increases in the volume of data to be retained in an accessible manner are dictating different strategies for storage.
New Regulatory Standards for Electronic Records Management
In the wake of disturbing excesses on the part of some businesses and their executives, lawmakers and regulators are implementing a new round of more aggressive laws, increased regulation and stepped-up enforcement. More aggressive laws, such as Sarbanes-Oxley, establish new levels of personal liability for IT managers and personnel. Record integrity requirements have added a new dimension to storage planning that was previously oriented primarily toward backup and recovery. New integrity standards include such elements as:
* Written records management and retention policies
* Proof of consistent adherence to those policies
* Ability to prove that the archives are complete and not selective
* Ability to prove that the entries in the archives could only have been created at the point in time indicated
* Ability to prove that the archives are tamper-proof
These standards for the integrity of records, particularly electronic records, are also being affirmed in the courts. The climate of tolerance for irresponsible records management, whether intentional or inadvertent, has come to an end. The previously common practice of not retaining records as a way of limiting the risk posed by their content has itself become a source of both enterprise and personal risk. Numerous court cases have created a body of legal precedent that penalizes both companies and their management.
Every business has records management regulatory requirements. From the smallest professional company with only a few employees to large global enterprises operating in multiple regulatory jurisdictions, all companies have regulatory requirements. The migration of the majority of information from physical to electronic form, together with regulatory standards specific to electronic records, is shifting the burden of managing this data. Record retention and management has now become an IT problem.
"Regulatory compliance should not be viewed as a corporate tax that IT must burden," commented Peter Gerr, an analyst with ESG. "There are unique opportunities for businesses to classify their information assets and protect them accordingly all the while enabling the compliance process. To that end, the first step customers need help with is understanding the risk associated with their current technology and procedures. Risk assessments, from backup infrastructure to record retention policies, must be conducted prior to any technology purchases or process change." The Regulatory Requirements aspect of Compliance Profiling uses the regulations to develop an IT infrastructure profile that can respond to a wide variety of regulatory requirements.
The Regulatory Requirements perspective of Compliance Profiling defines the requirements specifications needed to address the spectrum of regulations confronting a company. The IT Functionality perspective describes the features and functions the IT infrastructure must have in order to support applications that address specific regulatory requirements.
IT planners, strategists and managers are confronted with the demand for new regulatory compliance capabilities just when new infrastructure is being planned and rolled out. These new regulatory requirements tend to delay decisions about, and implementation of, critical infrastructure. Compliance Profiling provides IT management with a comprehensive plan for addressing current and future compliance requirements in an integrated and cohesive manner without extensive regulatory analysis. Compliance Profiling creates a reference document for IT planners to use so that the infrastructure can better absorb regulatory requirements without major redesign or the development of costly and hard-to-support "point" solutions.
The value of Compliance Profiling is that it enables IT to keep to planning and implementation timetables while still being able to respond to specific regulatory requirements as they arise. The additional value of reducing the cost of satisfying specific regulatory requirements is an added bonus.
Compliance Profiling is accomplished by addressing the relationship between regulatory requirements and IT infrastructure platforms from several different perspectives. These include:
* Regulatory Requirements
* IT Functionality
* Central Information Store Strategy
* Information Lifecycle Management
* Media Storage Life
* Litigation Support
* User and Regulatory Access
Information Lifecycle Management
A key part of a responsive regulatory IT infrastructure deals with Information Lifecycle Management. At different points in the life of information, the urgency of retrieval and the universality of access change, which affords opportunities to move data to more cost-effective means of storage. This helps maximize the operational and regulatory value of the most costly infrastructure while not compromising the integrity of the regulatory archive.
Media Storage Life
Media Storage Life becomes more critical as records retention requirements extend the horizon dates of information. Some regulations require retention of records for more than 30 years. We have already seen instances where some types of storage media will fail long before those dates. Part of the Compliance Profile is the development of a data retention strategy that ensures the availability of data for its entire retention life.
Longer retention periods, greater proliferation of data, and the growing size of records all combine to drive rampant growth in storage and, as a result, in storage infrastructure. The ability to absorb this growth is critical to ongoing viability of a compliant IT infrastructure.
Litigation Support
In addition to regulatory requirements, the archive should be an effective litigation support tool. The characteristics of a credible regulatory archive are very similar to the requirements for a responsive and cost-effective litigation support system. Litigation Support has unique record segregation and retention requirements that should be addressed in every enterprise IT plan.
User and Regulatory Access
Another important element in completing a Compliance Profile is to understand what access users and regulators require. User requirements will tend to focus on more recent data while regulatory interests may focus on older data. Some regulations specify how fast and in what manner regulators must be able to access information. An effective compliant design will accommodate both types of requirements.
The Long-Term Impact
The long-term impact will focus on managing the cost of records storage while creating an infrastructure that can be responsive to specific current and future regulatory requirements. The idea is to create a "Compliance Ready Infrastructure". By taking this approach, infrastructure planning and development can commence without the need for a detailed analysis of the compliance requirements. The detailed analysis will need to be done in conjunction with the implementation of each of the compliance platforms. Part of that detailed analysis will determine how to use the existing infrastructure to its best advantage.
Compliance Profiling puts control of IT planning back in the hands of IT strategists without giving up the ability to cost-effectively address both current and future regulatory compliance requirements. It is not exclusively a regulatory review; it requires a convergence of regulatory expertise and a broad knowledge of available infrastructure solutions, supported by an organization that embodies both. According to Gerr, "Service organizations undoubtedly play a significant role when customers initially address compliance from a technology perspective. They are the rangers who help identify high-risk areas in process and procedures and can ultimately point customers to the appropriate solution."
Regulatory Compliance Summary
Regulations
* Over 15,000 regulations in the U.S. alone for federal, state & local laws (e.g. Sarbanes-Oxley, HIPAA, SEC 17.a-4)
* Significant penalties for non-compliance
Compliance & Corporate Governance
* Blend of process, people & technology to effectively manage and maintain your records
* First, determine your specific compliance requirements, process changes needed & use of technology
Impact on Information Management
* Must be maintained for long periods of time
* Must be readily accessible, even across future technologies
* Must be retained securely and in original format / unalterable
Enabling Technologies
* Networked storage infrastructure, consolidation of control
* WORM-like (Write Once Read Many) media options
* Policy-based message management software for archival
(Images courtesy of Enterprise Storage Group)
Thomas Bookwalter is vice president of Compliance Solutions for SANZ Inc. (Castle Rock, CO)
Title Annotation: Regulatory Compliance
Publication: Computer Technology Review
Date: May 1, 2004