There's more to regulatory compliance than data retention -- other exposures could present significant problem...
It's safe to say that compliance is having a major impact on the IT infrastructure. Data protection is now viewed with greater scrutiny. Senior managers are showing a newfound interest in once-mundane topics like backup, as well as demanding more information. CIOs now want to know: "Does allowing end users to restore their own files violate Sarbanes-Oxley (SOX)?" and "How does our incremental backup rotation policy impact our ability to recover?"
Storage managers are responding in a variety of ways. Some are educating themselves about the regulations that affect their organizations. Many are looking at the data-retention requirements of SOX, HIPAA, SEC 17a and so on, and are modifying backup policies accordingly. Others are considering technology solutions to assist in compliance efforts.
Despite these efforts, the risk of not adequately addressing all the elements required to successfully withstand a compliance audit remains. That's because compliance goes beyond just data retention. For storage, compliance can be grouped into two focus areas: data management and governance. Retention policy is an important element of data management, but there are other factors to consider, including security and retrievability. On the other hand, good governance represents a significant challenge that often doesn't receive the attention it deserves.
Compliance foundation -- the prudent man
A company must demonstrate a good faith effort to meet regulatory requirements. This may sound obvious, but compliance legislation rarely spells out exactly what needs to be done. A great deal is left open to interpretation. For example, a regulation may require e-mail to be retained for seven years. But which e-mail messages need to be retained -- every message, including spam? And the question of how it must be maintained isn't addressed in most legislation. While SEC Rule 17a-4 for the financial industry says data must be stored offsite on non-rewritable media that's indexed and easily retrievable, most regulations are much less specific. The implicit expectation is that the company is acting prudently and in good faith, subjective terms that are open to legal interpretation. So it's essential that compliance policies be driven by corporate legal counsel or compliance officers. IT should take direction from them to determine the appropriate data management policies that demonstrate that the company is acting prudently. The policies must then be formally documented.
Data management for compliance
The data management aspect of compliance includes several elements. To be compliant, an organization should have policies for each element. Briefly, they're as follows:
Retention. Retention has been the primary focus of storage compliance, and represents how long a set of data must be preserved by the organization.
Retrievability. Retrievability defines how quickly a set of retained data needs to be accessed. Much retained information is rarely accessed but, when it's needed, a quick turnaround may be required to be in compliance.
Security. Compliance regulation is fundamentally about managing data risk, and security is one of the primary risks to be addressed. Until recently, security received scant attention within most storage environments. Policies regarding data access are central to regulations such as HIPAA, the Gramm-Leach-Bliley (GLB) Act and California SB 1386, as well as implicit in SOX and other financial regulations.
Integrity. Integrity is the assurance that retained data hasn't been altered or corrupted. Integrity requires retained information to be maintained on read-only media, with policies and procedures to protect data from corruption and to recover it when corruption occurs. Legislation with long retention horizons, such as HIPAA, has significant consequences for ensuring integrity over time.
Renderability. While integrity ensures that data hasn't changed, renderability relates to the ability to read the data. A 20-year-old file or database presents renderability challenges because it may be stored on media that can't be read by current devices or the software used to create it is no longer available. There should be data-conversion processes in place that transform and migrate data over time to enable continued renderability while ensuring data integrity.
Data copy/relocation. To support retention, integrity and renderability, data is copied/moved on a scheduled and ad hoc basis. Policies and processes that demonstrate and document that data copy activities such as backup and archiving have been completed successfully are critical.
Restorability. Apps and data must be restorable to specific RTOs and RPOs to protect against unacceptable data loss. A prudent IT department will be able to demonstrate a testing process that proves recoverability at the file, server, application, app group and data center levels.
Each of these data management elements is important from an overall data protection perspective. But some may be more critical than others depending on specific regulations. SOX focuses on availability, integrity and protection of financial data. HIPAA stresses long-term data retention and security. GLB addresses privacy and security, and isn't concerned with retention beyond consumer privacy implications. The specific regulations affecting a company will be the key to formulating a data management policy and selecting technology.
Compliance dictates that data must be retained, retrievable, secure and properly handled. But an organization must also be able to act on its policies and provide evidence that it's doing so. This is the realm of governance. Governance relates to the people, processes and metrics within an organization, and the ability to achieve required objectives. Governance questions include:
- Does the organization's leadership demonstrate a clear commitment to ensuring compliance?
- Are all appropriate policies documented and understood by employees?
- How well does the organizational structure support these policies? Are appropriate roles in place and responsibilities understood?
- Are there documented standard operating procedures (SOPs) in place that directly implement and support organizational compliance policies?
- Are controls in place with an auditing and reporting structure to confirm that policies and processes are adhered to?
A comprehensive governance framework touches all aspects of an organization. Here are several items to consider:
Infrastructure mapping. The storage infrastructure should be mapped, and the map kept current. Clear logical and physical schematics, with supporting documentation that demonstrates how the infrastructure supports data management policies relating to availability, security and so on, are a prerequisite for compliance.
Metrics and reporting. Appropriate metrics and reporting related to data management often don't exist or are in a format that's difficult to consolidate and analyze. In most IT infrastructures, each functional area has low-level performance metrics related to devices and other elements. However, most organizations aren't able to correlate and merge the disparate data to produce high-level reporting that demonstrates appropriate management of critical data.
Organizational structure. Well-defined roles and responsibilities are required for good governance. Each individual must understand their role and how particular regulations affect it. This includes interactions within the storage organization, as well as with lines of business and other groups.
SOPs. Documented procedures and processes designed to support corporate policies are essential to achieve compliance. If the policies don't exist, address this deficiency.
There are plenty of resources available to support a compliance effort. The Information Systems Audit and Control Association and its sister organization the IT Governance Institute provide an internationally accepted framework called Control Objectives for Information and related Technology (COBIT). COBIT provides best-practice guidelines for the control of information, and includes high-level performance measurement elements, critical success factors and maturity models that can be used to build an IT governance strategy.
For storage, specifically adapting such a framework requires defining the necessary policies, and then developing the processes and metrics to support them. It also means obtaining the appropriate tools to provide the metrics necessary to demonstrate policy adherence. Above all, compliance requires organizational discipline, commitment to a good governance approach and conscientiously following through with each of these components.
About the author
James Damoulakis is CTO and Phil Poresky is storage practice manager for GlassHouse Technologies.