Compliance Concerns and Storage Management
By Tom Schmidt
CIOs are accustomed to evaluating storage systems and technologies based on such issues as performance, capacity, and manageability. But today it's just as important for them to also look at such things as data preservation, security, and distance replication. That's because, when it comes to storage and storage management, regulatory compliance is now a key consideration.
How much are new regulations impacting enterprise storage decisions? Let's consider a few examples.
For financial services companies, SEC Rule 17a-4(f) (17 CFR 240.17a-4(f)) requires broker-dealers that keep records electronically to preserve them, email and business records included, in a non-rewritable, non-erasable format. The rule also requires that the original and any duplicate storage units be serialized, that each record be time-date stamped for the required retention period, and that a duplicate copy be stored separately from the original. This has created a big demand for WORM (write once, read many) storage systems.
Or consider HIPAA (the Health Insurance Portability and Accountability Act). HIPAA's Privacy and Security Rules require covered entities to keep protected health information in secure repositories with access controls and audit trails, and to retain the policies, procedures, and other documentation the rules require for at least six years. Retention periods for the patient records themselves are set by state law rather than by HIPAA, so the applicable period must be determined per jurisdiction.
Then there's the Sarbanes-Oxley Act. Described by one observer as "broad in its reach, short on implementation specifics, and bristling with teeth," Sarbox has focused the attention of IT departments and storage specialists to an unprecedented degree since it became law in 2002. As a piece of legislation that seeks to enforce financial accountability, it doesn't call for specific record types to be retained or mandate recovery times for archived records. But as tech publication Enterprise Storage Forum observed recently, "Sarbanes-Oxley requires storage of all relevant financial records, and in most cases that includes unstructured and semi-structured data such as email."
That's a tall order. And since there is no clear dividing line between what information they must keep and what they can discard, many organizations are taking an inclusive approach, "storing everything that might have a bearing on financial reporting, and ... in some cases they are claiming they are keeping everything forever," according to Enterprise Storage Forum.
But in the long run, a "hold everything" policy may do more harm than good, industry experts say: information retained beyond what compliance requires does the company no good, costs money to store and manage, and remains discoverable, so it can be used against the company in litigation.
"A big disconnect"
In the course of developing the "Data Storage Outlook" in the summer of 2004, infrastructure provider Corporate Technologies found that most of the IT decision makers it interviewed were "very concerned" about the impact of regulations on their IT organizations, including storage. But while these executives were able to identify which regulations apply to their organizations, most said they did not understand what they needed to do to be compliant.
A majority of these same executives also said that increasing storage capacity is one of their top concerns. That's consistent with the findings of a 2004 survey by Horison Information Strategies, a consulting firm that researches the storage market, which found that the amount of corporate data is increasing at an average rate of 50 percent to 70 percent every year.
Yet as "Data Storage Outlook" and other recent surveys have noted, most companies have no plans to augment their storage staffing to accommodate this increased capacity. As Corporate Technologies CTO Peter Baer Galvin put it: "There is a big disconnect there." Spending plans do not sync up with the realities of storage requirements, he added. In other words, CIOs and IT departments are again being asked to do more with less, and to act more quickly and with greater impact on business success.
The move to centralization
In light of this situation, the trend among enterprises has been "to move storage from direct- and network-attached storage to storage area networks, centralizing data and connecting different kinds of hardware," as CIO Insight observed in an October 2004 article. As a result, managing the storage infrastructure has become a major effort. At the same time, the article noted, "the benefits of a centralized storage management system are numerous. First, the system can greatly reduce backup and recovery times -- one of the most time-consuming tasks in the data center -- in some cases from days to hours. ... Deeper insight into your storage systems also means increased efficiencies from optimizing storage capacity, and that translates into savings."
Such speed is especially germane to compliance. Section 409 of Sarbox, for example, explicitly requires companies to disclose "material changes" in their financial condition "on a rapid and current basis," even though the act itself sets no deadline for producing records when they are requested. A number of industry observers have interpreted "rapid and current" to mean 48 hours, and the SEC's 2004 amendments to Form 8-K give issuers four business days to report most triggering events. Either way, rapid recovery of records is increasingly used as a measure of the soundness of a company's records management.
Policy based on business needs
Ultimately, today's demanding regulatory environment is forcing enterprises to fundamentally re-evaluate their document retention policies. According to "Data Storage Outlook," more than 34 percent of respondents store employee email indefinitely, while more than 44 percent have policies that define a retention period, ranging from 30 days or less, through 60 to 90 days and one year, up to two to seven years. Just over 12 percent report having no formal email retention policy at all.
Respondents also expressed growing frustration with spam. Many of them said spam is impacting their storage requirements since some regulations require that companies store email indefinitely.
Clearly, given the dramatic increase in email traffic and regulators' increasing focus on email, no enterprise can afford to conduct business without specific email retention and supervisory review procedures, or without the technology to enforce them. The compliance requirements that most affect storage and records management are: tamper-proof records (in practice, tamper-evident WORM media), supervisory review, timely search and retrieval, defined rules for deleting records once their retention period ends, and duplicate storage.
The following basic steps should be taken to align storage practices and regulatory compliance:
- Determine business-driven criteria and processes for records management, retention, and destruction.
- Establish a records management policy based on the determination.
- Implement the policy, then audit it regularly to confirm that retention and destruction actually happen as defined.
Keeping information available and secure
The proliferation of regulations requires all enterprises to carefully assess how they manage, preserve, and access their critical data. They have no other choice. Failure to comply with regulations can result in lost business and customer confidence, in addition to financial and legal liability.
Yet storing and protecting that data becomes more challenging all the time. The amount of data that needs to be stored and made available grows every day, and threats to the security of this vital information continue to increase.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.