STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure
Post on 25-Feb-2016
Processes and Procedures
Mike Casey, Principal Analyst, Contoural Inc.
Agenda
Anticipate the impact of future compliance requirements
Get agreement on policies & processes
Leverage best practices & standards
Link compliance with ILM to minimize risks & costs
Anticipate the impact of future compliance requirements
Policy drivers: regulatory compliance, litigation readiness, stakeholder expectations
Anticipate changes and new requirements, by understanding these drivers
Strategy: Understand the common policy goals that drive regulatory activity – and the common technical capabilities that enable organizations to comply
Policy goals drive archiving goals
• Operational needs: end-user productivity, customer service levels, corporate IP protection
• Litigation readiness: liabilities and risks, discovery costs
• Regulatory compliance: laws, regulations, standards, guidelines
Archiving goals
• Retention
• Security
• Efficiency
Foundations of compliance & ILM
Records management (what to save):
• Record definition: identification, classification, index & search
• Retention: retrieval, disposition
Archiving (how to save it):
• Storage management: media, migration, cost
• Security: integrity, confidentiality, accessibility
Archiving goals and capabilities
Each archiving goal is met by administrative, technical and physical capabilities:
• Retention: administrative retention, technical retention, physical retention
• Security: administrative security, technical security, physical security
• Efficiency: administrative efficiency, technical efficiency, physical efficiency
Security goals: integrity, confidentiality (privacy), availability (transparency)
Retention goals: scope (completeness), duration
Efficiency goals: service levels, cost reduction
Example: Technical security capabilities (HIPAA security rule)
45 CFR 164, Subpart C: Security Standards for the Protection of Electronic Protected Health Information
164.312 Technical safeguards
• (a) Access control. Implement technical policies and procedures ... to allow access only to those persons or software programs ...
• (b) Audit controls. ...
• (d) Person or entity authentication. ...
• (e) Transmission security. ... (e)(2)(ii) Encryption ...
Security technical capabilities: authentication, access controls, audit logs, backup & recovery, media controls, data permanence, e-signatures, encryption, expungement
Get agreement on policies & processes
Compliance initiative: process steps
Response to change: 1. Assess, 2. Policy, 3. Architect
Ongoing operation: Deploy, Manage
Step one: Assessment
• Regulatory compliance
• Litigation readiness
• Stakeholder expectations
Regulatory compliance, by region and industry
Industries: financial services (securities, banking, insurance), health services (health insurance, healthcare), life sciences (medical devices, drugs)
• Europe: Data Protection Act (UK) and similar laws implementing EU Directives; GMP Directive (EU)
• United States: Sarbanes-Oxley Act; Gramm-Leach-Bliley Act; HIPAA; 21 CFR 11, GxP
• Global: Basel II; ISO 9000
Litigation readiness: the discovery process
1. Discovery requested by one party
2. Court order issued
3. First internal awareness of the discovery request
4. Issue internal retention hold
5. Search and query the archive database and user directory
6. Result review
7. Deliver response to the court
Discovery depends on effective archiving
Enterprise views toward e-mail and IM archiving
• Preserving all e-mail and IM content for long periods is least risky: 29%
• Deleting all e-mail and IM content on a regular basis is least risky: 21%
• Not sure: 42%
• Other: 8%
Source: Osterman Research
Stakeholder expectations
Perspectives: operational, application, legal, technology
Stakeholders: CEO, CFO, records manager, compliance officer, CIO, storage admin, system admin, application admin, end user, legal counsel
Step two: Policy development
Example – Retention scope
Policy choices (from least to most retained): save almost nothing, selective deletion, selective retention, save nearly everything
Impacts on: regulatory compliance, litigation readiness, stakeholder expectations
Step two: Policy development (2)
Example – Retention periods
Policy choices: many, content-based; few, organization-based; one for all
Impacts on: regulatory compliance, litigation readiness, stakeholder expectations
Step three: Define architecture and processes
• Provide required and recommended capabilities for retention and security
• Use technology to enable cost-effective retention, storage and migration over the lifecycle
• Start with point solutions and information silos if needed, but move toward an integrated ILM architecture as technology evolves
Leverage best practices & standards
• Example 1: HIPAA Security Rule
• Example 2: Sarbanes-Oxley Act
• Example 3: DoD 5015.2 Standard
Example 1: HIPAA Security Rule (technical safeguards, see above)
Example 2: Sarbanes-Oxley Act
IT Control Objectives for Sarbanes-Oxley, IT Governance Institute: www.itgi.org and www.isaca.org
SEC refers to the COSO framework
Auditors endorse IT control frameworks
• COBIT
• ISO/IEC 17799
Example 3: DoD 5015.2-STD
Security technical capabilities: authentication, access controls, audit logs, backup & recovery, media controls, data permanence, e-signatures, encryption, expungement
• C2.2.3.23. RMAs shall enforce data integrity ...
• C2.2.5.2. The RMA shall prevent unauthorized access to the repository.
• C2.2.7.1. The RMA ... shall use identification and authentication ...
• C2.2.7.4. If the RMA provides a web user interface, it shall provide 128-bit encryption
• C2.2.6.6.3. RMAs shall delete electronic records ... in a manner such that the records cannot be ... reconstructed.
• C2.2.8.1. The RMA ... shall provide an audit capability to log the actions, date, time, unique object identifier(s) and user ...
RMA: Records Management Application
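As an added illustration (not part of the presentation or of any RMA product), the Python sketch below shows one way an RMA could satisfy the audit-log fields named in DoD 5015.2 C2.2.8.1 (action, date/time, unique object identifiers, user), which also covers the HIPAA 164.312(b) audit-controls capability listed earlier, and uses a SHA-256 hash chain as one possible approach to the data-integrity requirement of C2.2.3.23. The class and function names, user ids and record ids are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of the "entry before the first entry"; anchors the chain.
GENESIS = "0" * 64


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    """Append-only audit trail; each entry commits to the previous hash."""

    def __init__(self):
        self.entries = []  # each: {"record": {...}, "prev": hash, "hash": hash}

    def append(self, user, action, object_ids, when=None):
        # Fields required by C2.2.8.1: action, date/time, object id(s), user.
        when = when or datetime.now(timezone.utc)
        record = {"user": user, "action": action,
                  "object_ids": sorted(object_ids),
                  "timestamp": when.isoformat()}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; return (ok, index of first bad entry or None)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def demo():
    # Constructed scenario: two logged actions, then an after-the-fact edit
    # of the second record, which the chain verification must detect.
    log = AuditLog()
    t = datetime(2016, 2, 25, 12, 0, tzinfo=timezone.utc)
    log.append("jdoe", "view", ["REC-0001"], t)
    log.append("jdoe", "dispose", ["REC-0001"], t)
    ok_before, _ = log.verify()
    log.entries[1]["record"]["action"] = "view"  # tampering
    ok_after, bad_index = log.verify()
    return ok_before, ok_after, bad_index
```

A production RMA would additionally write the chain head to write-once media or a separate signed store, since an attacker who can rewrite every entry can rebuild the whole chain.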
Link compliance with ILM to minimize risks and costs
Compliance initiatives can minimize risk by establishing policies and processes for response to new regulations – and for anticipating future regulations and standards
Best policy response is commonly to retain more data, for longer retention periods
ILM processes and architecture can help reduce storage and management costs, making increased data retention feasible and affordable
TCO example for e-mail archiving
Hard IT costs: storage hardware, archiving software, operations/IT staff, maintenance
Soft costs: user productivity, operational costs
Potential costs: litigation discovery, increased liability, regulatory discovery, potential penalties
Average costs per e-mail user per year, by policy choice (hard / soft / potential / total):
• Save nothing (delete at 30 days): $3 / $19 / $80 / $102
• Save nearly everything (primary disk): $204 / $0 / $6 / $210
• Save nearly everything intelligently: $40 / $4 / $9 / $53
Conclusions
Understand common compliance goals and technical capabilities
Start with business needs assessment: compliance, litigation and stakeholder requirements
Use standards and best practices to guide policies, processes and architecture
Define ILM policies and strategies to enable cost-effective implementation
Questions? Ask the Expert
Resources: www.searchstorage.com, www.contoural.com, www.graycary.com, www.ostermanresearch.com
searchstorage.techtarget.com/ateQuestion/0,289624,sid5_tax295552,00.html