Page 1

Service Strategies Showcase - Boston

Impact of Regulatory Compliance on Remote Support

Tom Ellwood, Sr. Manager - Remote Support Technologies, EMC Corporation

11/11/2004

© 2004 EMC Corporation. All rights reserved.

Page 2

Agenda

• Remote Support – Defined
• EMC Support At-A-Glance
• Remote Support Technology – Historical Perspective
• Regulatory Requirements – Fundamentals
• Intersection of Remote Support and Regulatory Compliance
• Impact of Compliance on Internal Policies and Product Development
• Future Trends
• Summary and Questions

Page 3

Remote Support - Defined

A combination of technology, processes and people which enables the monitoring and management of devices from a remote facility.

The benefits include the following:
– Increased customer satisfaction
– Proactive response to product-generated alerts
– Ability to remotely diagnose and repair
– Increased product availability
– Lower mean time to repair
– Reduced service costs
– Enhanced customer usage and product performance statistics

Page 4

EMC Overview

• $6.24B in revenue in 2003
• $1.97B in Q2 ’04 revenue
– Double-digit year-over-year growth in each business
– Systems revenue up 16% from Q2 ’03
– Software revenue up 64% from Q2 ’03
– Services revenue up 45% from Q2 ’03
• $3.1B in R&D over the last four years
• $6.7B in cash and investments
• 2,000+ storage-related patents
• $2B+ interoperability investment
• 7,200+ Services professionals
• 21,400+ employees worldwide
• Strong strategic partnerships

“[Customers] are looking for broader ‘best of breed’ solution sets and better service and support, and they are uncompromising when it comes to improving the total cost of ownership and overall returns on their IT investments. We think our strategy and our portfolio are very well suited for this challenge.”

— Joe Tucci, President and CEO, July 20, 2004

Page 5

Recognized Leadership

• #1 provider of storage management software in 2003 for fifth straight year (Gartner Dataquest)
• #1 provider of external RAID storage in 2003 for seventh straight year (IDC)
• #1 provider of networked storage (IDC); “Leader” in:
– SAN integrated solutions
– SAN management software
– Midrange enterprise disk arrays
– High-end enterprise disk arrays
• $3.5 billion in acquisitions in 2003
– Legato
– Documentum
– VMware

EMC leads the industry in best-of-breed hardware, software, services, and solutions

Page 6

EMC Support Services At-A-Glance

• 4,000+ in Customer Services
• 3,000+ consultants and technology professionals
• 275+ Cooperative Service Agreements
• 30+ Authorized Services Partners
• 70+ Customer Services partners
• Three practices focused on best practices for storage implementation, integration, and management
• Powerlink eServices: access to over 20,000 Knowledgebase solutions and web support
• Most rapid escalation practices in the industry, with 4 levels of customer-defined priorities
• 24-hour mission-critical “follow the sun” support with 11 strategically located support centers
• Joint Solution Centers with leading software vendors Oracle and Microsoft for rapid resolution of joint customer events

“EMC’s service programs and reputation provide customers with confidence that EMC will do whatever it takes to prevent problems and to fix problems when they do occur.”

— Gartner Dataquest: IT Vendors Offer Technology-Enhanced Remote Support Services, December 2002

Service metric                                                          EMC      Industry benchmark
Dial-home response resolved before the customer is aware of the issue   94.3%    43.9%
First-time resolution                                                   95%      89.6%
Parts available under warranty                                          98.5%    95.4%
Calls with four-hour-or-less onsite response                            100%     75.9%

Source: Gartner Benchmarking Hardware Service Operations, June 2002

Winner of Software Technical Assistance Recognition (STAR) award for outstanding mission-critical support
— Service and Support Professionals Association (SSPA) 2001, 2002, 2003, 2004

“Best in class service. A model for all other IT providers in project execution. A model for zero downtime…”
— General Motors, in naming EMC Supplier of the Year (Winner 1999–2003)

Page 7

EMC’s Support Environment

(Diagram of the supported environment; the recoverable labels are:)
– Platforms: Linux, Windows, UNIX, Mainframe
– Application Servers and Web Servers
– Management: ControlCenter, ControlCenter Server
– Storage: CLARiiON CX Series; Symmetrix DMX2000, DMX1000, 8000 and z8530; SRDF; Centera; Celerra, Celerra NS600; Connectrix
– Software: Legato and Documentum
– Access: Users, LAN, EDM

Page 8

EMC’s Proactive Support Model

(Flow diagram; the recoverable steps are:)
1. EMC Product – e-mail home or call home (modem or I-Net) to EMC Customer Support Center technicians
2. Dial-in – Customer Support Center to the EMC Product; PSE Lab (hardware support)
3. Problem escalation – Solutions Support Center
4. Local expertise – Customer Engineer and Registered Technical Specialist; site visit
5. Engineering

Page 9

Page 10

Examples of Remote Support at Consumer Level

“I’ve fallen and I can’t get up”

HELP !!

Page 11

Remote Support Technology – Past and Present

Past
• Focused on hardware platforms
• Primary emphasis on product monitoring
• Telephony- and modem-based connectivity
• Phone and modem costs limited use to large vendors
• Proprietary infrastructure
• Limited use of remote access or analytical tools
• Limited security concerns

Present
• Hardware and software platforms
• Leveraging technology for value-added services
• IP or network connectivity options increasing
• Internet-enabled; widespread use of inexpensive bandwidth
• Open framework
• Autonomic computing initiatives driving on-board diagnostic tools and self-healing
• Significant security concerns resulting from use of the public Internet and compliance mandates

Page 12

Support and Service Evolution

Source: Aberdeen Group, August 2002

We are here

Page 13

Today’s Support Challenges

• Compliance – >16,000 regulations worldwide
• Reduce support costs – utilization, consolidation, support automation
• Increase support revenues – more value-added services
• Expanded partner relationships – sales and support channels external to the organization
• Increased complexity – minutes = millions; supporting the customer’s business, not just your product

Page 14

The Compliance Challenge Keeps Growing

• The Privacy Act of 1974
• The Computer Security Act of 1987
• The Computer Matching and Privacy Protection Act of 1988
• The Electronic Communications Privacy Act
• The Gramm-Leach-Bliley Act
• The Health Insurance Portability & Accountability Act (HIPAA)
• EU Data Protection Directive (95/46/EC)
• Electronic Communications Privacy Directive (2002/58/EC)
• UK Data Protection Act
• Data Protection Amendment 2002
• Law of August 29, 1997 on protection of personal data
• Basel II
• Promotion of Access to Information Act
• DOD 5220.22-M
• US DoD 5015.2-STD – Design Criteria Standard for Electronic Records Management
• US Army Regulation 25-1, Army Information Management, May 2002; Reg 25-2, Information Assurance
• Sarbanes-Oxley

Page 15

Compliance Means Following the Rules…and Being Able to Prove It

(Diagram of regulations grouped by sector: Environmental, Manufacturing, Employment, Finance, Healthcare)
• SEC 17a-4
• Sarbanes-Oxley
• GLBA
• Rev. Proc. 97-22
• MoReq
• CRFB - France
• BaFin – Germany
• Basel II
• Data Protection Act of 1998
• NASD 3010
• US Patriot Act
• HIPAA
• UK Metadata Framework
• DICOM
• eSign Act
• Freedom of Information Act of 2000
• ISO 15489-2
• 21 CFR Part 11
• DoD 5015.2
• FERC Part 125

Page 16

“Following the Rules” Requires Common Goals

20,000 regulations – 3 common themes
– Retention
– Assured authenticity
– Security / disaster recovery

Common IS goals
– Integrity
– Confidentiality
– Accessibility

How are regulations and IS goals applied in the information infrastructure?

Page 17

HIPAA 45 CFR 164 – Health Care

Industries: Health Care Providers, Medical Insurance, Pharmaceuticals, Biotechnology

HIPAA: 45 CFR Part 164, Security and Privacy Rule
• 164.306 “… entity must comply with standards as provided in this section and in 164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information”
• 164.308(a) “Risk Analysis to assess risks to the confidentiality, integrity and availability of electronic protected health information.”
• 164.312(a) “…allow access to only those persons or software programs that have been granted access rights….”
• 164.312(b) Audit Controls – “…record and examine activity in information systems that contain or use protected health information”
• 164.312(d) “Implement procedures to ensure that person or entity seeking access……is the one claimed”
• 164.312(e)(2) Transmission Security – “…encrypt electronic protected health information whenever deemed appropriate.”

Specified capabilities: Integrity, Accessibility, Confidentiality, System Validation, Audit Trails, Authentication, Encryption, Access Control & Logs

Page 18

FDA 21 CFR 11 – For Pharmaceuticals

Industries: Pharmaceuticals, Biotechnology, Medical Devices, Food

FDA: 21 CFR Part 11, Electronic Records and Signatures
• 11.10 “… procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records”
• 11.10(a) “Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records”
• 11.10(c) “Protection of records to enable their accurate and ready retrieval throughout the records retention period”
• 11.10(d) “Limiting system access to authorized individuals”
• 11.10(e) Use of secure, computer-generated, time-stamped audit trails that “shall be retained for a period at least as long as that required for the subject electronic records …”
• 11.30 Controls for open systems – “additional measures such as document encryption …”

Specified capabilities: System Validation, Retention Mgmt, Authentication, Encryption, Integrity, Accessibility, Confidentiality, Access Control & Logs, Audit Trails

Page 19

The Sarbanes-Oxley Act of 2002

Section 302 – “Certification”
CEO and CFO must certify their financial statements – no IT implications
Deadline: In effect now

Section 404 – “Internal Controls”
Auditors must certify internal controls and processes in addition to financial numbers
Deadline: Extended to November 2004

Section 409 – “Disclosure”
Companies must provide real-time disclosure of material events that might affect performance; real-time reporting (promote full disclosure and constant awareness)
Deadline: Coming soon

The Sarbanes-Oxley Act of 2002 has rewritten the rules for corporate governance, disclosure and reporting. Good corporate governance and ethical business practices are no longer niceties – they are the law.

Page 20

Regulatory environment and security awareness lead to new customer behavior

New customer security behavior
• Increased awareness of financial liabilities
• Business loss – reputation and $$$
• Prosecution

Privacy & governance regulations
• California law SB 1386
• HIPAA
• Gramm-Leach-Bliley Act
• Sarbanes-Oxley

Hostile environment
• 210 million complaints reported to the FTC identity theft clearinghouse by year-end 2003 (source: FTC)
• 56% of US corporations had unauthorized use of computer systems in 2002 (source: FBI)
• 3,784 software vulnerabilities reported in 2003 (source: CERT)
• SQL Slammer worm caused an estimated $1 billion loss to businesses in January 2003
• ENRON

Page 21

Intersection of Compliance and Product Support

Privacy regulations: California law SB 1386, HIPAA, Gramm-Leach-Bliley Act, Sarbanes-Oxley
Customers: financial institutions, public companies, healthcare, …
Customer Service: SLA & support agreement, on-site support, remote support
Internal controls: accuracy of audit records, security breach reporting, privacy policies, security forensics

Controls & regulations impact: remote support infrastructure, product architecture, privacy policy, Customer Service processes

Products and Customer Service employees are now part of a regulated environment

Page 22

Impact of Compliance on Remote Support

(Diagram: vendor network – Internet – customer network, with the controls each side must be able to show)

Vendor side (CRM, database, web servers, support engineer, vendor network):
• Encryption
• Firewall rules
• Privacy policies
• Authentication
• Role-based access
• Security training
• Process audit
• Remote access logs
• Change control logs
• Support logs

Customer side (firewall, customer network, monitored devices, application servers):
• Host vulnerabilities – AV & O/S updates, active services
• Authentication
• Audit logs
• Access control
• Change control
• Media protection

Bottom line: My network; my rules!
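The vendor-side controls on this slide (remote access logs, change control logs, role-based access, process audit) are the ones a customer’s auditor will ask the vendor to prove. The following is an added example and not EMC’s code or anything the deck describes: a tamper-evident log of remote-support session events in which each entry’s HMAC-SHA256 tag covers the previous entry’s tag, so editing or deleting any record breaks the chain, plus a policy check that every action carries a change ticket and is permitted for the engineer’s role. The field names, sample events, role table and key are constructed assumptions for this example; the intended deployment is that the key is held by the customer’s audit function, not by the engineers whose actions the log records.

```python
import hashlib
import hmac
import json

# Constructed sample (not real EMC data): events a vendor support center might
# record for one remote session against a customer's monitored device.
# Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2004-11-11T14:02:11Z", "engineer": "rse-0417", "role": "remote-support",
     "device": "symmetrix-dmx-01", "action": "session-open", "ticket": "CHG-1182"},
    {"ts": "2004-11-11T14:09:45Z", "engineer": "rse-0417", "role": "remote-support",
     "device": "symmetrix-dmx-01", "action": "collect-diagnostics", "ticket": "CHG-1182"},
    {"ts": "2004-11-11T14:15:02Z", "engineer": "rse-0417", "role": "remote-support",
     "device": "symmetrix-dmx-01", "action": "session-close", "ticket": "CHG-1182"},
]

# Assumed role table: what a remote-support engineer may do on a customer's
# device without an on-site engineer. Anything else is a policy finding.
ROLE_ACTIONS = {"remote-support": {"session-open", "collect-diagnostics", "session-close"}}

# Assumption: the HMAC key is held by the customer's audit function (or a
# separate log service), not by the support engineers whose actions it records.
DEMO_KEY = b"audit-key-held-by-customer"

GENESIS = "0" * 64  # tag of the (non-existent) entry before the first one


def canonical(event: dict) -> bytes:
    # Deterministic serialisation: the same event always produces the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_tag(key: bytes, prev: str, event: dict) -> str:
    # The tag covers the previous tag, so changing or dropping any earlier
    # record invalidates every tag after it.
    return hmac.new(key, prev.encode() + canonical(event), hashlib.sha256).hexdigest()


def append(chain: list, event: dict, key: bytes) -> list:
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"event": dict(event), "prev": prev, "tag": entry_tag(key, prev, event)})
    return chain


def build_chain(events, key: bytes) -> list:
    chain = []
    for event in events:
        append(chain, event, key)
    return chain


def verify(chain: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(entry_tag(key, prev, entry["event"]), entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def policy_findings(chain: list) -> list:
    """Entries that violate the (assumed) remote-access policy: every action
    needs a change ticket and must be permitted for the engineer's role."""
    findings = []
    for i, entry in enumerate(chain):
        ev = entry["event"]
        if not ev.get("ticket"):
            findings.append((i, "no change ticket"))
        if ev["action"] not in ROLE_ACTIONS.get(ev["role"], set()):
            findings.append((i, f"role {ev['role']} may not {ev['action']}"))
    return findings


def tamper_demo(key: bytes):
    """Rewrite one recorded action after the fact and show that verify() catches it."""
    chain = build_chain(SAMPLE_EVENTS, key)
    chain[1]["event"]["action"] = "modify-config"  # the edit an insider might make
    return verify(chain, key)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, DEMO_KEY)
    print("intact:", verify(chain, DEMO_KEY))
    print("policy findings:", policy_findings(chain))
    print("after tampering:", tamper_demo(DEMO_KEY))
```

The chain only proves what was recorded was not altered afterwards; it says nothing about events that were never logged, which is why the customer-side audit logs on the same slide still matter as an independent record to reconcile against.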

Page 23

Understanding the Rules for Remote Support - Guidelines

Engage your customers early and often
– It’s more than market research – understand their business:
• Security policies for remote access
• Compliance requirements
• Availability needs
• Service level agreements
• Additional services
• “WIIFM” (what’s in it for me)
– Include representative customers in design and feature requirements – both end users and network security
– Enlist customers in messaging and deployment strategy

One size doesn’t fit all
Security is a blend of process and technology
Prepare to have your remote support processes audited
Design ‘security friendly’ products

Page 24

Product Security Policy

Defining policies to address security throughout the product lifecycle

Design & Architecture – product feature policy:
• Authentication & authorization
• Audit
• Secure communication
• Password management
• Encryption
• Standardization

Product development – development policy:
• Prevent vulnerabilities: buffer overflow …
• 3rd party product policies: security patches, default configurations

Product QA & testing – security policy validation:
• Product QA in a secure environment
• Security scanning
• Accreditation & certification

Customer Service – remote support policy:
• Privacy policy
• Customer controls
• Vulnerability response policy
• Security patch & antivirus
• Customer role & responsibility

Page 25

Future Trends in Remote Support Technology

• Customers demanding increased availability
– Cost of downtime increasing
• Devices becoming more intelligent
– RFID
– Self-healing architectures
– Autonomic computing
• Millions of devices networked
– 500 million by 2010 (Harbor Research)
• Wireless invasion will increase remote access capabilities
• Regulatory compliance and network expansion will drive security awareness
– Perimeter defense
– End point defense

Page 26

Key Takeaways

• Remote support model can create a competitive advantage
• Remote monitoring and management capabilities will drive new product features and services opportunities
• Regulatory compliance will impact your remote support model
– You will become an extension of a regulated community
– Trust but verify – are your support processes auditable?
• Security must be designed into products; it can’t be “bolted on”
– Integrate security into the product lifecycle
• Security policies are as important as the technology

Page 27

Reference Material

• ISO 17799:2000 – Code of Practice for Information Security Management
• NIST Special Publication 800-70 (draft), The NIST Security Configuration Checklists Program (http://csrc.nist.gov/publications/nistpubs/)
• COBIT – Control Objectives for Information and related Technology, Security Baseline – IT Governance Institute (http://www.isaca.org)
• IETF RFC 2828, Internet Security Glossary (May 2000)
• SANS (SysAdmin, Audit, Network, Security) Institute (http://www.sans.org)
• Common Criteria for IT Security Evaluation (http://csrc.nist.gov/cc/index.html)
• OWASP (Open Web Application Security Project) Top Ten Security Vulnerabilities (http://www.owasp.org/documentation)

Page 28

QUESTIONS?