STORAGE MANAGEMENT/EXECUTIVE: Managing a Compliant Infrastructure. Processes and Procedures. Mike Casey, Principal Analyst, Contoural Inc.

Feb 25, 2016


Transcript
Page 1: STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure

STORAGE MANAGEMENT/EXECUTIVE:

Managing a Compliant Infrastructure

Processes and Procedures

Mike Casey, Principal Analyst, Contoural Inc.

Page 2

Agenda

Anticipate the impact of future compliance requirements

Get agreement on policies & processes

Leverage best practices & standards

Link compliance with ILM to minimize risks & costs

Page 3

Anticipate the impact of future compliance requirements

Policy drivers: regulatory compliance, litigation readiness, stakeholder expectations

Anticipate changes and new requirements, by understanding these drivers

Strategy: Understand the common policy goals that drive regulatory activity – and the common technical capabilities that enable organizations to comply

Page 4

Policy goals drive archiving goals

Operational needs
• End-user productivity
• Customer service levels
• Corporate IP protection

Litigation readiness
• Liabilities and risks
• Discovery costs

Regulatory compliance
• Laws
• Regulations
• Standards
• Guidelines

Archiving goals

• Retention

• Security

• Efficiency

Page 5

Foundations of compliance & ILM

Records management (what to save):

Record definition
• Identification
• Classification
• Index & search

Retention
• Retrieval
• Disposition

Archiving (how to save it):

Storage management
• Media
• Migration
• Cost

Security
• Integrity
• Confidentiality
• Accessibility

Page 6

Archiving goals and capabilities (goal by control type)

                Administrative      Technical             Physical
Retention       Admin. retention    Technical retention   Physical retention
Security        Admin. security     Technical security    Physical security
Efficiency      Admin. efficiency   Technical efficiency  Physical efficiency

Security goals
• Integrity
• Confidentiality (privacy)
• Availability (transparency)

Retention goals
• Scope (completeness)
• Duration

Efficiency goals
• Service levels
• Cost reduction

Page 7

Example: Technical security capabilities

HIPAA security rule: 45 CFR 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information

164.312 Technical safeguards
• (a) Access control. Implement technical policies and procedures... to allow access only to those persons or software programs …
• (b) Audit controls. …
• (d) Person or entity authentication. …
• (e) Transmission security. ...
• (e)(2)(ii) Encryption …

Security: technical capabilities
• Authentication
• Access controls
• Audit logs
• Backup & recovery
• Media controls
• Data permanence
• E-signatures
• Encryption
• Expungement

Page 8

Get agreement on policies & processes

Compliance initiative: process steps

Response to change:
1. Assess
2. Policy
3. Architect

Ongoing operation:
• Deploy
• Manage

Page 9

Step one: Assessment

• Regulatory compliance
• Litigation readiness
• Stakeholder expectations

Page 10

Regulatory compliance

Industries shown: Financial services (securities, banking, insurance); Health services (health insurance, healthcare); Life sciences (medical devices, drugs)

Europe:
• Data Protection Act (UK) and similar laws implementing EU Directives
• GMP Directive (EU)

United States:
• Sarbanes-Oxley Act
• Gramm-Leach-Bliley Act
• HIPAA
• 21 CFR 11, GxP

Global:
• Basel II
• ISO 9000

Page 11

Litigation readiness

Discovery workflow shown on the slide:
Discovery requested by one party → Court order issued → First internal awareness of the discovery request → Issue internal retention hold → Search, query (Archive DB, User directory) → Result review → Deliver response to the court

Discovery depends on effective archiving

Page 12

Enterprise views toward e-mail and IM archiving

• Preserving all e-mail and IM content for long periods is least risky: 29%
• Deleting all e-mail and IM content on a regular basis is least risky: 21%
• Not sure: 42%
• Other: 8%

Source: Osterman Research

Page 13

Stakeholder expectations

Perspectives: operational, application, legal, technology

Stakeholders: CEO, CFO, Records manager, Compliance officer, Legal counsel, CIO, Storage admin, System admin, Application admin, End user

Page 14

Step two: Policy development

Example – Retention scope

Policy choice (spectrum):
• Save almost nothing
• Selective deletion
• Selective retention
• Save nearly everything

Impacts on policy choice:
• Regulatory compliance
• Litigation readiness
• Stakeholder expectations

Page 15

Step two: Policy development (2)

Example – Retention periods

Policy choice (spectrum):
• Many, content-based
• Few, organization-based
• One for all

Impacts on policy choice:
• Regulatory compliance
• Litigation readiness
• Stakeholder expectations

Page 16

Step three: Define architecture and processes

Provide required and recommended capabilities for retention and security

Use technology to enable cost-effective retention, storage and migration over lifecycle

Start with point solutions and information silos if needed, but move toward an integrated ILM architecture as technology evolves

Page 17

Leverage best practices & standards

Example 1: HIPAA Security Rule
Example 2: Sarbanes-Oxley Act
Example 3: DoD 5015.2 Standard

Page 18

Example 1: HIPAA

Page 19

Example 2: Sarbanes-Oxley Act

IT Control Objectives for Sarbanes-Oxley, IT Governance Institute (www.itgi.org and www.isaca.org)

SEC refers to the COSO framework

Auditors endorse IT control frameworks

• COBIT

• ISO/IEC 17799

Page 20

Example 3: DoD 5015.2-STD (RMA: Records Management Applications)

Security: technical capabilities
• Authentication
• Access controls
• Audit logs
• Backup & recovery
• Media controls
• Data permanence
• E-signatures
• Encryption
• Expungement

• C2.2.3.23. RMAs shall enforce data integrity …
• C2.2.5.2. The RMA shall prevent unauthorized access to the repository.
• C2.2.7.1. The RMA … shall use identification and authentication …
• C2.2.7.4. If the RMA provides a web user interface, it shall provide 128-bit encryption
• C2.2.6.6.3. RMAs shall delete electronic records … in a manner such that the records cannot be … reconstructed.
• C2.2.8.1. The RMA … shall provide an audit capability to log the actions, date, time, unique object identifier(s) and user…
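Two of the DoD 5015.2 clauses above, the audit capability (C2.2.8.1) and data integrity (C2.2.3.23), are commonly met together with a hash-chained audit trail. The example below is added here and is neither Contoural's nor the standard's code; the record ids, users and timestamps are constructed sample data.

```python
import hashlib
import json

# Hash-chained audit trail modelled on the DoD 5015.2-STD clauses quoted on
# the slide: C2.2.8.1 (log action, date, time, object id and user) and
# C2.2.3.23 (data integrity). Added example; not the standard's own code.
GENESIS = "0" * 64  # chain anchor for the first entry


def entry_digest(body):
    # Canonical JSON so the same fields always hash to the same value
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, object_id, date, time):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"date": date, "time": time, "user": user,
                 "action": action, "object_id": object_id, "prev": prev}
        entry["hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Index of the first entry whose content or link was altered, else -1."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or entry_digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def build_sample_log():
    """Constructed sample: a user views, then expunges, one record (hypothetical ids)."""
    log = AuditLog()
    log.record("jdoe", "view", "REC-0001", "2016-02-25", "09:30:00")
    log.record("jdoe", "expunge", "REC-0001", "2016-02-25", "09:31:10")
    log.record("auditor", "export-log", "LOG", "2016-02-25", "17:00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact" if log.verify() == -1 else "tampered")
    log.entries[1]["user"] = "mallory"  # simulate editing a past entry
    print("first bad entry:", log.verify())  # 1
```

The chain only detects edits to what is already written; the latest hash still has to be stored somewhere the log writer cannot alter (a separate system or signed checkpoint) for the integrity claim to hold.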

Page 21

Link compliance with ILM to minimize risks and costs

Compliance initiatives can minimize risk by establishing policies and processes for response to new regulations – and for anticipating future regulations and standards

Best policy response is commonly to retain more data, for longer retention periods

ILM processes and architecture can help reduce storage and management costs, making increased data retention feasible and affordable

Page 22

TCO example for e-mail archiving

Hard IT costs
• Storage hardware
• Archiving software
• Operations/IT staff
• Maintenance

Soft costs
• User productivity
• Operational costs

Potential costs
• Litigation discovery
• Increased liability
• Regulatory discovery
• Potential penalties

Average costs per e-mail user per year, by policy choice:

Policy choice                            Hard   Soft   Potential   Total
Save nothing (delete at 30 days)         $3     $19    $80         $102
Save nearly everything (primary disk)    $204   $0     $6          $210
Save nearly everything intelligently     $40    $4     $9          $53

Page 23

Conclusions

Understand common compliance goals and technical capabilities

Start with business needs assessment: compliance, litigation and stakeholder requirements

Use standards and best practices to guide policies, processes and architecture

Define ILM policies and strategies to enable cost-effective implementation

Page 24

Questions? Ask the Expert

Resources
• www.searchstorage.com
• www.contoural.com
• www.graycary.com
• www.ostermanresearch.com

searchstorage.techtarget.com/ateQuestion/0,289624,sid5_tax295552,00.html