Sarbanes Oxley : Technology : Policy Management

What is Compliance, Really?


How to best protect ALL corporate assets

By Steve Kenniston
Senior Strategist, Data Protection and Archiving Technologies
Connected Corporation

Over the last 18 months, IT professionals have behaved like schools of fish, following one technology trend after another. With regulatory compliance measures such as Sarbanes-Oxley on the horizon, the current technology bouncing ball is email archiving. To this point, a number of IT professionals have recently purchased tools to archive email under the guise of becoming "compliant" in order to satisfy not only Sarbanes-Oxley but also other regulations including Gramm-Leach-Bliley, SEC 17a-4 and NASD 3010 and 3011.

Much of this scramble to invest in an email archiving solution has been the result of pressure from the storage industry, as many vendors have filled the market with hype. However, this scramble has created a potential problem: companies are purchasing tools to solve isolated point problems and risk missing the bigger picture.

What is the Bigger Picture?

Well, if you believe Nicholas Carr (author of "Does IT Matter?" and "IT Doesn't Matter"), then you have to believe that the value inside of IT is the information. If this is true, then IT professionals need to look at more than one segment of their information as it pertains to an application. Corporate IT must take a step back and analyze how their company utilizes all information. Once they understand this, IT can more effectively take advantage of technology to protect and archive information in order to keep safe against compliance-related issues. It is not enough to protect against information being passed solely via email; the same information sitting in the file system is subject to the same regulatory scrutiny, as the paraphrases below note:

- SOX section 802 states:
  "As a result of the document destruction by various businesses and their accounting firms, most notably Enron and Arthur Andersen, Section 802 provides stiff penalties for 'whoever knowingly alters, destroys, mutilates' any record or document with intent to impede an investigation. Penalties include monetary fines and prison time."
- SOX section 404 states:
  Section 404 requires auditors to certify the underlying "controls and processes" that are used to compile the financial results of a company.

While tools such as email archiving technologies provide the important capabilities to index, search and audit messages, email is only half the picture, even though it is the world's largest collaboration tool. Attachments are subject to the same rules and regulations as email, despite the fact that they may reside in a file system rather than in an email.

In order to properly protect the enterprise against any and all compliance rules and regulations, IT must take the following issues into consideration:

- How does this organization use information in the enterprise?
- How does this organization classify information?
- Where does information in this organization reside?
- How is information in this organization protected?

Once these questions are answered, a corporation not only is better poised to protect its intellectual property and save money through storage reduction, but also is on the way to becoming securely compliant.

Categorizing Information to Maximize Benefits

While it is known that good storage and information management practices help the enterprise on all fronts, it is not so clearly understood how an organization can properly categorize information in order to maximize the benefits that this information can provide. The first step in enacting an information management system is to break down any silos within the company and share how information within the company affects each group. Discussions as to how this information can be shared in order to maximize its value are important. It is also important to understand how information is ingested into the company; for example, is it created in the corporation, or is it emailed into the corporation? In addition, a company must understand which information is subject to corporate governance and compliance. Once these decisions are made, it will become much clearer what type of metadata needs to be extracted from the given information in order to begin to set policies as they pertain to that information.

Setting up the proper policies is the most important component of protecting a business and becoming compliant. When served with a discovery request that needs to be fulfilled in a short period of time, companies could end up giving the courts too much information in an effort to be responsive to the request. By doing this, the business is putting itself at even greater risk. Having proper policies that let a company know where its information resides and how to quickly extract that information gives the legal team more time to validate the information and build the appropriate defense.

The next task in categorizing and maximizing a corporation's information would be to identify the best mechanism for capturing metadata from files. After this initial identification, corporations should then set the proper policies on the files in order to best manage the information. There are a number of ways to accomplish this. For example:

- A corporation may want to take advantage of some of the new file system technology that can look into files for metadata and allow IT to create policies based on this metadata. The downside of the file system approach is that this technology is very storage focused. While this approach helps to achieve a good data lifecycle management strategy, it does not help to promote a good information lifecycle management strategy.
- Another option to consider when setting policies to best manage data could be to utilize a document management technology that allows users to put files into the system and assign the appropriate metadata to the file at that time. The administrators of the document management system set up the policies for files with certain metadata tags that allow that document to flow through its lifecycle efficiently. However, the downside of information lifecycle management is that it doesn't necessarily meet all data lifecycle management requirements.

Data Versus Information

Believe it or not, there is a significant difference between "data" and "information." Data are the 1's and 0's that make up information. Managing data really means managing storage growth.

On the other hand, managing information means ensuring that a corporation has the proper business assets, up to date and available, in order to be most competitive. Most of the time, these two management schemes should be in sync and complement one another; however, there could be times when the two conflict. Therefore, it is important to ensure that the business reasons behind decisions about how to manage the information and/or data maximize business value and protection.

An example of where the two could conflict starts with information lifecycle management. There may be document management policies in place stating that each time a document is edited, an additional copy gets created. Not only do these policies eat up storage, they also place a burden on how that information is protected, as well as archived. Ensuring a proper balance between information and data lifecycle management is a difficult challenge, but can ensure maximum value and protection for a business when executed properly.

Understanding what information lives where is also crucial. Knowing how many copies of a piece of information exist, where these copies are, and who has access to them all play a part in better information management, corporate governance, and compliance. When served with a legal discovery notice, the ability to find all copies of the information requested in a timely fashion is imperative. Knowing how a piece of information is distributed, as well as how it is protected, or backed up, will lead to the ability to find all copies quickly and easily.

Obviously, IT would like to have the best of both worlds when trying to solve these difficult corporate challenges. Tools that allow a corporation to archive information and keep a single instance of each piece of information are the ideal. Ultimately, when seeking to become compliant, companies must find tools that can solve the potential problems in all of these areas so that the business can operate in a fiscally smart way and be properly protected.
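The metadata-driven policy, "find every copy" discovery and single-instancing ideas from the sections above, shown together as an added illustration (this is editorial example code, not the author's or Connected Corporation's). The inventory, classification tags and retention periods are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Record:
    location: str                      # where this copy lives (file share, mailbox, ...)
    content: bytes
    tags: dict = field(default_factory=dict)  # metadata captured at ingest/classification

# Constructed inventory: one financial document lives both on the file share
# and as a sent-mail attachment; a marketing draft is unrelated.
INVENTORY = [
    Record("//fileshare/finance/Q3-results.xlsx", b"Q3 revenue 12.4M", {"class": "financial"}),
    Record("mailbox:cfo/sent/0042/Q3-results.xlsx", b"Q3 revenue 12.4M", {"class": "financial"}),
    Record("//fileshare/marketing/draft.docx", b"new tagline ideas", {"class": "general"}),
    Record("//fileshare/home/jdoe/notes.txt", b"misc notes", {}),  # never classified
]

# Retention periods in years and the classes under legal hold: assumed values
# for illustration only, not policy from the article.
RETENTION_YEARS = {"financial": 7, "general": 1}
LEGAL_HOLD_CLASSES = {"financial"}

def fingerprint(rec):
    """Content hash identifies a piece of information regardless of where it sits."""
    return hashlib.sha256(rec.content).hexdigest()

def copies_by_content(inventory):
    """Single-instance view: one hash, every location that holds a copy of it."""
    groups = {}
    for rec in inventory:
        groups.setdefault(fingerprint(rec), []).append(rec)
    return groups

def discovery_request(inventory, classification):
    """Answer 'produce all documents of class X' with every copy, wherever it lives."""
    result = {}
    for h, recs in copies_by_content(inventory).items():
        if any(r.tags.get("class") == classification for r in recs):
            result[h] = sorted(r.location for r in recs)
    return result

def may_delete(rec, age_years):
    """Deletion allowed only when retention has expired and no hold applies.
    Unclassified records are kept until someone classifies them (SOX 802 risk)."""
    cls = rec.tags.get("class")
    if cls is None or cls in LEGAL_HOLD_CLASSES:
        return False
    return age_years >= RETENTION_YEARS[cls]
```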



Steve Kenniston serves as Senior Strategist, Data Protection and Archiving Technologies, for Connected Corporation, a subsidiary of Iron Mountain Incorporated (NYSE: IRM). He previously served several years as an analyst with Enterprise Strategy Group (ESG) focused on data protection within the storage industry.




© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY