
A Regulatory Compliance Renaissance


By Sam Sigarto
COO
Arsenal Digital Solutions

We all know what Sarbanes-Oxley is. We know the challenges it creates, the risks it carries and the penalties it imposes. But do you also know what a tremendous opportunity it holds? For many businesses, it holds the key to a rebirth of your data protection strategies that will forever change the way your business stores, accesses and retains its information.

Originally established to strengthen our practices and policies for protecting, retaining, securing, accessing and destroying financial records, Sarbox has forced us to rethink some very fundamental tenets of our data protection strategies. In turn, Sarbox needs to be viewed as more than just policies, procedures and penalties. It's true that this regulation is creating unprecedented demand on organizations to store more records for longer periods of time. It's also true that it is forcing businesses to increase both the accessibility and security of company information with documented processes to ensure the integrity, accessibility and retrieval of this information. However, with this growing complexity and regulation comes an equally unprecedented opportunity for CIOs to re-evaluate their current storage management solutions, practices and processes. As the old saying goes, "Do not fear the winds of adversity. Remember: a kite rises against the wind rather than with it." In other words, regulations for data security, accessibility and protection offer a unique opportunity to turn these regulatory requirements into a new era of data protection.

In fact, with the potential risk and individual exposure of non-compliance, IT organizations are finding tremendous financial support from their organizations to use the Sarbox deadline as a springboard for implementing new storage solutions and strategies previously unattainable or unaffordable. This demand is reflected in a report on regulatory compliance released by Enterprise Storage Group, which found that expenditures for compliance-related storage products and services could reach $6 billion over the next four years.

One of the leading data protection strategies emerging from this data protection renaissance is remote data protection and the use of off-site facilities to perform real-time backups of increasingly dispersed data. By leveraging the speed of today's networks with the security and accessibility levels of Tier-1 storage facilities, remote data protection helps businesses manage their data to the strict requirements of the Sarbox regulation, practically automatically.

The Catalyst For Change

The goal of Sarbox was to restore investor confidence in the wake of corporate scandals that shook the investment markets to their core during the first few years of this century. However, its impact has grown into a marching order for teams of resources, once dedicated to critical customer-facing projects, to find ways of retrofitting these policies and procedures into an existing storage and backup environment. For many financial companies, Sarbox has become a benchmark for how to store, protect, secure, access and destroy all company data, not just the financial records it was intended to address.

Central among the many challenges Sarbox creates are the rules enforced by the Securities and Exchange Commission (SEC) for implementing internal controls to ensure the accuracy and transparency of corporate financial data. The SEC rules require public company annual reports to contain an internal control report that:

• States management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company

• Identifies the framework used by management to evaluate the effectiveness of the internal control

• Assesses the effectiveness of the internal control as of the end of the company's fiscal year

• States that its auditor issued an attestation report on the management's assessment

The risks for failing to meet these compliance requirements include the infamous Section 404 of Sarbox, which holds CEOs and CFOs accountable for internal controls that support corporate decision making, financial reporting and fraud prevention. Once enacted, company executives will be required to personally attest to the accuracy of their organization's financial statements and the controls implemented to ensure this accuracy. Auditors must certify that the internal controls have been implemented to protect the firm's financial statements. In turn, Sarbox requirements place an unprecedented level of personal responsibility and accountability on a company's executive team. Individual penalties for non-compliance include fines of up to $5 million and imprisonment of up to 20 years.

Out With the Old, In With the New

Experts and analysts agree that these reporting requirements and controls apply to any and all processes, procedures, applications, systems and data involved in calculating and reporting on an organization's financial information. In other words, a company needs to have a documented set of internal rules that control how data is generated, manipulated, recorded and reported.

Because financial transactions and information are heavily dependent on technology, your storage infrastructure is an integral part of your Sarbox compliance strategy. In turn, your IT processes and systems should be designed, implemented and audited to ensure the same levels of compliance, reliability, security, and documentation.

For many organizations, this will require them to rethink how they currently store, secure, provide access to, and manage company information. These organizations will need to develop new policies and procedures to prevent inadvertent or willful deletion, alteration or destruction of any information relevant to corporate financial reporting. In many cases, these policies and procedures will govern non-financial data as well. In the event of a judicial process, companies and their executives will bear the burden of proof to demonstrate that their records or documents were not intentionally altered or destroyed, by documenting proof of security, authenticity, and audit trails of access. As a precaution, companies should plan to retain any and all documents relevant to an audit or review (including supporting documents that contain conclusions, opinions, analyses, or financial data) for a period of seven years following the conclusion of the audit.

Creating Your Own Canvas

For those with the vision to see the future, Sarbox can be seen as a much needed infusion of structure and sense of urgency. By forcing IT organizations to evaluate and implement storage solutions that provide the flexibility and control needed, without dramatically increasing the cost of maintaining their data, it pushes them to establish new and higher levels of service to their organization.

For example, different types of company and financial information will have different storage and retrieval requirements. Each information type will need to be stored, secured, and made accessible for varying retention periods. In addition, certain types of data will also need accessibility procedures and controls to ensure their authenticity and maintain an audit trail of any revisions. Then, at the end of the Sarbox-mandated retention periods, this information must be quickly and completely destroyed. For each of these different types of data with different lifecycles, it is likely that varying types of information will be handled and controlled by different solutions with varying degrees of security, retention and accessibility. Add to this the complexity of geographically dispersed information, an increasingly mobile workforce and constantly changing data, and the issue of data centralization takes on a life of its own. As a result, multiple storage solutions will need to seamlessly co-exist within an organization to manage the various types of data, Sarbox-regulated or not. It is unlikely that any one storage solution can cost-effectively provide this degree of security, control, accessibility and retention duration for all data types.

This, in turn, creates an opportunity for more modular, more efficient storage infrastructures that put the right information into the right employee hands when needed, with the confidence that the information they are using is accurate, protected, reliable and traceable. This can translate into improved business processes and better business relationships with customers, partners and suppliers. In fact, a recent study in InformationWeek found that more than one third of respondents said that compliance is bringing about positive changes in their organization. In addition, in an article in Optimize Magazine by John Parkinson and Stewart Bloom entitled "Surviving Sarbanes-Oxley", the two stated that it isn't until we implement the procedures and practices of compliance that true business value comes to light in the form of strengthened finance, accounting and performance management.

In organizations today of every size, CIOs, compliance officers and IT managers are evaluating new data protection solutions and the associated processes and controls to meet compliance requirements. But many are reluctant, or don't have the time, to migrate to complex or monolithic new storage architectures to manage this compliance. Many of these businesses instead are looking for solutions that not only fulfill their compliance requirements, but that can deliver added value such as reducing downtime, eliminating data loss, reducing storage costs, taking human error out of the process, and enhancing operational efficiency, all at a price point that results in a demonstrable Return on Investment.

The Rebirth of a Storage Solution

Storing and protecting data in the Sarbox era is very different from years past. Today's regulatory-friendly storage solutions must address the data resilience, security, privacy, and accessibility requirements of the different types of data across your dispersed business locations. These solutions also need to guarantee service levels in order to provide businesses with the confidence, control and protection they need to ensure Sarbox storage compliance, while dramatically improving the quality of the service they provide to their customers.

Remote data protection can help businesses quickly and cost-effectively move data off-site for backup reliability, offer multiple levels of data security, and deliver rapid on-demand restores, all without investing in new storage equipment or resources. Most importantly, because of the fast start-up times and minimal resource requirements to set up remote data protection for regulatory compliance, your key resources can stay focused on critical revenue-generating and customer-facing projects.

Here are some of the ways remote data protection ensures Sarbox compliance:

Reliability

Under Sarbox rules, some data must remain available for seven years from the conclusion of an audit or review. In turn, different types of data created across your organization may range in reliability requirements from 95% to 99.9%+. Based on the degree of risk and exposure for each data type, companies need to identify and categorize data by type and provide the appropriate level of protection, recognizing that the greater the reliability rating for a particular data type, the greater the cost to protect and manage that data. Remote data protection uses disk-to-disk backup and retrieval, so you don't have to hope that backup tapes still work years down the road. Data is then preserved on tamperproof media, ensuring the highest level of document authenticity, integrity and security. This provides long-term data retention to protect data and ensure its ready retrieval throughout its lifecycle. In addition, an automated backup and recovery process eliminates manual handling of removable media by personnel, supporting privacy compliance.
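The retention requirements described in this section and under "Out With the Old, In With the New" (records kept for seven years after the audit concludes, tamper-evident storage, and an audit trail of who accessed what and when) can be expressed as a small, checkable control. The following Python is an added example, not code from the article or from Arsenal Digital Solutions; the ComplianceVault class, its in-memory storage and the sample record are assumptions constructed for illustration.

```python
import hashlib
from datetime import date

def retention_end(audit_concluded: date, years: int = 7) -> date:
    """Last day of the retention period: `years` after the audit or review concluded."""
    try:
        return audit_concluded.replace(year=audit_concluded.year + years)
    except ValueError:  # audit concluded on 29 February and the target year is not a leap year
        return audit_concluded.replace(year=audit_concluded.year + years, day=28)

class ComplianceVault:
    """Constructed, in-memory stand-in for write-once retention media with an access log."""

    def __init__(self):
        self.blobs = {}  # record_id -> stored bytes (the 'media'; writable here only to simulate tampering)
        self.meta = {}   # record_id -> {'digest': sha256 hex, 'retention_end': date, 'log': [...]}

    def _log(self, record_id, who, action, when):
        self.meta[record_id]["log"].append((when.isoformat(), who, action))

    def add(self, record_id, content: bytes, audit_concluded: date, who: str, today: date):
        """Retain a record once; the digest taken at ingest is the authenticity reference."""
        if record_id in self.meta:
            raise FileExistsError(f"{record_id} is already retained; records are write-once")
        self.blobs[record_id] = bytes(content)
        self.meta[record_id] = {"digest": hashlib.sha256(content).hexdigest(),
                                "retention_end": retention_end(audit_concluded), "log": []}
        self._log(record_id, who, "stored", today)

    def verify(self, record_id) -> bool:
        # Tamper check: recompute the digest of what is on the media and compare with ingest.
        current = hashlib.sha256(self.blobs[record_id]).hexdigest()
        return current == self.meta[record_id]["digest"]

    def read(self, record_id, who, today):
        """Every retrieval is logged; a record that fails verification is never served."""
        if not self.verify(record_id):
            self._log(record_id, who, "read-refused:integrity", today)
            raise ValueError(f"{record_id} failed its integrity check")
        self._log(record_id, who, "read", today)
        return self.blobs[record_id]

    def destroy(self, record_id, who, today):
        """Destruction is refused, and the attempt logged, until the retention period has ended."""
        end = self.meta[record_id]["retention_end"]
        if today < end:
            self._log(record_id, who, "destroy-refused", today)
            raise PermissionError(f"{record_id} must be retained until {end.isoformat()}")
        del self.blobs[record_id]
        self._log(record_id, who, "destroyed", today)
```

The log kept in `meta[record_id]["log"]` is the audit trail an auditor would ask for; in a real archive it would itself live on write-once storage rather than in memory.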

Security

With the increased visibility of the damage done by viruses, hackers and internal company sabotage, it is easy to feel uneasy about threats to security and privacy. From desktop to server to backup to archival, remote data protection protects data with a secure chain of custody. Whether it is being transferred across network connections, emailed to a colleague, stored on local or server disk drives, or in transit to storage facilities, data has many points at which it can be intercepted, lost or mishandled. With remote data protection, your data is stored at a highly secure, off-site location, ensuring that critical records and communications remain encrypted and protected until needed. The system even provides multiple levels of security for all system, network, and data layers.

Centralization

With an increasingly mobile and geographically dispersed workforce, it is estimated that 60% of company data is created and stored outside of the data center. This data needs to be treated with the same diligence with which centrally created data is stored and protected. Hence it is imperative to implement storage solutions that can centralize this data to ensure it is properly categorized and protected according to the company's verifiable policies and procedures. For instance, critical evidentiary data needs to be archived and stored in various formats, then made available for online retrieval in the event of a regulatory audit, investigation or litigation. The encrypted transport and storage of your data to Disaster Recovery Centers ensures information is protected at a secure facility away from the primary server facility, and made accessible only to those authorized to access it.

Scalability

As the amount of data under regulatory scrutiny continues to increase, today's storage systems need to scale, seemingly on demand, without creating undue operational complexity or undermining reliability and performance. This is true for both centrally managed data and data created and stored at remote offices and locations. Furthermore, infinitely scalable storage infrastructure is designed to keep up with this capacity growth using data life-cycle solutions that meet even the longest-term data retention needs, while minimizing the amount of data storage required.

Accessibility

In today's global service-based economy, 24x7 access to data is the expectation. With Sarbox, this has been made virtually a requirement. In addition, for some data under Sarbox rules, multiple years of backed-up data need to be as readily accessible as data backed up yesterday. Providing this level of recall reliability is of critical concern. As data moves through its lifecycle, it is susceptible to multiple revisions, can be stored in multiple locations and can look like many other documents, putting added pressure on the storage system to have the intelligence to track version control, store copies of files residing in multiple locations, and provide levels of security to access and change stored information. Remote data protection provides a secure, web-based repository available for anytime, anywhere access by authorized personnel. The multi-level authorization ensures confidential restoration and search of electronic records.

Service Quality

Every company has data protection needs, but no two companies' needs are alike. Tolerance levels in Recovery Point Objectives, Recovery Time Objectives, restore times and frequency of backups can vary significantly. Nonetheless, what is consistent across companies of every size and industry is the need to provide the best service quality to their organization at the lowest possible cost. In turn, service quality directly impacts the ROI of the data protection solution. Hence, tuning the service quality to optimize the solution for your business will ultimately determine its effectiveness not only in ensuring Sarbox compliance, but in providing value-added benefits such as reducing downtime and reducing costs while improving backup frequency, reliability and restore times. With remote data protection, service levels are often guaranteed, so your service is financially backed to protect you from loss and downtime disasters.

Embrace the Future of Storage Compliance and Data Protection

Sarbox is changing the future of data protection. The question is, how will your business respond to this change? Will it simply view Sarbox as a set of guidelines and rules to be enacted and complied with? Or will you see this as the catalyst for change, an opportunity to revolutionize the way you store, protect and recover data? With remote data protection, the power to embrace change is easier and closer than ever before.

© 2019 Simplex Knowledge Company. All Rights Reserved.