
Paradox of Data Storage



Presentation Transcript


  1. Paradox of Data Storage
     The Data You Store Can Be Used Against You In A Court of Law
     By: Tim Kormos, Product Manager, LXI Corp.

  2. The Life Blood of Business
     • IT provides the infrastructure that enables business
       • Hardware
       • Network
       • Software
       • Procedures
       • Controls

  3. IT’s Job to Protect Data
     • Latest and Greatest Technologies
       • SAN, NAS
     • High Availability
       • Software and Hardware
     • Disaster Recovery Plans
     • Business Continuity Plans

  4. IT’s Responsibility
     • IT manages the infrastructure that supports business
     • Businesses depend on the accuracy and availability of their data
     • Data is one of a company’s most important assets and should have appropriate policies and controls relative to its value

  5. Backup Strategy
     • Backups provide a point-in-time recovery of critical data
     • Backups are used to recover data that has become lost or damaged
     • Backups make up the largest percentage of planned outages
     • Backups determine the success or failure of disaster recovery plans

  6. Record Retention Strategy
     • The practice of storing documents so that they can be quickly recovered while maintaining the accuracy and integrity of the original document
     • Applies to electronic documents
       • Email, word docs, spreadsheets, instant messages with customers, …
     • Should be kept for the required time, then destroyed

  7. Record Retention Gone Bad
     • Fortune 500 company sued for wrongful termination
     • No record retention policy regarding email
     • Court ordered the company to search all 20,000 backup tapes, estimated cost per tape $1,000

  8. The Paradox
     • Backups
       • The more backups available, the more confidence that recovery is assured
       • More is better
     • Record retention (Archiving)
       • Store data for only as long as it absolutely has to be kept, then destroy it
       • Less is better

  9. Conflicting Goals
     • Backup policies
       • Ensure all data is recovered in the event of an outage, regardless of the type of data
       • Limited number of people have access to data
     • Record Retention policies
       • Ensure that data is kept available for restoration for only as long as required by regulation
       • Numerous people have access to data

  10. Arguments that Don’t Work
     • Crown Life Insurance Company
       • Backups don’t count
     • Wyeth Corp.
       • Cost to recover would be greater than the settlement
     • Prudential Insurance
       • Ordered to pay $1 million penalty for “haphazard” data retention policy
     • Sprint Communications
       • Inappropriate use of data retention policy to avoid pending legal actions

  11. Litigation
     • Reasons for increased use of stored data in litigation
       • Attorneys are more aware of its value
       • Courts recognize its importance
       • The sheer volume: all of it is potential evidence

  12. Regulatory Intervention
     • Other ways your data storage is affected

  13. New Corporate Governance
     • Federal Regulations
       • Sarbanes-Oxley Act of 2002
       • HIPAA – Health Insurance Portability and Accountability Act of 1996
       • Gramm-Leach-Bliley Act
       • IRS Revenue Rulings and Procedures

  14. Sarbanes-Oxley Act of 2002
     • Changes securities regulations, corporate governance, and auditor regulations
     • Response to Enron, WorldCom, …
     • Introduces accountability for fraudulent accounting practices

  15. HIPAA – Health Insurance Portability and Accountability Act of 1996
     • Limits the use and disclosure of individually identifiable health care information
     • Requires health care entities to establish administrative, physical and technical safeguards

  16. Gramm-Leach-Bliley Act
     • Requires financial institutions to take steps to ensure the security and confidentiality of customers’ non-public, personal information
     • Privacy notice must be “clear and conspicuous”
     • Must provide an opt-out process

  17. IRS Rev. Proc. 98-25
     • Computer records must be
       • retained in a retrievable format,
       • made available to the IRS when requested, along with documentation and audit trails that provide evidence of authenticity and integrity,
       • converted from old formats to current ones accessible by IRS representatives, covering sequential files, relational database systems and the detailed transactions involved in EDI commerce.

  18. IRS Rev. Proc. 91-59
     • Records must be
       • maintained and available regardless of the existence of the original software or hardware, and no exceptions are made for deteriorated media.

  19. Federal Rules of Civil Procedure, V. Depositions and Discovery
     • Rule 26: Quick identification and reproduction of requested information
     • Rule 34: Sets the rules for requesting data under Rule 26
     • Firmly establishes how electronic evidence is to be handled in lawsuits

  20. Sobering Consequence
     • Sarbanes-Oxley Act
       • Holds CEO and CFO personally liable for the accuracy of SEC filings, punishable by fines up to $1 Million and 10 years’ imprisonment
     • IRS
       • Individuals willfully failing to supply information may be fined up to $25,000
       • Companies can be fined in excess of $100,000 for failure to comply
     • Courts hand down million dollar penalties for “haphazard” data retention policies

  21. The Challenge
     • How can administrators ensure that both backup and record retention policies, procedures and controls:
       • are implemented
       • make sense
       • work

  22. Key Ingredients
     • Information Security
     • Information Administration
     • Media Management
     • Data Integrity

  23. Information Security
     • Establish procedures and controls that protect
       • Confidentiality – who can see the data
       • Integrity – how data is changed
       • Availability – how data is accessed

  24. Information Management
     • Ensure all stored electronic records are
       • True – created from valid processes
       • Complete – all data is captured
       • Authentic – unchanged
       • Accessible – easily retrieved

  25. Media Management
     • Implement protections that reasonably protect against
       • Loss – disaster, overwritten tapes
       • Alteration – deleting or changing any part of a record or document
       • Destruction – intentional or accidental

  26. Data Integrity
     • Set up processes, procedures and technologies that will ensure
       • Easy identification (Indexing)
       • Quick location
       • Simplified recall
       • Accurate restore
     • For individual files and entire systems
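Slides 24 to 26 ask for records that are authentic (unchanged), protected against alteration, easy to identify and accurately restorable. The following Python script is an added example and is not part of the presentation or of any LXI Corp. product; it shows one concrete way to back those requirements with a check. It indexes a set of records by path, size and SHA-256 digest, then verifies a restored copy against that index and reports every record that is missing, altered or was never indexed. The record paths and contents are constructed sample data.

```python
import hashlib

# Constructed sample records standing in for files in a retention store.
# Paths and contents are made up for this example.
ORIGINAL_RECORDS = {
    "email/2003/q1/0001.eml": b"From: cfo@example.invalid\nSubject: Q1 close\n\nNumbers attached.\n",
    "docs/policy/retention-v2.txt": b"Retention schedule v2: email 3y, tax 7y, HR 5y\n",
    "im/customer/acme/2003-02-14.log": b"[09:01] acme: please confirm order 4471\n",
}


def sha256_hex(data: bytes) -> str:
    """Content digest used as the integrity reference for one record."""
    return hashlib.sha256(data).hexdigest()


def build_index(records: dict[str, bytes]) -> dict[str, dict]:
    """Index every record by path with its size and digest.

    The index is the 'easy identification' and 'quick location' piece: it is
    small, can be stored apart from the media, and tells an auditor what a
    correct restore must contain before the restore is attempted.
    """
    return {
        path: {"size": len(data), "sha256": sha256_hex(data)}
        for path, data in records.items()
    }


def verify_restore(index: dict[str, dict], restored: dict[str, bytes]) -> dict[str, str]:
    """Check a restored set of records against the index.

    Returns path -> problem for every discrepancy: 'missing' (indexed but not
    restored), 'altered' (size or digest differs) or 'unexpected' (restored
    but never indexed). An empty result means an accurate restore.
    """
    problems: dict[str, str] = {}
    for path, entry in index.items():
        data = restored.get(path)
        if data is None:
            problems[path] = "missing"
        elif len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            problems[path] = "altered"
    for path in restored.keys() - index.keys():
        problems[path] = "unexpected"
    return problems


if __name__ == "__main__":
    index = build_index(ORIGINAL_RECORDS)

    # Simulate a restore in which one record was changed in place (same length,
    # so only the digest catches it), one is missing and one stray file appeared.
    restored = dict(ORIGINAL_RECORDS)
    restored["email/2003/q1/0001.eml"] = restored["email/2003/q1/0001.eml"].replace(b"Q1", b"Q2")
    del restored["im/customer/acme/2003-02-14.log"]
    restored["tmp/scratch.bin"] = b"\x00" * 16

    for path, problem in sorted(verify_restore(index, restored).items()):
        print(f"{problem:10s} {path}")
```

Keeping the index separate from the backup media matters: a digest stored on the same tape as the data it protects cannot tell you whether the tape itself was altered.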

  27. Addressing the Paradox
     • Identify a Compliance officer
     • Conduct internal assessment
     • Perform Gap analysis
     • Establish corporate policies relative to internal and external requirements
     • Build processes with controls
     • Implement technologies that enable the policies
     • Educate everyone

  28. Word about Controls
     • Employees execute controls
     • Management designs controls
     • Auditors examine controls
     • Regulators legislate controls

  29. Controls
     • Logical point in a process or work flow that documents the success or failure of the preceding steps
     • Examples
       • Invoice
       • Shipping manifest
       • Order pick list
       • Change request

  30. Control Example
     • Backup occurs
       • Control Point: reports completed and failed backups
     • Tapes put into container
       • Control Point: packing list, compared to the actual contents
     • Container picked up
       • Control Point: signed document at pick up
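Slides 29 and 30 define a control as a point in the work flow that documents the success or failure of the preceding steps, and walk through three such points for an off-site tape run. The Python below is an added example, not code from the presentation or from LXI Corp.; it models those three control points as functions that each return a documented result, chained so that a failure at one point stops the flow and names the point that tripped. The job names, tape labels and receipt fields are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class BackupJob:
    name: str
    tape: str
    status: str  # "completed" or "failed"


@dataclass
class ControlResult:
    """What a control point records: pass/fail plus the findings behind it."""
    ok: bool
    findings: list[str] = field(default_factory=list)


def control_backup_report(jobs: list[BackupJob]) -> tuple[ControlResult, list[str]]:
    """Control point 1: the backup report. Documents which jobs completed and
    which failed, and derives the list of tapes that should leave the site."""
    failed = [j.name for j in jobs if j.status != "completed"]
    expected_tapes = sorted({j.tape for j in jobs if j.status == "completed"})
    result = ControlResult(
        ok=not failed,
        findings=[f"backup job failed: {name}" for name in failed],
    )
    return result, expected_tapes


def control_packing_list(expected_tapes: list[str], container_tapes: list[str]) -> ControlResult:
    """Control point 2: the packing list. The tape list derived from the report
    is compared with the tapes actually placed in the container."""
    missing = sorted(set(expected_tapes) - set(container_tapes))
    extra = sorted(set(container_tapes) - set(expected_tapes))
    findings = [f"tape not in container: {t}" for t in missing]
    findings += [f"unlisted tape in container: {t}" for t in extra]
    return ControlResult(ok=not findings, findings=findings)


def control_pickup(receipt: dict) -> ControlResult:
    """Control point 3: the signed pickup document. Pickup counts as complete
    only when the receipt names the container and carries a signature."""
    findings = []
    if not receipt.get("container_id"):
        findings.append("pickup receipt lacks container id")
    if not receipt.get("signed_by"):
        findings.append("pickup receipt not signed")
    return ControlResult(ok=not findings, findings=findings)


def run_controls(jobs: list[BackupJob], container_tapes: list[str], receipt: dict) -> tuple[str, ControlResult]:
    """Run the three control points in order. Each documents the success or
    failure of the step before it; the flow stops at the first failure and
    reports which control point tripped."""
    report, expected = control_backup_report(jobs)
    if not report.ok:
        return "backup report", report
    packing = control_packing_list(expected, container_tapes)
    if not packing.ok:
        return "packing list", packing
    pickup = control_pickup(receipt)
    if not pickup.ok:
        return "pickup", pickup
    return "complete", pickup


# Constructed sample data for one night's run.
SAMPLE_JOBS = [
    BackupJob("fileserver-full", "T0001", "completed"),
    BackupJob("mail-full", "T0002", "completed"),
    BackupJob("erp-db-full", "T0003", "completed"),
]
SAMPLE_RECEIPT = {"container_id": "C-17", "signed_by": "courier", "date": "2004-01-15"}


if __name__ == "__main__":
    # Good run: every tape from the report is in the container, receipt signed.
    print(run_controls(SAMPLE_JOBS, ["T0001", "T0002", "T0003"], SAMPLE_RECEIPT))
    # Bad run: one tape never made it into the container.
    print(run_controls(SAMPLE_JOBS, ["T0001", "T0002"], SAMPLE_RECEIPT))
```

The value of the chain is that each control point produces a record even when it passes; an auditor can later show not just that tapes left the building, but that the set of tapes matched the set of successful backups on that night.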

  31. Record Retention vs. Backup
     • Data stored for regulatory compliance should be stored separately from general backups
     • Backups should not be used for regulatory compliance
     • Reduce the time backups are kept
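Slide 31 resolves the paradox by separating the two stores: short-lived general backups, and a compliance archive whose contents are kept exactly as long as the schedule requires and then destroyed. The Python below is an added example, not code from the presentation or from LXI Corp.; it applies that rule to a constructed inventory, expiring backups on a short clock and archive records on a per-category schedule, reporting compliance records that have ended up in the backup store, and suspending destruction for anything under legal hold (the situation behind the Sprint case on slide 10). The retention window, schedule, paths and dates are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed operational window for general backups (not a figure from the slides).
BACKUP_RETENTION_DAYS = 35

# Constructed retention schedule, in years per record category. A real schedule
# comes from the applicable regulations, not from this script.
RECORD_RETENTION_YEARS = {"email": 3, "hr": 5, "tax": 7}


@dataclass
class StoredItem:
    path: str
    store: str                  # "backup" (general backups) or "archive" (compliance records)
    created: date
    category: str = ""          # key into RECORD_RETENTION_YEARS for archive items
    compliance_record: bool = False
    legal_hold: bool = False    # destruction suspended while litigation is pending


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry(item: StoredItem) -> date:
    """Date on which the item may be destroyed under its store's rule."""
    if item.store == "backup":
        return item.created + timedelta(days=BACKUP_RETENTION_DAYS)
    return add_years(item.created, RECORD_RETENTION_YEARS[item.category])


def classify(items: list[StoredItem], today: date) -> dict[str, list[str]]:
    """Sort items into destroy / keep / held / misplaced.

    misplaced: a compliance record sitting in the backup store, which slide 31
               says should not happen; it is reported and never destroyed here.
    held:      anything under legal hold, regardless of age.
    """
    out: dict[str, list[str]] = {"destroy": [], "keep": [], "held": [], "misplaced": []}
    for item in items:
        if item.store == "backup" and item.compliance_record:
            out["misplaced"].append(item.path)
        elif item.legal_hold:
            out["held"].append(item.path)
        elif expiry(item) <= today:
            out["destroy"].append(item.path)
        else:
            out["keep"].append(item.path)
    return out


def sample_items() -> list[StoredItem]:
    """Constructed inventory for the example."""
    return [
        StoredItem("backup/2003-11-01/full.tar", "backup", date(2003, 11, 1)),
        StoredItem("backup/2004-01-01/full.tar", "backup", date(2004, 1, 1)),
        StoredItem("archive/email/2000-q2.mbox", "archive", date(2000, 6, 30), "email", True),
        StoredItem("archive/tax/fy2000.pdf", "archive", date(2000, 6, 30), "tax", True),
        StoredItem("backup/2003-11-01/mail.tar", "backup", date(2003, 11, 1), "email", True),
        StoredItem("archive/email/2000-q1.mbox", "archive", date(2000, 1, 1), "email", True, True),
    ]


TODAY = date(2004, 1, 15)  # fixed reference date so the run is reproducible

if __name__ == "__main__":
    for bucket, paths in classify(sample_items(), TODAY).items():
        print(f"{bucket:10s} {paths}")
```

The misplaced bucket is the one to watch in practice: a compliance record that only exists on a 35-day backup will be gone before its retention period ends, and one that exists on both stores keeps the backup tapes discoverable long after they should have been reused.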

  32. Benefits of Compliance
     • Justification for new technologies
       • Centralization
       • Simplification
       • Standardization
     • Vision of technology that
       • Improves the bottom line
       • Reduces risk
       • Eliminates waste

  33. Resources
     • Industry trade organizations
       • Storage Network Industry Association www.snia.org
     • www.soxtoolkit.com
     • www.cio.com/newrules
     • www.hipaadvisory.com
     • www.irch.com
     • www.findlaw.com

  34. Questions
     Contact information: Tkormos@lxicorp.com, 214.260.9005
