1 / 24

STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure

STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure. Processes and Procedures. Mike Casey Principal Analyst Contoural Inc. Agenda. Anticipate the impact of future compliance requirements Get agreement on policies & processes Leverage best practices & standards

miach
Download Presentation

STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. STORAGE MANAGEMENT/EXECUTIVE:Managing a Compliant Infrastructure Processes and Procedures Mike Casey Principal Analyst Contoural Inc.

  2. Agenda • Anticipate the impact of future compliance requirements • Get agreement on policies & processes • Leverage best practices & standards • Link compliance with ILM to minimize risks & costs

  3. Anticipate the impact of future compliance requirements • Policy drivers: regulatory compliance, litigation readiness, stakeholder expectations • Anticipate changes and new requirements, by understanding these drivers • Strategy: Understand the common policy goals that drive regulatory activity – and the common technical capabilities that enable organizations to comply

  4. Policy goals drive archiving goals • Litigation readiness • Liabilities and risks • Discovery costs Archivinggoals • Regulatory compliance • Laws • Regulations • Standards • Guidelines • Retention • Security • Efficiency • Operational needs • End-user productivity • Customer service levels • Corporate IPprotection

  5. Foundations of compliance & ILM Archiving Records management • Retention • Retrieval • Disposition • Storagemanagement • Media • Migration • Cost • Recorddefinition • Identification • Classification • Index & search • Security • Integrity • Confidentiality • Accessibility What to save How to save it

  6. Archiving goals and capabilities • Retention goals • Scope (completeness) • Duration Admin. retention Technical retention Physical retention • Security goals • Integrity • Confidentiality (privacy) • Availability (transparency) Technical security Physical security Admin. security Technical efficiency • Efficiency goals • Service levels • Cost reduction Physical efficiency Admin. efficiency

  7. Example: Technical security capabilities HIPAA security rule • 45 CFR 164 -- Subpart C • Security Standards for the Protection ofElectronic Protected Health Information • 164.312 Technical safeguards • (a) Access control. Implement technical policies and procedures... to allow access only to those persons or software programs … • (b) Audit controls. … • (d) Person or entity authentication.. • (e) Transmission security. ... • (e)(2)(ii) Encryption …

  8. Get agreement on policies & processes Compliance initiative: Process steps 1 2 3 Assess Policy Architect Deploy Manage Response to change Ongoing operation

  9. Step one: Assessment 1 • Regulatory compliance • Litigation readiness • Stakeholder expectations

  10. Sarbanes-Oxley Act HIPAA 21 CFR 11, GxP Gramm-Leach-Bliley Act Regulatory compliance Financial services Health services Life sciences Health insurance Health care Drugs Medical devices Insurance Securities Banking United States: Europe: Data Protection Act (UK) and similar laws implementing EU Directives GMP Directive (EU) Basel II Global: ISO 9000

  11. Issue internal retention hold Litigation readiness Court order issued Discovery requested by one party First internal awareness Search, Query Deliver response To the court Result review Discovery request Archive DB User directory Discovery depends on effective archiving

  12. Enterprise views toward e-mail and IM archiving Preserving all e-mail and IM content for long periods is least risky: 29% Not sure42% Deleting all e-mail and IM content on a regular basis is least risky: 21% Other8% Source: Osterman Research

  13. Stakeholder expectations Application perspectives Operational perspectives • CEO • CFO • Records mgr • Compliance Officer • End user • Application admin • Storage admin • System admin • CIO • Legal counsel Legal perspectives Technology perspectives

  14. Example – Retention scope Step two: Policy development 2 POLICY CHOICE IMPACTS Regulatory compliance Litigationreadiness Stakeholderexpectations Save almost nothing Selective deletion Selective retention Save nearly everything

  15. Step two: Policy development (2) Example – Retention periods POLICY CHOICE IMPACTS Regulatory compliance Litigationreadiness Stakeholderexpectations Many, content-based Few, organization-based One for all

  16. Step three: Define architecture and processes 3 • Provide required and recommended capabilities for retention and security • Use technology to enable cost-effective retention, storage and migration over lifecycle • Start with point solutions and information silos if needed, but move toward an integrated ILM architecture as technology evolves

  17. Leverage best practices & standards • Example 1: HIPAA Security Rule • Example 2: Sarbanes-Oxley Act • Example 3: DoD 5015.2 Standard

  18. Example 1: HIPAA

  19. Example 2: Sarbanes-Oxley Act • SEC refers to the COSO framework • Auditors endorse IT control frameworks • COBIT • ISO/IEC 17799 IT Control Objectives for Sarbanes-Oxley IT Governance Institute www.itgi.org and www.isaca.org

  20. Example 3: DoD 5015.2-STD Records Management Applications • C2.2.3.23. RMAs shall enforce data integrity … • C2.2.5.2. The RMA shall prevent unauthorizedaccess to the repository. • C2.2.7.1. The RMA … shall use identification and authentication … • C2.2.7.4. If the RMA provides a web user interface, it shall provide 128-bit encryption • C2.2.6.6.3. RMAs shall delete electronic records … in a manner such that the records cannot be … reconstructed. • C2.2.8.1. The RMA … shall provide an auditcapability to log the actions, date, time, unique object identifier(s) and user…

  21. Link compliance with ILM to minimize risks and costs • Compliance initiatives can minimize risk by establishing policies and processes for response to new regulations – and for anticipating future regulations and standards • Best policy response is commonly to retain more data, for longer retention periods • ILM processes and architecture can help reduce storage and management costs, making increased data retention feasible and affordable

  22. TCO example for e-mail archiving Average costs per e-mail user per year Hard Soft Potential Total POLICY CHOICE Save nothing (delete at 30 days) $3 $19 $80 $102 Hard IT costs • Storage hardware • Archiving software • Operations/IT staff • Maintenance Soft costs • User productivity • Operational costs Potential costs • Litigation discovery • Increased liability • Regulatory discovery • Potential penalties Save nearly everything (primary disk) $204 $0 $6 $210 Save nearly everything intelligently $40 $4 $9 $53

  23. Conclusions • Understand common compliance goals and technical capabilities • Start with business needs assessment: compliance, litigation and stakeholder requirements • Use standards and best practices to guide policies, processes and architecture • Define ILM policies and strategies to enable cost-effective implementation

  24. Questions? • Ask the Expert • Resources • www.searchstorage.com • www.contoural.com • www.graycary.com • www.ostermanresearch.com searchstorage.techtarget.com/ateQuestion/0,289624,sid5_tax295552,00.html

More Related