STORAGE MANAGEMENT/EXECUTIVE:
Managing a Compliant Infrastructure: Processes and Procedures
Mike Casey, Principal Analyst, Contoural Inc.
Agenda
Anticipate the impact of future compliance requirements
Get agreement on policies & processes
Leverage best practices & standards
Link compliance with ILM to minimize risks & costs
Anticipate the impact of future compliance requirements
Policy drivers: regulatory compliance, litigation readiness, stakeholder expectations
Anticipate changes and new requirements, by understanding these drivers
Strategy: Understand the common policy goals that drive regulatory activity – and the common technical capabilities that enable organizations to comply
Policy goals drive archiving goals
Operational needs: end-user productivity, customer service levels, corporate IP protection
Litigation readiness: liabilities and risks, discovery costs
Regulatory compliance: laws, regulations, standards, guidelines
Archiving goals: retention, security, efficiency
Foundations of compliance & ILM
Records management (what to save):
  Record definition: identification, classification, index & search
  Retention: retrieval, disposition
Archiving (how to save it):
  Storage management: media, migration, cost
  Security: integrity, confidentiality, accessibility
Archiving goals and capabilities
Each archiving goal (retention, security, efficiency) is met through administrative, technical and physical capabilities, giving a 3x3 matrix: administrative, technical and physical retention; administrative, technical and physical security; administrative, technical and physical efficiency.
Security goals: integrity; confidentiality (privacy); availability (transparency)
Retention goals: scope (completeness); duration
Efficiency goals: service levels; cost reduction
Example: Technical security capabilities
HIPAA security rule: 45 CFR Part 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information
164.312 Technical safeguards:
  (a) Access control. Implement technical policies and procedures ... to allow access only to those persons or software programs ...
  (b) Audit controls. ...
  (d) Person or entity authentication. ...
  (e) Transmission security. ...
  (e)(2)(ii) Encryption ...
Security technical capabilities: authentication, access controls, audit logs, backup & recovery, media controls, data permanence, e-signatures, encryption, expungement
Get agreement on policies & processes
Compliance initiative: Process steps
1. Assess  2. Policy  3. Architect  then Deploy and Manage
Steps 1 to 3 are the response to change; deployment and management are ongoing operation.
Step one: Assessment
Assess three sets of drivers:
• Regulatory compliance
• Litigation readiness
• Stakeholder expectations
Regulatory compliance: examples by region and sector (financial services, health services, life sciences)
United States:
  Financial services (securities, banking, insurance): Sarbanes-Oxley Act, Gramm-Leach-Bliley Act
  Health services (health insurance, healthcare): HIPAA
  Life sciences (medical devices, drugs): 21 CFR 11, GxP
Europe:
  Data Protection Act (UK) and similar laws implementing EU Directives
  GMP Directive (EU)
Global:
  Basel II
  ISO 9000
Litigation readiness: the discovery workflow
Discovery requested by one party -> first internal awareness -> court order issued -> issue internal retention hold -> search/query the archive DB and user directory -> result review -> deliver response to the court
Discovery depends on effective archiving
Enterprise views toward e-mail and IM archiving (Source: Osterman Research)
• Preserving all e-mail and IM content for long periods is least risky: 29%
• Deleting all e-mail and IM content on a regular basis is least risky: 21%
• Not sure: 42%
• Other: 8%
Stakeholder expectations
Operational perspectives: CEO, CFO, records manager, compliance officer
Technology perspectives: CIO, storage admin, system admin
Application perspectives: end user, application admin
Legal perspectives: legal counsel
Step two: Policy development
Example: retention scope. Policy choices range from "save almost nothing" through "selective deletion" and "selective retention" to "save nearly everything"; each choice has impacts on regulatory compliance, litigation readiness and stakeholder expectations.
Step two: Policy development (2)
Example: retention periods. Policy choices range from one period for all, through a few organization-based periods, to many content-based periods; again, each choice has impacts on regulatory compliance, litigation readiness and stakeholder expectations.
Step three: Define architecture and processes
Provide required and recommended capabilities for retention and security
Use technology to enable cost-effective retention, storage and migration over the lifecycle
Start with point solutions and information silos if needed, but move toward an integrated ILM architecture as technology evolves
Leverage best practices & standards
Example 1: HIPAA Security Rule
Example 2: Sarbanes-Oxley Act
Example 3: DoD 5015.2 Standard
Example 1: HIPAA (see the HIPAA security rule technical safeguards above)
Example 2: Sarbanes-Oxley Act
IT Control Objectives for Sarbanes-Oxley, IT Governance Institute (www.itgi.org and www.isaca.org)
The SEC refers to the COSO framework; auditors endorse IT control frameworks such as COBIT and ISO/IEC 17799.
Example 3: DoD 5015.2-STD (Records Management Applications, RMAs)
Security technical capabilities: authentication, access controls, audit logs, backup & recovery, media controls, data permanence, e-signatures, encryption, expungement
Selected requirements:
• C2.2.3.23. RMAs shall enforce data integrity ...
• C2.2.5.2. The RMA shall prevent unauthorized access to the repository.
• C2.2.7.1. The RMA ... shall use identification and authentication ...
• C2.2.7.4. If the RMA provides a web user interface, it shall provide 128-bit encryption
• C2.2.6.6.3. RMAs shall delete electronic records ... in a manner such that the records cannot be ... reconstructed.
• C2.2.8.1. The RMA ... shall provide an audit capability to log the actions, date, time, unique object identifier(s) and user ...
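The litigation-hold workflow (issue a retention hold, then search the archive) and the DoD 5015.2 requirements for integrity, disposition and audit logging above describe what a records repository has to do; the following is an added Python example, not code from the presentation or from any RMA product, showing one way those pieces fit together. The class and function names, the retention schedule and the sample records are assumptions constructed for illustration. It keeps a retention schedule, freezes matching records under a named hold, runs disposition that skips held records, and writes every action to a hash-chained audit log whose verify() detects a later edit.

```python
"""Toy records-management core: retention schedule, litigation hold,
disposition and a tamper-evident audit log.

Added example; names, retention periods and sample records are assumptions
constructed for illustration, not part of DoD 5015.2-STD or any product.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule (years per record class).  A real schedule
# comes from the organization's retention policy, not from code.
RETENTION_YEARS = {"email": 3, "contract": 7, "marketing": 1}
GENESIS = "0" * 64


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    owner: str
    content: str


@dataclass
class AuditLog:
    """Append-only log of action, user, object id and time (the C2.2.8.1
    fields).  Each entry carries the SHA-256 of the previous one, so editing
    or dropping any line breaks every later digest."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, action, user, object_id, when):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"action": action, "user": user, "object_id": object_id,
                "when": when.isoformat(), "prev": prev}
        self.entries.append({**body, "digest": self._digest(body)})

    def verify(self):
        """True only if every entry's digest and back-link are intact."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


class Repository:
    def __init__(self):
        self.records = {}
        self.holds = {}          # hold name -> set of frozen record ids
        self.audit = AuditLog()

    def ingest(self, rec, user, today):
        self.records[rec.record_id] = rec
        self.audit.append("ingest", user, rec.record_id, today)

    def place_hold(self, name, predicate, user, today):
        """Litigation hold: freeze every record matching the discovery query."""
        ids = {r.record_id for r in self.records.values() if predicate(r)}
        self.holds[name] = ids
        for rid in sorted(ids):
            self.audit.append(f"hold:{name}", user, rid, today)
        return ids

    def release_hold(self, name, user, today):
        for rid in sorted(self.holds.pop(name, set())):
            self.audit.append(f"release:{name}", user, rid, today)

    @staticmethod
    def expired(rec, today):
        keep = timedelta(days=365 * RETENTION_YEARS[rec.record_class])
        return today >= rec.created + keep

    def run_disposition(self, user, today):
        """Dispose of records past retention unless a hold applies, logging
        each decision.  `del` only drops the reference; non-reconstructible
        deletion (C2.2.6.6.3) also needs media-level controls not shown here."""
        held = set().union(*self.holds.values())
        disposed = []
        for rid, rec in list(self.records.items()):
            if not self.expired(rec, today):
                continue
            if rid in held:
                self.audit.append("disposition-suspended", user, rid, today)
                continue
            del self.records[rid]
            self.audit.append("dispose", user, rid, today)
            disposed.append(rid)
        return disposed


def demo():
    """Ingest three constructed records, place a hold, run disposition, then
    tamper with the log and show that the chain check catches it."""
    repo = Repository()
    t0 = date(2020, 1, 15)
    repo.ingest(Record("m1", "email", t0, "alice", "Q1 forecast"), "sys", t0)
    repo.ingest(Record("m2", "email", t0, "bob", "lunch?"), "sys", t0)
    repo.ingest(Record("c1", "contract", t0, "alice", "vendor MSA"), "sys", t0)
    held = repo.place_hold("case-42", lambda r: r.owner == "alice",
                           "counsel", date(2022, 6, 1))
    disposed = repo.run_disposition("sys", date(2023, 3, 1))  # e-mails expired
    intact = repo.audit.verify()
    repo.audit.entries[1]["user"] = "mallory"   # simulated after-the-fact edit
    return held, disposed, intact, repo.audit.verify()


if __name__ == "__main__":
    print(demo())  # held {'m1', 'c1'}, disposed ['m2'], True, False
```

In the demo both e-mails are past their three-year retention on the disposition date, but only m2 is disposed; m1 is on the case-42 hold and its suspended disposition is logged rather than silently skipped, which is the record a court or auditor will ask for. Changing one field in an earlier audit entry makes verify() fail, because every later digest chains to it; in production the chain head would additionally be anchored somewhere the RMA administrator cannot rewrite.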
Link compliance with ILM to minimize risks and costs
Compliance initiatives can minimize risk by establishing policies and processes for response to new regulations, and for anticipating future regulations and standards
The best policy response is commonly to retain more data, for longer retention periods
ILM processes and architecture can help reduce storage and management costs, making increased data retention feasible and affordable
TCO example for e-mail archiving
Cost categories:
  Hard IT costs: storage hardware, archiving software, operations/IT staff, maintenance
  Soft costs: user productivity, operational costs
  Potential costs: litigation discovery, increased liability, regulatory discovery, potential penalties
Average costs per e-mail user per year, by policy choice:
  Policy choice                               Hard    Soft   Potential   Total
  Save nearly everything intelligently        $40     $4     $9          $53
  Save nearly everything (primary disk)       $204    $0     $6          $210
  Save nothing (delete at 30 days)            $3      $19    $80         $102
Conclusions
Understand common compliance goals and technical capabilities
Start with a business needs assessment: compliance, litigation and stakeholder requirements
Use standards and best practices to guide policies, processes and architecture
Define ILM policies and strategies to enable cost-effective implementation
Questions?
Ask the Expert
Resources
• www.searchstorage.com
• www.contoural.com
• www.graycary.com
• www.ostermanresearch.com
• searchstorage.techtarget.com/ateQuestion/0,289624,sid5_tax295552,00.html