For ISACA Presentation
Digital Data Archiving: “Nice to Have or Need to Have?”
Introduction: AXS-One
- Established over 28 years ago
- AMEX listed for over 10 years
- Prestigious, established customer base within Financial Services, Pharmaceutical, Manufacturing, Transportation, Logistics and other industries for over 10 years
A glossary of terms …
What is digital data? digitize (verb, used with object; Computers): 1. to convert (data) to digital form for use in a computer. 2. to convert (analogous physical measurements) to digital form.
What is archiving? archive (noun; verb, used with object): 1. Usually, archives. Documents or records relating to the activities, business dealings, etc., of a person, family, corporation, association, community, or nation. 2. archives, a place where public records or other historical documents are kept. 3. any extensive record or collection of data: The encyclopedia is an archive of world history. The experience was sealed in the archive of her memory. 4. (verb) to place or store in an archive: to vote on archiving the city's historic documents.
Source: Merriam-Webster Online Dictionary
“Governance is about leadership, financial and operational management standards adhering to international best practices. The need for compliance with external regulatory requirements and heightened awareness over information security has meant a requirement to plan policies on how to use IT effectively across the whole organization. Creation of specific governance committees and ROI evaluation to identify which solutions will deliver value are key steps”
Source: Computerworld, 25 March 2005
Adoption of best practices will result in compliance and good governance!
If you have any of these solutions implemented …..
- The core systems required to run your business, usually stored in a RDBMS
- DOCUMENT MANAGEMENT SYSTEM: designed to enable the tracking of documents as they go through various iterations and are handled by different people
- Designed to enable the consolidation of structured data from various disparate systems for reporting and analytics across the organization
You will also be experiencing these problems ….
- Access time: increasing
- Search time: increasing
- Memory problems (RDBMS): increasing
- Backup times: increasing
- Maintenance windows: decreasing
- Database handling: more complex
- Document handling: outward image storage (POs); inward image storage (supplier invoices)
The ongoing challenges for IT are …..
- Leveraging technology investments to date
- Managing storage and associated infrastructure costs
… while ensuring operational efficiencies …
Identifying, tracking, retaining and accessing information … a compliance issue
… considering governance and compliance …
Understanding that …..
Corporate officers, legal counsel, CFOs, CEOs, CIOs and middle managers will be held accountable for records management failures by investors, shareholders, statutory and regulatory bodies.
This compliance risk goes to the heart of an organisation’s policy, statutory, legal and regulatory obligations, the effectiveness of its internal policies, procedures and controls, using technology as an enabler.
Is back-up good enough?
[Architecture diagram: Internet, Router, Firewall, Mail Gateway, Firewall, Email and/or File Server; application sources: SCM (data), CRM (Siebel), Other Apps (transaction data), Financials (data & documents), DMS (Filenet/Documentum); storage devices: Disk/Tape/Jukebox/SAN/NAS]
Not anymore …
Problems that backups address by taking older data offline:
- Access time: can be managed by taking older data offline
- Search time: can be managed by taking older data offline
- Memory problems (RDBMS): can be managed by taking older data offline
- Backup times: can be managed by taking older data offline
- Maintenance windows: can be managed by taking older data offline
- Database handling: can be managed by taking older data offline
- Document handling: can be managed by taking older documents and images offline
Problems that backups create:
- Access time: increased complexity in retrieving current and historical data; increased costs in retrieval of historic information from tape
- Search time: increased complexity in searching across current and historical data
- Maintenance windows: who manages the retention and destruction of the data in accordance with internal policy and external statutory, legal and regulatory requirements?
- Document handling: who manages the retention and destruction of the data in accordance with internal policy and external statutory, legal and regulatory requirements?
While some problems may be solved with backups …. others have been created …
Why are these issues critical?
Data Retention/Management/Destruction
- 65% of companies lack e-mail retention policies and procedures
- 94% of companies fail to retain & archive instant messages (Source: Osterman Research)
- 33% of senior executives and subject matter experts interviewed said their company had no policy in place around digital data and 20% did not know. (Source: “Rules about to change in e-discovery game”, Nov 2006)
Data Retrieval
- 71% of organizations have been required to search through back-up tapes to retrieve one or more electronic records in response to a request from legal, HR, …
- 39% of organizations have been ordered by a court or regulatory body to produce employee e-mail (Source: Osterman Research)
Why are these issues critical?
Data Retrieval (cont’d)
- 36.4% of senior executives and subject matter experts interviewed said their companies had no technologies or policies in place to manage a legal discovery order involving electronic records
- Companies with annual revenues greater than US$1 billion are sometimes juggling as many as 147 lawsuits simultaneously
- Companies with annual revenues less than US$1 billion are sometimes juggling up to 37 lawsuits simultaneously
- One third of firms surveyed spend 2% of gross revenues on litigation expenses, while 10% spend over 5% of gross revenues. (Source: “Rules about to change in e-discovery game”, Nov 2006)
Data Supervision
- 50% of workplace IM users send/receive risky content including attachments, jokes, gossip, confidential info, porn, etc. (Source: Osterman Research)
Why are these issues critical?
Retention, Management, Retrieval and Disposition ……. in HK
- HK Companies Ordinance of 1984: “every company must keep proper books of account … preserved for seven years from the end of the financial year to which the last entry made or matter recorded in them relates.”
- Inland Revenue Ordinance of 1977: “must retain such records for a period of not less than seven years after the completion of the transaction”
- Personal Data (Privacy) Ordinance of 1995: “A data user has a duty to comply with a valid data access request not later than 40 days after receiving that request. Difficulty in searching through records (whether electronic or otherwise) is not regarded as a good excuse for failing to meet the timetable.”
Why are these issues critical?
Retrieval, Search and Destruction ……. in HK
- Basic Law, the rules of court procedure in Hong Kong of 1990: if the parties and their legal advisers do not adopt a ‘sensible and responsible approach in dealing with discovery’, they face cost penalties meted out by the Court
- The Electronic Transactions Ordinance of 2004: “Without prejudice to any rules of evidence, an electronic record shall not be denied admissibility in evidence in any legal proceeding on the sole ground that it is an electronic record”
- HKMA Supervisory Policy Manual: “ensure that all media are adequately protected, and establish secure processes for disposal and destruction of sensitive information in both paper and electronic media”
Why are these issues critical?
Retention, Management, Retrieval and Disposition … elsewhere
- Japan: A version of Sarbanes-Oxley is due to be released in Japan before the end of 2006
- Australia: Attorney-General Rob Hulls said Victoria will be the first State to create a specific document destruction offence whereby a corporation and its employees can be prosecuted in circumstances where there was no direct instruction to destroy a document but it was implied by the corporation’s culture. “In addition to a jail term, individuals can be fined up to $62,886 and corporations can be hit with a $314,430 fine.”
- US: On December 1, 2006, several amendments to the Federal Rules of Civil Procedure regarding a company’s duty to preserve and produce electronically stored information in the face of litigation, or pending litigation, are scheduled to take effect.
Why are these issues critical?
Operational Risk Mitigation …
Source: Wall Street Journal Asia, 13 Feb 2006
So what does all of this mean?
Let’s get back to the basics of the business process from a non-digital perspective, and ask yourself the following questions:
1. Who is the owner of the business process?
2. Who is the owner of the data being stored?
3. How often will the “data owner” or other interested parties need access to this data?
4. How long does this data need to be kept?
5. Who is responsible for the destruction of this data?
So why should IT be responsible for the storage, management, access and destruction of this data, when all they have done is provide technology tools to enable the automation of the above “traditional” business process?
So what does all of this mean? ARCHIVE!!
[Architecture diagram: Internet, Router, Firewall, Mail Gateway, Firewall, Email and/or File Server; Archiving Process, Retrieval Process, Archive Server, Web Server, Storage; application sources: ERP (data), Instant Message (IM), Other Apps (transaction data), Financials (data & documents), DMS (Filenet/Documentum)]
Archiving solutions should solve the BUSINESS of digital data retention, management, retrieval and disposal using TECHNOLOGY as AN ENABLER ……
ARCHIVE for Operational AND Business Benefits
Policy Driven Archiving:
• Compress
• Single Instance
• Index
• Future Proof
• Shortcut/Stub
• Categorise
Message Management: Lotus Notes, MS Exchange, IM
250 File Types: Word Docs, Adobe PDF, PowerPoint, Excel
Text Reports: PCL 5, AFP, Meta Code, EBCDIC, Text
Object Types: Voice, Video, IP Traffic
• Search
• Disclose
• Share
• Retain/Delete
• Case Management
• Supervise
To benefit the business:
• Storage optimisation
• Migration/consolidation of data
• Operational efficiencies
• Compliance
• Knowledge exploitation
Common Myths/Misconceptions about ARCHIVING
- Compliance is a costly exercise
- I need separate solutions to manage all of my corporate data
- Archiving will enforce/enhance our risk management strategy
- The main driver for compliance activities is the fear of the consequences of non-compliance
- There are no strategic solutions available in the marketplace – just point solutions
- Corporate governance encompasses regulatory compliance, legislative compliance and adhering to internal policies
- The only positive consequence of being compliant is staying out of jail
ARCHIVE solutions come in different forms …
Enterprise Content Management (ECM) is any of the strategies and technologies employed in the information technology industry for managing the capture, storage, security, revision control, retrieval, distribution, preservation and destruction of documents and content. ECM especially concerns content imported into or generated from within an organization in the course of its operation, and includes the control of access to this content from outside of the organization's processes.
Information Lifecycle Management (ILM) refers to a wide-ranging set of strategies for administering storage systems on computing devices. Specifically, four categories of storage strategies may be considered under the auspices of ILM:
- Policy
- Management
- Operational
- Infrastructure
Source: www.wikipedia.com
ARCHIVE solutions come in different forms …
Records Management is the practice of identifying, classifying, archiving, preserving, and sometimes destroying records. ISO 15489:2001 defines records management as, "The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".
Source: www.wikipedia.com
“Companies should look for solutions to support multiple regulations and multiple business units”
Source: Business Wire, 12 December 2005
“Through 2008, investment in new technologies will slow as discretionary budgets are diverted to regulatory compliance projects”.
ARCHIVE with Retention and Disposition Rules
Category:      Finance                                  HR                                        Personal                  Unknown
Examples:      Invoice, Purchase Order, Payable, etc.   Sick Leave, Annual Leave, Resume, etc.    Home, Lunch, Joke, etc.   Scanned
Retention:     7 Years                                  12 Months                                 30 Days                   Indefinite
Destruction:   Tape                                     Disk                                      Disk                      Disk
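The retention and disposition table above is the kind of rule set an archive is expected to apply without human intervention, and the earlier slides on policy-driven archiving (Single Instance, Categorise, Retain/Delete) and on discovery orders describe the pieces around it. The following Python sketch is an added example, not code from the presentation or from any AXS-One product. It categorises incoming records with a constructed keyword rule set, stores content single-instance by SHA-256 hash, assigns retention period and media from the table on this slide, and excludes records under legal hold from destruction so that a discovery obligation is not defeated by the disposition schedule. The record layout, the keyword rules and the legal-hold flag are assumptions made for the example.

```python
"""Policy-driven archive: categorise, single-instance, retain, dispose.

Added example, not the presentation's or AXS-One's code. The retention
table mirrors the slide; the keyword classifier, record layout and
legal-hold flag are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention rule per category, from the slide. retention_days None means
# "Indefinite": never scheduled for destruction. 7 years is approximated
# as 7 * 365 days for the example.
POLICY: Dict[str, dict] = {
    "Finance":  {"retention_days": 7 * 365, "media": "Tape"},
    "HR":       {"retention_days": 365,     "media": "Disk"},
    "Personal": {"retention_days": 30,      "media": "Disk"},
    "Unknown":  {"retention_days": None,    "media": "Disk"},
}

# Constructed keyword rules standing in for a real categoriser; first match wins.
KEYWORDS = {
    "Finance":  ("invoice", "purchase order", "payable"),
    "HR":       ("sick leave", "annual leave", "resume"),
    "Personal": ("lunch", "joke", "home"),
}


def categorise(text: str) -> str:
    lowered = text.lower()
    for category, words in KEYWORDS.items():
        if any(w in lowered for w in words):
            return category
    return "Unknown"


@dataclass
class ArchivedRecord:
    record_id: str
    category: str
    media: str
    ingested: date
    content_hash: str
    dispose_on: Optional[date]   # None = indefinite retention
    legal_hold: bool = False


@dataclass
class Archive:
    blobs: Dict[str, bytes] = field(default_factory=dict)   # one copy per distinct hash
    records: List[ArchivedRecord] = field(default_factory=list)

    def ingest(self, record_id: str, content: bytes, ingested: date) -> ArchivedRecord:
        digest = hashlib.sha256(content).hexdigest()
        self.blobs.setdefault(digest, content)          # single-instance storage
        category = categorise(content.decode("utf-8", errors="replace"))
        rule = POLICY[category]
        days = rule["retention_days"]
        dispose_on = ingested + timedelta(days=days) if days is not None else None
        rec = ArchivedRecord(record_id, category, rule["media"], ingested, digest, dispose_on)
        self.records.append(rec)
        return rec

    def place_hold(self, record_id: str) -> None:
        """Legal hold (e.g. a discovery order) suspends the disposition rule."""
        for r in self.records:
            if r.record_id == record_id:
                r.legal_hold = True

    def due_for_destruction(self, today: date) -> List[str]:
        return [r.record_id for r in self.records
                if r.dispose_on is not None and r.dispose_on <= today and not r.legal_hold]

    def destroy(self, today: date) -> List[str]:
        """Drop due records; a blob goes only when no remaining record references it."""
        due = set(self.due_for_destruction(today))
        self.records = [r for r in self.records if r.record_id not in due]
        live = {r.content_hash for r in self.records}
        for h in [h for h in self.blobs if h not in live]:
            del self.blobs[h]
        return sorted(due)


def run_demo() -> dict:
    """Constructed sample messages ingested on 2006-01-01, reviewed 13 months later."""
    archive = Archive()
    start = date(2006, 1, 1)
    archive.ingest("m1", b"Invoice 1234 for purchase order 99", start)
    archive.ingest("m2", b"Invoice 1234 for purchase order 99", start)  # duplicate content
    archive.ingest("m3", b"Request for annual leave next week", start)
    archive.ingest("m4", b"Lunch today? Heard a great joke", start)
    archive.ingest("m5", b"<scanned image, no extractable text>", start)
    archive.place_hold("m3")             # HR record is subject to a discovery order
    later = date(2007, 2, 1)
    return {
        "distinct_blobs": len(archive.blobs),
        "categories": {r.record_id: r.category for r in archive.records},
        "due": archive.due_for_destruction(later),
        "destroyed": archive.destroy(later),
        "remaining": [r.record_id for r in archive.records],
        "blobs_after": len(archive.blobs),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points matter here. Destruction is driven by the record's category and ingest date, never by who wants the space back, which answers the slide's question of who owns retention and disposal; and the legal-hold check sits inside the disposition logic rather than in a separate procedure, so an HR record whose 12 months have elapsed survives as long as the hold stands while a personal message past 30 days is removed. Deleting the shared blob only when its last referencing record is gone is what makes single-instance storage safe to combine with per-record retention.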
ARCHIVE with Portal Access to ALL Data
A few suggestions …
- Ensure there are written policies for traditional and digital record retention, management and disposal.
- Educate users on these policies.
- Educate users regarding the impact of internal policy and external regulatory requirements on their use of e-mail, IM and SMS tools for business purposes.
- Implement the defined policies and associated procedures.
- Determine IT strategy based on the tools required to support the policies and processes defined, implemented and communicated.
Corporate-wide benefits of ARCHIVING
Storage Management:
- Primary storage burdens eased
- SIS and compression
- Data management and disposal
- Integration of data from disparate systems
Operational Efficiency:
- Reduced TCO
- System performance improvements
- Shortened backup timeframes
- DIY search and retrieval
- Achieve quick and measurable ROI
- Greater knowledge exploitation
Compliance:
- Policy adherence
- Statutory adherence
- Regulatory adherence
- Discovery
- Forensics
Corporate Governance Components
[Diagram: Policies/Procedures; Information Repository; Risk Assessment; BPR; Identification and resolution of non-compliant activities; Company Activities: Email, IM, Memos/Spreadsheets, Transactional Data; Corporate Confidence]
DIGITAL DATA ARCHIVING: “Nice to Have or Need to Have?”