Compliance

Sarbanes-Oxley (SOX) Overview

Following the public outrage surrounding numerous corporate scandals, a corporate accountability bill sponsored by Senator Paul Sarbanes and Representative Michael Oxley was passed by the United States Congress in 2002. Unlike some of the other compliance legislation that Congress has passed in recent years, the Sarbanes-Oxley Act of 2002 contains broad obligations that apply to all public companies. However, the means of implementing systems that meet the act's requirements are not specifically addressed; they are left to the interpretation of the regulated enterprises. At first glance, it would be understandable to conclude that the legislation has only minimal implications for data storage. This is not the case. The areas of most concern to IT managers center on the handling of specific types of records or documents, specifically the regulations outlined in Title VIII, Section 802.

Criteria for Selecting a Storage Solution

Determining the appropriate solution to help comply with Sarbanes-Oxley or other regulations (SEC 17a-4, country-specific requirements, Law 198) can be a daunting task. Many organizations are taking a step back and rethinking how regulated data should be stored and managed in the compliance era. Any regulatory compliance storage solution must address the data permanence, security/privacy, and auditability requirements of your business. However, there are additional criteria to consider. Choosing a regulatory compliance storage platform is a strategic decision. Your regulatory compliance data will have to be maintained for years to come, and the underlying storage needs will have to fit into your storage management strategy. ESI's specialized architects can help your organization make the right decision. The following are key factors to consider when evaluating a storage solution to comply with SOX requirements:

Reliability

Given the penalties for being unable to produce the requested regulatory data, it is essential that any storage subsystem be online and able to serve data whenever requested. Keep in mind that all data under SOX must remain available for seven years from the conclusion of an audit or review. Storage solutions that are considered highly unreliable (99.9+%) are those that rely exclusively on tape backup and low-end, non-RAID hardware (e.g., very inexpensive disk storage such as desktop disk drives); these pose the greatest IT and regulatory risk.

Performance

High performance can be essential when there is a requirement for atomic storage of individual records (instead of large collections of records). The number of records for many of today's compliant applications can easily grow to the hundreds of millions. Searching for and retrieving the appropriate records within the short time frames mandated by court orders necessitates a high-performance storage system.

Open standards

If the storage utilized does not operate with existing, well-known standards such as CIFS or NFS, applications will need to be customized to work with proprietary APIs. This limits which vendors your business can work with today and in the future.

Investment protection

With shrinking budgets and limited resources, optimal storage utilization is critical to ensure that businesses are able to leverage existing storage devices to satisfy multiple needs (backup, compliance, primary storage) in the most efficient manner.

Security

The storage system should protect against unauthorized internal and external access through robust security features and access controls. Additionally, protection should be provided to disallow unauthorized access to, or deletion of, data.

Scalability

As the amount of data under regulatory purview continues to increase at a rapid pace, the storage systems implemented today should scale seamlessly to meet future capacity requirements without increasing operational complexity or undermining reliability and performance. In addition, because regulatory information can be generated and stored in both major corporate offices and small branch or remote offices, the chosen storage system should have the flexibility to be deployed at any desired storage capacity, small or large.

Migration

One can safely assume that the data will have to be migrated at least once from whatever type of storage it initially resides on, no matter where the data is in its lifecycle. This migration needs to be considered before the initial storage solution is chosen, not after. Of particular importance here is the need to be sure that whatever solution is chosen does not involve any sort of vendor or technology lock-in. The solution must enable safe, secure migration of information from one system to another. A strategy for migrating away from the chosen solution should be part of the evaluation plan. Failure to consider migration strategies simply creates problems later on.