Issue of March 2005 



Bracing for the compliance storm

Given the imperative of complying with regulations, companies should face the task head-on and use relevant strategies to smoothen the process.

by Manoj Chugh

Given recent corporate scandals and today's tumultuous economic and political climate, compliance and corporate governance have never been more imperative. While regulations such as Sarbanes-Oxley, the USA Patriot Act, the Gramm-Leach-Bliley Act, and HIPAA receive most of the attention, there are thousands of [American] federal, state, local and [other] country-specific regulations that govern the retention, use, reporting and ultimate disposition of information.

By not complying with these regulations, companies could not only incur fines but could endanger their business. By not actively managing the retention and disposition of this information, companies are exposed to increased legal risks.

An IT storm

Further complicating the picture, business records management and records archiving have not kept pace with the change in technologies. Records today are scattered among information silos of media like paper, microfilm, optical disk and online storage. Some records that have been created electronically (e-mail and voice mail, for example) are not captured or managed at all.

Consequently, CIOs face a perfect IT storm. This raises the question: how do you weather the evolving regulatory environment, the exponential growth of critical information, and the need for rapid, 24/7 access to data?

Information and compliance

It's not just archiving, but the ability to access information that is essential for achieving compliance. The value of this information, however, varies based on unique business needs, internal or external rules, and regulations with which an organisation is obligated to comply. Every organisation has different service levels for different users, which drives evolving information access, retrieval and disposition requirements.

In essence, companies need to protect the right data longer, retrieve it faster, and know when to delete it. As a result, CIOs have been tasked with implementing governance strategies that work across the entire enterprise and manage information holistically to increase performance and efficiency while holding the line on compliance costs.

Compliance initiatives require a multi-faceted approach involving people, policies, processes and technologies. When analysing most rules, regulations, policies and procedures, the required capabilities for information compliance can be summarised into three categories: assured integrity, confidentiality, and accessibility.

Beyond the initial investment of time, personnel and financial resources, compliance is an opportunity for organisations to instill best practices and internal controls, enhance productivity and performance, improve operational efficiencies, and eliminate the risk of losing information.

Achieving compliance through ILM

Information lifecycle management (ILM) provides a strategy for CIOs to apportion IT resources based on how the accumulating information is classified, where it should be stored, and how it will be recovered. There are a number of issues that make an ILM approach attractive for regulatory compliance:

  • Courts of law demand that business records maintained according to regulatory mandates ensure data authenticity and integrity, and are irreproachable. Many regulations, such as HIPAA, require that data be kept safely too, making information security an important part of the equation.
  • Applications are increasingly interdependent, pulling data sets from neighbouring systems. As these interrelationships broaden, compliance at the application level becomes insufficient, making an enterprise-wide ILM process necessary.
  • Not all information is a business record that must be retained. In this new regulatory environment, companies must protect the right data longer and recover it faster, but know when to delete it.

An ILM strategy allows companies to store and move information as regulation, investigation and litigation needs demand. For example, if there is an audit at a financial services firm, the IT department must be able to access that information quickly and easily. So whether it is financial data, client records or old e-mails, this information must be stored according to its changing value over time.

ILM in practice

Using a combination of technologies, including hardware, software and services, ILM helps organisations establish best practices. It also helps achieve compliance through intelligent data classification and the alignment of IT infrastructure with compliance.

To accomplish this, organisations must know the exact kind of information, the application generating it, and where it must be stored. This strategy treats data at a very granular level, enabling CIOs to provide precise information for regulatory purposes.

Classifying information enables IT executives to create a tiered storage infrastructure that matches the regulatory value of data with the corresponding price or performance layer of storage.

As the foundation of an ILM strategy, tiered storage allows companies to store newer, critical and frequently-accessed information in top-tier, high-performance storage so that it is rapidly accessible. Over time, as this information becomes less critical and is accessed less frequently, it is moved to lower-cost, mid-tier storage.

This frees up more expensive, high-end resources to manage the incoming, pertinent information. For corporate governance and regulatory compliance, the fixed content and content-addressed storage tier is preferred because it can be authentically archived and rapidly retrieved.

Another critical component of ILM is reducing management overhead and optimising asset utilisation by assessing storage utilisation, performance and retention requirements. In essence, storage can be allocated or re-allocated based on the value of information to maximise availability, storage resources and application performance.

To further optimise this, an ILM strategy should also have automated policies that ensure information is kept only as long as required and is deleted afterwards. This requires active information management as an ILM component.

For example, an e-mail archiving application will affix a piece of metadata containing a required retention period to each e-mail record. This e-mail record will be archived for the retention period, and then disposed of, further freeing up storage resources. In addition, to protect business-critical information in the event of a planned or unplanned outage, organisations can deploy an extensive disaster recovery and business continuity plan.

Do you comply?

Questions you should ask yourself when considering compliance solutions:

  • Do you have a records retention policy in place? Does your policy apply to all record types and media, including e-mail, financial records, voice, video and other technologies you use in the course of doing business?
  • How fast are you able to find and retrieve documents as part of the discovery process or in response to regulatory agency requests? Do you track your company's costs for legal discovery and litigation support?
  • Can you ensure the authenticity of your documents?
  • Are you able to assign and protect access to certain documents?
  • Can you show a detailed audit trail to establish that your organisation has proper internal controls that are being followed?
  • What are your policies for destruction of documents? How long does the policy require records to be retained, and who has authorisation to destroy them?
  • Do you routinely back up multiple copies of unchanging content, or back up data or records that are not required for compliance?

Weathering the storm

Because compliance is a natural extension of business and information management best practices, it provides the foundation and infrastructure to weather today's and, inevitably, future IT storms: stringent compliance regulations, staggering information growth, and 24/7 accessibility.

By automating and managing the information lifecycle, companies not only meet compliance requirements, but also achieve operational, business and financial benefits. ILM enables them to reduce information protection, management and retrieval costs by eliminating stove-piped compliance/archiving operations, consolidating redundant equipment, and optimising staff deployment.

In addition, employees can access information faster, so they can deliver the highest service levels to end-users and customers. Most importantly, ILM provides the infrastructure and policies required to institute reliable reporting, internal controls and management accountability to reduce the risk of violating retention and privacy requirements.

Manoj Chugh is President, India & SAARC, EMC

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.