Bracing for the compliance storm
the imperative of complying with regulations, companies should face the task
head-on and use relevant strategies to smoothen the process. by Manoj Chugh
Given recent corporate scandals and today's tumultuous economic and political
climate, compliance and corporate governance have never been more imperative.
While regulations such as Sarbanes-Oxley, the USA Patriot Act, the Gramm-Leach-Bliley
Act, and HIPAA receive most of the attention, there are thousands of [American]
federal, state, local and [other] country-specific regulations that govern the
retention, use, reporting and ultimate disposition of information.
By not complying with these regulations, companies could not only incur fines
but could endanger their business. By not actively managing the retention and
disposition of this information, companies are exposed to increased legal risks.
An IT storm
Further complicating the picture, business records management and records archiving
has not kept pace with the change in technologies. Records today are scattered
among information silos of media like paper, microfilm, optical disk and online
storage. Some records that have been created electronically-e-mail and voice
mail, for example are not captured or managed at all.
Consequently, CIOs face a perfect IT storm. This raises the question: how do
you weather the evolving regulatory environment, the exponential growth of critical
information, and the need for rapid, 24/7 access to data?
Information and compliance
It's not just archiving, but the ability to access information that is essential
for achieving compliance. The value of this information, however, varies based
on unique business needs, internal or external rules, and regulations to which
an organisation is obligated to comply with. Every organisation has different
service levels for different users, which drives evolving information access,
retrieval and disposition requirements.
In essence, companies need to protect the right data longer, retrieve it faster,
and know when to delete it. As a result, CIOs have been tasked with implementing
governance strategies that work across the entire enterprise and manage information
holistically to increase performance and efficiency while holding the line on
Compliance initiatives require a multi-faceted approach involving people, policies,
processes and technologies. When analysing most rules, regulations, policies
and procedures, the required capabilities for information compliance can be
summarised into three categories: assured integrity, confidentiality, and accessibility.
Beyond the initial investment of time, personnel and financial resources, compliance
is an opportunity for organisations to instill best practices and internal controls,
enhance productivity and performance, improve operational efficiencies, and
eliminate the risk of losing information.
Achieving compliance through ILM
Information lifecycle management (ILM) provides a strategy for CIOs to apportion
IT resources based on how the accumulating information is classified, where
it should be stored, and how it will be recovered. There are a number of issues
that make an ILM approach attractive for regulatory compliance:
- Courts of law demand that business records maintained
according to regulatory mandates ensure data authenticity and integrity, and
are irreproachable. Many regulations, such as HIPAA, require that data be
kept safely too, making information security an important part of the equation.
- Applications are increasingly interdependent, pulling
data sets from neighbouring systems. As these interrelationships broaden,
compliance at the application level becomes insufficient, making an enterprise-wide
ILM process necessary.
- Not all information is a business record that must
be retained. In this new regulatory environment, companies must protect the
right data longer and recover it faster, but know when to delete it.
An ILM strategy allows companies to store and move information as regulation,
investigation and litigation needs demand. For example, if there is an audit
at a financial services firm, the IT department must be able to access that
information quickly and easily. So whether it is financial data, client records
or old e-mails, this information must be stored according to its changing value
ILM in practice
Using a combination of technologies, including hardware, software and services,
ILM helps organisations establish best practices. It also helps achieve compliance
through intelligent data classification and IT infrastructures alignment
To accomplish this, organisations must know the exact kind of information, application
generating it, and where it must be stored. This strategy treats data at a very
granular level, enabling CIOs to provide precise information for regulatory
Classifying information enables IT executives to create a tiered storage infrastructure
that matches the regulatory value of data with the corresponding price or performance
layer of storage.
As the foundation of an ILM strategy, tiered storage allows companies to store
newer, critical and frequently-accessed information in top-tier, high-performance
storage so that it is rapidly accessible. Over time, as this information becomes
less critical and is accessed less frequently, it is moved to lower-cost, mid-tier
This frees up more expensive, high-end resources to manage the incoming, pertinent
information. For corporate governance and regulatory compliance, the fixed content
and content-addressed storage tier is preferred because it can be authentically
archived and rapidly retrieved.
Another critical component of ILM is reducing management overhead and optimising
asset utilisation by assessing storage utilisation, performance and retention
requirements. In essence, storage can be allocated or re-allocated based on
the value of information to maximise availability, storage resources and application
To further optimise this, an ILM strategy should also have automated policies
that ensure information is kept only as long as required and is deleted afterwards.
This requires active information management as an ILM component.
For example, an e-mail archiving application will affix a piece of metadata
containing a required retention period to each e-mail record. This e-mail record
will be archived for the retention period, and then disposed of, further freeing
up storage resources. In addition, to protect business-critical information
in the event of a planned or unplanned outage, organisations can deploy an extensive
disaster recovery and business continuity plan.
Do you comply?
you should ask yourself when considering compliance solutions:
- Do you have a records retention policy in place?
Does your policy apply to all record types and media, including e-mail, financial
records, voice, video and other technologies you use in the course of doing
- How fast are you able to find and retrieve documents
as part of the discovery process or in response to regulatory agency requests?
Do you track your company's costs for legal discovery and litigation support?
- Can you ensure the authenticity of your documents?
- Are you able to assign and protect access to certain
- Can you show a detailed audit trail to establish
that your organisation has proper internal controls that are being followed?
- What are your policies for destruction of documents?
How long does the policy require records to be retained, and who has authorisation
to destroy them?
- Do you routinely back up multiple copies of unchanging
content, or back up data or records that are not required for compliance?
Weathering the storm
Because compliance is a natural extension of business and information management
best practices, it provides the foundation and infrastructure to weather today's
and, inevitably, future IT storms, stringent compliance regulations, staggering
information growth, and 24/7 accessibility.
By automating and managing the information lifecycle, companies not only meet
compliance requirements, but also achieve operational, business and financial
benefits. ILM enables them to reduce information protection costs, management
and retrieval by eliminating stove-piped compliance/archiving operations, consolidating
redundant equipment, and optimising staff deployment.
In addition, employees can access information faster, so they can deliver the
highest service levels to end-users and customers. Most importantly, ILM provides
the infrastructure and policies required to institute reliable reporting, internal
controls and management accountability to reduce the risk of violating retention
and privacy requirements.
Manoj Chugh is President, India & SAARC, EMC