Assessing Your Storage and Backup for Regulatory Compliance
By Ken Barth
The complicated nature of data management makes backups a crucial issue for I.T. In general, users are concerned about protection from data loss and the risk of being non-compliant. Current backup methods leave crucial data at risk, many organizations fear.
Compliance is one of the most talked-about issues in data management in recent years. As deadlines for federally mandated programs loom near, the issue is becoming more and more important.
Yet, despite all of the discussion and buzz, few organizations have actually implemented a compliance plan as part of their business operations. Perhaps the greatest stumbling block to devising and rolling out compliance plans is widespread confusion as to what the various regulations and legislation require, and what actions organizations must take in order to comply with them.
The challenges facing I.T. managers seem never-ending in the constantly and rapidly changing world of technology. The issue of regulatory compliance adds another murky, albeit important, area of concern. The term 'compliance' is an umbrella term that has come to cover the recent spate of federal and state regulatory legislation dictating how organizations must retain and preserve their vast stores of data.
The impact of such legislation is bound to be widespread, affecting most of corporate America. Furthermore, the confusion over compliance initiatives, their cost, and their potential impact stems from the lack of clearly defined guidelines. In fact, the very term itself continues to grow and expand in what it encompasses.
As it stands, regulatory compliance legislation directly affects private and public companies, particularly those in regulated industries such as government, finance, and health care. In addition, many organizations have come to realize the importance of data as an asset for business operations and continuity. The result is I.T. departments facing new and developing compliance requirements for security and data retention set by their own organizations.
Central to the whole issue of regulatory compliance are three questions:
What data types are subject to archiving?
How long does that data need to be stored and accessible?
What do organizations need to do in order to be compliant?
While there are numerous pieces of legislation that deal with data retention, including the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLB), also known as the Financial Modernization Act of 1999, and the Uniform Electronic Transactions Act (UETA) of 1999, probably the most talked-about and anxiety-producing is the Sarbanes-Oxley Act of 2002.
Sarbanes-Oxley was signed into law by the current President Bush following such high-profile corporate scandals as Enron, Tyco and WorldCom as an attempt to correct problems in the way organizations had been reporting their financial information. Sarbanes-Oxley states what records an organization must archive and for how long those records must be stored (all business records must be saved, including electronic messages, for at least five years and possibly longer).
It does not offer a set of business practices or guidelines on how organizations are to store records, leaving I.T. managers to create archiving programs and procedures that both fulfill the requirements of Sarbanes-Oxley and fit within their budgets. Failure to meet the mandated Fall 2004 deadline for compliance carries severe penalties.