
Building an Affordable Practice for Regulation Compliance

Learn how to effectively manage data storage and comply with regulations while maximizing existing technology. This guide covers the changing role of IT, the costs of compliance, risk management, and practical strategies for passing scrutiny.


Presentation Transcript


  1. STORAGE MANAGEMENT/MASTER: Building an Affordable Practice for Regulation Compliance • Getting the most out of existing technology • Marc Farley, President, Building Storage, Inc.

  2. The changing role of IT: From data center managers to data stewards

  3. The IT function will resemble a data library • Searching, archiving and retrieving data

  4. Regulations are forcing the issue • Mandated data management • Privacy, security • Long-term availability

  5. Regulation compliance adds new costs • Planning costs • Legal interpretation, capabilities assessment, solution designs, product evaluations • Technology costs • Hardware and software, maintenance • Operating costs • Day-to-day tasks, reports, audits, coordination • Hidden costs • Obsolescence, failure, proprietary traps

  6. Risk management • What is non-compliance? • Missing data • Slow retrieval • Corporate risks • Fines • Reputation • Personal risks • Jail time (obstruction of justice) • Exposure of incompetence

  7. How to pass scrutiny • Act responsibly • Act reasonably • Act consistently • Keep records

  8. Responsible management (Why didn’t you do this?) • Have a plan with good intentions • Integrate the plan into all deployments • Management commitment and accountability • Managing down to IT line workers to understand problems/opportunities

  9. Reasonable management (2) (Why did you do it this way?) • Average to above-average efforts and staffing • Incremental change, not revolutionary change • Prioritizing areas needing improvement • Cost analysis and rationale

  10. Consistent management (Why did you do it differently this time?) • Adherence to guiding principles • Maintaining and complying with operations schedules • Making measurements (adding metrics where needed) • Minimizing deviations

  11. Document your decisions & work • Meeting notes and decision rationale • Management approval and sign-offs • Strategic initiatives and priorities • Operating plans and schedules • Operations records and logs • Known problems and severity

  12. Getting started is a matter of willpower and words… • A mission statement for IT that includes responsible and thorough data management • Sponsorship from senior corporate management • Adjust job descriptions to include compliance and data management.

  13. …Continuing is systematic work • Disciplined operations • Systematic documentation • Management oversight

  14. Set reasonable expectations • Regulations are new and legal interpretations are likely to change • Set numerous, smaller, incremental, achievable goals

  15. Focus area #1: Re-examining backup • Backup capabilities/conditions • Archiving role of backup • Alternative backups for archiving

  16. Analyze backup capabilities • Analyze available backup logs • Review software releases/updates • Hardware age, errors and wear and tear • Backup metadata growth and pruning • Tape naming conventions

  17. Archiving with your backup system • Review and adjust existing archiving operations as necessary • Monthly, quarterly, yearly? • How are archives identified? • Separate backup jobs or tape copies? • How are restores done? • How would regulatory restores differ?

  18. Analyze archiving operations • Age and wear of tapes used for archiving • How are tapes selected for archiving? • Verify and document test restores from archives • Verify availability of backup metadata for restores. • Review data retention policies • How long are tapes kept? • Is there an expiration policy?

  19. Consider separate backup installations for archiving • If you would consider a separate disk archiving system….. • Why wouldn’t you consider a second backup installation that archives data?

  20. Consider separate backup installations for archiving (2) • Most data exists in the system for 1 month • Most e-mail exists in the system for 1 quarter • Separate software installations may be a good idea • Different metadata is probably a very good idea • Different naming conventions are a good idea • Yearly (new) re-installs may be a good idea • Additional backups can also be used for DR practice and real DR scenarios

  21. Caveats with separate backup installations • May require different backup products • Platform restrictions • Application assumptions • Possible confusion during operations and with tape media management • “Foreign” media could be overwritten by mistake • Confusion during disaster recovery is not good

  22. Focus area #2: Point-in-time snapshots on disk • PIT snapshot capabilities and coverage • Archiving role of snapshots

  23. Purpose of point-in-time snapshots • Disaster recovery • Data versioning • Software/system testing • Backup processing • Archiving (WORM)

  24. Snapshots for archiving • One time write (or copy) • Full snap, not partial • Secondary storage • ATA or SATA disk drives • Can be powered off • Keeps data from being overwritten • Quarterly operations

  25. Final thoughts on meeting regulatory requirements • 4 extra copy cycles per year • Look for things that fall through the cracks • Integrate with other migration/expiration cycles and policies • Redundant copies of all archives are required • Tape copies should suffice • Backup coverage not • Media/devices should be exercised yearly
