Paradox of Data Storage
The Data You Store Can Be Used Against You In A Court of Law
By: Tim Kormos, Product Manager, LXI Corp.

The Life Blood of Business
• IT provides the infrastructure that enables business
  • Hardware
  • Network
  • Software
  • Procedures
  • Controls

IT’s Job to Protect Data
• Latest and Greatest Technologies
  • SAN, NAS
• High Availability
  • Software and Hardware
• Disaster Recovery Plans
• Business Continuity Plans

IT’s Responsibility
• IT manages the infrastructure that supports business
• Businesses depend on the accuracy and availability of their data
• Data is one of a company’s most important assets and should have appropriate policies and controls relative to its value

Backup Strategy
• Backups provide a point-in-time recovery of critical data
• Backups are used to recover data that has become lost or damaged
• Backups make up the largest percentage of planned outages
• Backups determine the success or failure of disaster recovery plans

Record Retention Strategy
• The practice of storing documents so that they can be quickly recovered while maintaining the accuracy and integrity of the original document
• Applies to electronic documents
  • Email, word docs, spreadsheets, instant messages with customers, …
• Records should be kept for the required time, then destroyed
Record Retention Gone Bad
• Fortune 500 company sued for wrongful termination
• No record retention policy regarding email
• Court ordered the company to search all 20,000 backup tapes, at an estimated cost of $1,000 per tape

The Paradox
• Backups
  • The more backups available, the more confidence that recovery is assured
  • More is better
• Record retention (Archiving)
  • Store data for only as long as it absolutely has to be kept, then destroy it
  • Less is better

Conflicting Goals
• Backup policies
  • Ensure all data is recovered in the event of an outage, regardless of the type of data
  • A limited number of people have access to the data
• Record Retention policies
  • Ensure that data is kept available for restoration for only as long as required by regulation
  • Numerous people have access to the data

Arguments that Don’t Work
• Crown Life Insurance Company
  • Backups don’t count
• Wyeth Corp.
  • Cost to recover would be greater than the settlement
• Prudential Insurance
  • Ordered to pay a $1 million penalty for a “haphazard” data retention policy
• Sprint Communications
  • Inappropriate use of a data retention policy to avoid pending legal actions

Litigation
• Reasons for the increased use of stored data in litigation
  • Attorneys are more aware of its value
  • Courts recognize its importance
  • The sheer volume – all of it potential evidence
Regulatory Intervention
• Other ways your data storage is affected

New Corporate Governance
• Federal Regulations
  • Sarbanes-Oxley Act of 2002
  • HIPAA – Health Insurance Portability and Accountability Act of 1996
  • Gramm-Leach-Bliley Act
  • IRS Revenue Rulings and Procedures

Sarbanes-Oxley Act of 2002
• Changes securities regulations, corporate governance, and auditor regulations
• Response to Enron, WorldCom, …
• Introduces accountability for fraudulent accounting practices

HIPAA – Health Insurance Portability and Accountability Act of 1996
• Limits the use and disclosure of individually identifiable health care information
• Requires health care entities to establish administrative, physical and technical safeguards

Gramm-Leach-Bliley Act
• Requires financial institutions to take steps to ensure the security and confidentiality of customers’ non-public, personal information
• Privacy notice must be “clear and conspicuous”
• Must provide an opt-out process

IRS Rev. Proc. 98-25
• Computer records must be
  • retained in a retrievable format,
  • made available to the IRS when requested, along with documentation and audit trails that provide evidence of authenticity and integrity,
  • converted from old formats to current ones accessible to IRS representatives; this covers sequential-file versions of relational database systems and the detailed transactions involved in EDI commerce.

IRS Rev. Proc. 91-59
• Records must be
  • maintained and available regardless of the existence of the original software or hardware; no exceptions are made for deteriorated media.

Federal Rules of Civil Procedure, V. Depositions and Discovery
• Rule 26: Quick identification and reproduction of requested information
• Rule 34: Sets the rules for requesting data under Rule 26
• Firmly establishes how electronic evidence is to be handled in lawsuits

Sobering Consequences
• Sarbanes-Oxley Act
  • Holds the CEO and CFO personally liable for the accuracy of SEC filings, punishable by fines up to $1 million and 10 years imprisonment
• IRS
  • Individuals willfully failing to supply information may be fined up to $25,000
  • Companies can be fined in excess of $100,000 for failure to comply
• Courts hand down million-dollar penalties for “haphazard” data retention policies
The Challenge
• How can administrators ensure that both backup and record retention policies, procedures and controls:
  • are implemented
  • make sense
  • work

Key Ingredients
• Information Security
• Information Administration
• Media Management
• Data Integrity

Information Security
• Establish procedures and controls that protect
  • Confidentiality – who can see the data
  • Integrity – how data is changed
  • Availability – how data is accessed

Information Management
• Ensure all stored electronic records are
  • True – created from valid processes
  • Complete – all data is captured
  • Authentic – unchanged
  • Accessible – easily retrieved

Media Management
• Implement protections that reasonably protect against
  • Loss – disaster, overwritten tapes
  • Alteration – deleting or changing any part of a record or document
  • Destruction – intentional or accidental

Data Integrity
• Set up processes, procedures and technologies that will ensure
  • Easy identification (Indexing)
  • Quick location
  • Simplified recall
  • Accurate restore
• For individual files and entire systems
Addressing the Paradox
• Identify a compliance officer
• Conduct an internal assessment
• Perform a gap analysis
• Establish corporate policies relative to internal and external requirements
• Build processes with controls
• Implement technologies that enable the policies
• Educate everyone

Word about Controls
• Employees execute controls
• Management designs controls
• Auditors examine controls
• Regulators legislate controls

Controls
• A logical point in a process or work flow that documents the success or failure of the preceding steps
• Examples
  • Invoice
  • Shipping manifest
  • Order pick list
  • Change request

Control Example
• Backup occurs
  • Control Point: reports completed and failed backups
• Tapes put into container
  • Control Point: packing list; compares the list to actual results
• Container picked up
  • Control Point: signed document at pick up
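The three control points of the backup example above, as an added reconciliation script (not from the presentation or LXI Corp.): each control point's record is compared with the step before it, and any gap is reported. The record layout and all tape identifiers are constructed sample data, not a real tool's format.

```python
# Added example, not from the presentation: reconciles the three control
# points of the "Control Example" slide. Record layouts and tape ids below
# are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class ControlFindings:
    failed_jobs: list = field(default_factory=list)       # control point 1: backup report
    not_packed: list = field(default_factory=list)        # control point 2: packing list
    unexpected_in_box: list = field(default_factory=list)  # packed but no completed backup
    not_signed_for: list = field(default_factory=list)    # control point 3: pickup receipt


def reconcile(backup_report, packing_list, pickup_receipt):
    """Compare each control point's record with the preceding step.
    backup_report:  {tape_id: "completed" | "failed"} from the backup job report
    packing_list:   set of tape ids placed in the offsite container
    pickup_receipt: set of tape ids on the courier-signed pickup document
    """
    f = ControlFindings()
    f.failed_jobs = sorted(t for t, s in backup_report.items() if s != "completed")
    expected = {t for t, s in backup_report.items() if s == "completed"}
    f.not_packed = sorted(expected - packing_list)        # written but never boxed
    f.unexpected_in_box = sorted(packing_list - expected)  # boxed without a good backup
    f.not_signed_for = sorted(packing_list - pickup_receipt)  # boxed but not receipted
    return f


def control_passed(findings):
    """True only when every control point agrees with the step before it."""
    return not any((findings.failed_jobs, findings.not_packed,
                    findings.unexpected_in_box, findings.not_signed_for))


# Constructed sample run: one failed job, one good tape never packed,
# one packed tape missing from the signed pickup document.
BACKUP_REPORT = {"T001": "completed", "T002": "completed",
                 "T003": "failed", "T004": "completed"}
PACKING_LIST = {"T001", "T002"}
PICKUP_RECEIPT = {"T001"}

if __name__ == "__main__":
    result = reconcile(BACKUP_REPORT, PACKING_LIST, PICKUP_RECEIPT)
    print(result)
    print("control PASSED" if control_passed(result) else "control FAILED")
```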
Record Retention vs. Backup
• Data stored for regulatory compliance should be stored separately from general backups
• Backups should not be used for regulatory compliance
• Reduce the time backups are kept

Benefits of Compliance
• Justification for new technologies
  • Centralization
  • Simplification
  • Standardization
• Vision of technology that
  • Improves the bottom line
  • Reduces risk
  • Eliminates waste

Resources
• Industry trade organizations
  • Storage Network Industry Association: www.snia.org
• www.soxtoolkit.com
• www.cio.com/newrules
• www.hipaadvisory.com
• www.irch.com
• www.findlaw.com

Questions
Contact information: Tkormos@lxicorp.com, 214.260.9005