Bracing for the compliance storm
Recent corporate scandals, especially in the USA, show that the need for compliance and good corporate governance has never been more pressing. Today's tumultuous economic and political climate puts a premium on these actions. Regulations such as the Data Protection Act, Sarbanes-Oxley and Basel II add to the pressure. Many other regulations, less publicized, contribute as well. They all govern the retention, use, reporting and final disposition of information. This information is growing at an exponential rate.
Not complying with these regulations not only lays organizations open to fines; it can endanger their business should they be unable to access critical information rapidly. If organizations do not manage how this information is kept and disposed of, they expose themselves to increased legal risks.
Business records management and records archiving have not kept pace with changes in technologies. This further complicates the picture. Records today are scattered among information 'silos' of paper, microfilm, microfiche, magnetic tape, optical disk and on-line storage. Much of this technology is becoming obsolete and the records irretrievable. Some records that have been created electronically - email and voice mail, for example - are usually not captured or managed at all.
Chief Information Officers (CIOs) and IT directors thus face a perfect IT storm. How do they weather the evolving regulatory environment, the exponential growth of critical business information and the need for rapid, 24/7 access to information?
Information and compliance
It is not just about archiving. The ability to get at information is also essential for compliance. The value of this information, however, varies with business needs and the internal or external rules with which an organisation is obligated to comply. Every organisation has different service levels, based on different users. These drive evolving needs for information access, retrieval and disposition.
The courts demand that organizations keep their business records according to laws and regulations on data authenticity and integrity. Many regulations require that data be kept safely, too, making information security an important element.
Not all information is a business record that must be retained. In this new regulatory environment, companies must protect the right data longer and recover it faster, but know when to delete it. CIOs therefore must introduce governance strategies that work across the entire enterprise. They must manage information in a coherent fashion, to increase performance and efficiency while toeing the line on compliance.
This demands a multifaceted approach, involving people, policies, processes and technology. Information compliance calls for assured integrity, confidentiality and accessibility. Beyond the initial investment of time, people and money, compliance gives the opportunity to introduce best practices and internal controls. It also is a good time to work on improving productivity and performance and to try to remove the risk of losing information. Compliance can then become a natural outgrowth of a well-managed information infrastructure.
Achieving compliance through information lifecycle management
Information lifecycle management (ILM) provides an approach for CIOs to share out IT resources effectively. It takes account of how accumulating information is classified, where it should be stored and how it will be recovered. An ILM strategy allows companies to store and move information as regulation, investigation and litigation needs demand. For example, if there is an audit at a financial services firm, the IT department must be able to get at the relevant data quickly and relatively easily. Also, data must be stored according to its changing value with time.
A further point is that application programs are increasingly interdependent, extracting data from neighbouring systems. As these interrelationships broaden, program by program compliance is no longer enough. Enterprise-level thinking becomes necessary.
ILM in practice
Organizations facing regulation, investigation or litigation issues must be able to pull authentic, vital data fast. Using a combination of hardware, software and services, ILM helps organizations establish best practices and achieve compliance through intelligent data classification. It also helps align the IT infrastructure with compliance needs.
To do this, organizations must know exactly what kind of information they have, what program produces it and where it must be stored. This makes it simple to keep the right data for the right period of time. This strategy treats data at a detailed level, enabling CIOs to provide precise information for regulatory purposes. Doing so is critical for companies that must deal with many regulations.
Classifying information enables IT executives to create a tiered storage infrastructure. This matches the regulatory value of the data with the relevant type and cost of storage. Often that means calling in outside experts. Tiered storage allows companies to store newer, critical and frequently accessed data in high-performance, 'top tier' storage, so it is rapidly accessible.
In time, as this data becomes less critical and is accessed less often, it is moved to lower-cost, mid-tier storage. This frees the more expensive resources to manage pertinent incoming information. For corporate governance and regulatory compliance, fixed-content and content-addressed storage are preferred. They can be authentically archived and rapidly retrieved.
Another critical component of ILM is reducing management overhead and making the best use of assets. Organizations can allocate or reallocate storage according to the value of data. An ILM strategy should also have automated policies that ensure data is kept only as long as needed and is deleted afterwards. This calls for active information management. For example, email archiving software can annotate each record with details of the retention period. This email record will be archived for the retention period, and then disposed of, releasing more storage. Organizations should also make disaster recovery and business continuity plans.
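The classification, tiering and retention steps described above can be expressed as a small policy engine. The following is an added example written for this article; it is not EMC's software or any product's code. The record categories, retention periods, tier thresholds and sample records are constructed assumptions, and a real retention schedule would come from legal counsel and the applicable regulations. It shows the three decisions an ILM policy has to make for each record: which storage tier it belongs in given how recently it was accessed, whether its retention period has expired, and whether a legal hold overrides disposal, with every decision written to an audit trail.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule in years, keyed by record category.
# Constructed for illustration only; real schedules are set by regulation and counsel.
RETENTION_YEARS = {
    "email": 7,
    "financial": 7,
    "voice": 3,
    "marketing": 1,
}

# Access-recency thresholds (days) that decide the storage tier. Assumed values.
TOP_TIER_MAX_AGE_DAYS = 90
MID_TIER_MAX_AGE_DAYS = 365


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    last_accessed: date
    legal_hold: bool = False  # a hold for investigation or litigation suspends disposal


@dataclass
class Disposition:
    tier: str           # "top", "mid" or "archive"
    action: str         # "retain" or "dispose"
    retention_end: date
    reason: str


def retention_end(record: Record) -> date:
    """Date after which the record may be disposed of, from its creation date."""
    years = RETENTION_YEARS[record.category]
    try:
        return record.created.replace(year=record.created.year + years)
    except ValueError:  # created on 29 February; fall back to 28 February
        return record.created.replace(year=record.created.year + years, day=28)


def storage_tier(record: Record, today: date) -> str:
    """Tier by access recency: hot data stays on top-tier storage, cold data is archived."""
    age = (today - record.last_accessed).days
    if age <= TOP_TIER_MAX_AGE_DAYS:
        return "top"
    if age <= MID_TIER_MAX_AGE_DAYS:
        return "mid"
    return "archive"


def evaluate(record: Record, today: date) -> Disposition:
    """Apply the retention rule, letting a legal hold override an expired period."""
    end = retention_end(record)
    tier = storage_tier(record, today)
    if record.legal_hold:
        return Disposition(tier, "retain", end, "legal hold suspends disposal")
    if today > end:
        return Disposition(tier, "dispose", end, "retention period expired")
    return Disposition(tier, "retain", end, "within retention period")


def run_policy(records, today: date, audit_log: list) -> dict:
    """Evaluate every record and append one audit line per decision."""
    results = {}
    for r in records:
        d = evaluate(r, today)
        results[r.record_id] = d
        audit_log.append(
            f"{today.isoformat()} {r.record_id} category={r.category} "
            f"tier={d.tier} action={d.action} retention_end={d.retention_end.isoformat()} "
            f"reason={d.reason!r}"
        )
    return results


def disposal_candidates(results: dict) -> list:
    """Record ids whose retention has expired and that carry no legal hold."""
    return sorted(rid for rid, d in results.items() if d.action == "dispose")


# Constructed sample records; the evaluation date is fixed so the output is reproducible.
TODAY = date(2024, 9, 1)
SAMPLE_RECORDS = [
    Record("mail-001", "email", date(2016, 3, 1), date(2016, 4, 2)),      # expired, cold
    Record("mail-002", "email", date(2024, 6, 1), date(2024, 8, 20)),     # recent, hot
    Record("fin-001", "financial", date(2017, 1, 15), date(2017, 1, 15), legal_hold=True),
    Record("voice-001", "voice", date(2022, 5, 10), date(2024, 3, 1)),    # retained, mid tier
]

if __name__ == "__main__":
    log = []
    for line in run_policy(SAMPLE_RECORDS, TODAY, log) and log:
        print(line)
    print("disposal candidates:", disposal_candidates(run_policy(SAMPLE_RECORDS, TODAY, [])))
```

The legal-hold check comes before the expiry check on purpose: a policy that disposes of records on schedule regardless of pending litigation is itself a compliance failure, and the audit line records which rule decided each outcome so the trail can be shown to an auditor.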
Do You Comply?
Questions you should ask yourself when considering compliance arrangements:
Do you have a records retention policy? Does it apply to all the record types and media you use while doing business? These include email, financial records, voice and video.
How fast are you able to find and retrieve relevant documents when needed? Do you keep track of your company's costs for legal discovery and litigation support?
Can you ensure the authenticity of your documents?
Are you able to assign and protect access to certain documents?
Can you show a detailed audit trail proving that your organisation has proper internal controls that are being followed?
What are your policies for destroying documents? How long does the policy require records to be retained, and who has authorization to destroy them?
Do you routinely back up multiple copies of unchanging content, or back up data or records that are not required for compliance?
Weathering the Storm
Compliance is a natural extension of best practices in business and information management. It provides the foundation needed to weather current and future IT storms. By automating and managing the information lifecycle, companies not only meet compliance needs but also achieve significant operational, business and financial benefits. Companies can cut the costs of data protection, management and retrieval. Employees can get at data faster, improving service to customers and colleagues. Most important, ILM helps reduce the risk of violating retention and privacy requirements.
***
John Gubernat of EMC contributed this article. Our thanks go to him.
EMC is exhibiting at Storage Expo, which takes place at National Hall, Olympia, London from 13 - 14 October 2004. Now in its fourth year, the show features over 90 exhibitors and a comprehensive free education programme.