Paradox of Data Storage
The Data You Store Can Be Used Against You In A Court of Law
By: Tim Kormos, Product Manager, LXI Corp.
The Life Blood of Business
IT provides the infrastructure that enables business:
• Hardware
• Network
• Software
• Procedures
• Controls
© Copyright 2004 LXI Corp.
IT’s Job to Protect Data
• Latest and greatest technologies: SAN, NAS
• High availability software and hardware
• Disaster recovery plans
• Business continuity plans
IT’s Responsibility
• IT manages the infrastructure that supports business
• Businesses depend on the accuracy and availability of their data
• Data is one of a company's most important assets and should have policies and controls appropriate to its value
Backup Strategy
• Backups provide point-in-time recovery of critical data
• Backups are used to recover data that has been lost or damaged
• Backups make up the largest percentage of planned outages
• Backups determine the success or failure of disaster recovery plans
Record Retention Strategy
• The practice of storing documents so that they can be quickly recovered while maintaining the accuracy and integrity of the original document
• Applies to electronic documents: email, word processing documents, spreadsheets, instant messages with customers, …
• Records should be kept for the required time, then destroyed
Record Retention Gone Bad
• Fortune 500 company sued for wrongful termination
• No record retention policy regarding email
• Court ordered the company to search all 20,000 backup tapes, at an estimated cost of $1,000 per tape
The Paradox
Backups
• The more backups available, the more confidence that recovery is assured
• More is better
Record retention (archiving)
• Store data only as long as it absolutely has to be kept, then destroy it
• Less is better
Conflicting Goals
Backup policies
• Ensure all data is recovered in the event of an outage, regardless of the type of data
• A limited number of people have access to the data
Record retention policies
• Ensure that data is kept available for restoration only as long as required by regulation
• Numerous people have access to the data
Arguments that Don’t Work
• Crown Life Insurance Company: backups don't count
• Wyeth Corp.: the cost to recover would be greater than the settlement
• Prudential Insurance: ordered to pay a $1 million penalty for a "haphazard" data retention policy
• Sprint Communications: inappropriate use of a data retention policy to avoid pending legal actions
Litigation
Reasons for the increased use of stored data in litigation:
• Attorneys are more aware of its value
• Courts recognize its importance
• The sheer volume: all of it is potential evidence
Regulatory Intervention
Other ways your data storage is affected
New Corporate Governance
Federal regulations:
• Sarbanes-Oxley Act of 2002
• HIPAA: Health Insurance Portability and Accountability Act of 1996
• Gramm-Leach-Bliley Act
• IRS Revenue Rulings and Procedures
Sarbanes-Oxley Act of 2002
• Changes securities regulations, corporate governance, and auditor regulations
• Response to Enron, WorldCom, …
• Introduces accountability for fraudulent accounting practices
HIPAA
Health Insurance Portability and Accountability Act of 1996
• Limits the use and disclosure of individually identifiable health care information
• Requires health care entities to establish administrative, physical and technical safeguards
Gramm-Leach-Bliley Act
• Requires financial institutions to take steps to ensure the security and confidentiality of customers' non-public personal information
• Privacy notice must be "clear and conspicuous"
• Must provide an opt-out process
IRS Rev. Proc. 98-25
Computer records must be retained in a retrievable format and made available to the IRS when requested, along with documentation and audit trails that provide evidence of authenticity and integrity. This includes:
• converting records in old formats to current formats accessible by IRS representatives
• sequential files as well as relational database systems
• the detailed transactions involved in EDI commerce
IRS Rev. Proc. 91-59
Records must be maintained and be available regardless of the existence of the original software or hardware, and no exceptions are made for deteriorated media.
Federal Rules of Civil Procedure
Title V: Disclosures and Discovery
• Rule 26: quick identification and reproduction of requested information
• Rule 34: sets the rules for requesting data under Rule 26
• Firmly establishes how electronic evidence is to be handled in lawsuits
Sobering Consequence
Sarbanes-Oxley Act
• Holds the CEO and CFO personally liable for the accuracy of SEC filings, punishable by fines of up to $1 million and 10 years imprisonment
IRS
• Individuals willfully failing to supply information may be fined up to $25,000
• Companies can be fined in excess of $100,000 for failure to comply
Courts
• Hand down million-dollar penalties for "haphazard" data retention policies
The Challenge
How can administrators ensure that both backup and record retention policies, procedures and controls:
• are implemented
• make sense
• work
Key Ingredients
• Information Security
• Information Management
• Media Management
• Data Integrity
Information Security
Establish procedures and controls that protect:
• Confidentiality: who can see the data
• Integrity: how data is changed
• Availability: how data is accessed
Information Management
Ensure all stored electronic records are:
• True: created from valid processes
• Complete: all data is captured
• Authentic: unchanged
• Accessible: easily retrieved
Media Management
Implement protections that reasonably protect against:
• Loss: disaster, overwritten tapes
• Alteration: deleting or changing any part of a record or document
• Destruction: intentional or accidental
Data Integrity
Set up processes, procedures and technologies that will ensure:
• Easy identification (indexing)
• Quick location
• Simplified recall
• Accurate restore
for individual files and entire systems
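The retention goals spread across Record Retention Strategy, Information Management, Media Management and Data Integrity (keep records for the required period and then destroy them; keep them authentic and unchanged; protect against alteration; index them so they can be located, recalled and restored accurately) brought together in one added example. This is code written for this edit, not the presenter's or LXI's: a small archive index that fingerprints each record with SHA-256 on ingestion, verifies the fingerprint on recall so altered media is detected rather than silently restored, locates records by class and date, and destroys expired records while honouring a legal hold. The retention periods, record classes, record contents and the legal-hold rule are assumptions; the hold reflects the Sprint point under Arguments that Don't Work, that a retention schedule must not be used to dispose of data once legal action is pending.

```python
import hashlib
from datetime import date, timedelta

# Constructed retention schedule in days. A real schedule comes from the
# compliance officer and counsel; these figures are placeholders.
RETENTION_DAYS = {"email": 3 * 365, "invoice": 7 * 365, "chat": 365}


def fingerprint(content):
    """SHA-256 of the record as stored; recomputed on recall to show it is unchanged."""
    return hashlib.sha256(content).hexdigest()


class RecordArchive:
    """Indexed, integrity-checked record store kept apart from ordinary backups."""

    def __init__(self):
        self.index = {}     # record_id -> metadata: the identification index
        self.media = {}     # record_id -> bytes: stand-in for write-once archive media
        self.holds = set()  # record ids frozen because of pending legal action

    def ingest(self, record_id, record_class, content, created):
        """Archive a record once; dates are ISO strings such as '2004-03-15'."""
        if record_id in self.index:
            raise ValueError(f"{record_id} already archived; archived records are not overwritten")
        created_on = date.fromisoformat(created)
        self.media[record_id] = bytes(content)
        self.index[record_id] = {
            "class": record_class,
            "created": created_on,
            "expires": created_on + timedelta(days=RETENTION_DAYS[record_class]),
            "sha256": fingerprint(content),
        }
        return self.index[record_id]["sha256"]

    def find(self, record_class=None, start=None, end=None):
        """Quick location: filter the index by class and creation-date window."""
        start_on = date.fromisoformat(start) if start else None
        end_on = date.fromisoformat(end) if end else None
        hits = []
        for rid, meta in self.index.items():
            if record_class and meta["class"] != record_class:
                continue
            if start_on and meta["created"] < start_on:
                continue
            if end_on and meta["created"] > end_on:
                continue
            hits.append(rid)
        return sorted(hits)

    def recall(self, record_id):
        """Accurate restore: return the content and whether it still matches its fingerprint."""
        content = self.media[record_id]
        intact = fingerprint(content) == self.index[record_id]["sha256"]
        return content, intact

    def legal_hold(self, record_id):
        """Freeze a record so routine destruction cannot remove it while litigation is pending."""
        self.holds.add(record_id)

    def expired(self, today):
        """Records past their retention date and not on hold: candidates for destruction."""
        today_on = date.fromisoformat(today)
        return sorted(rid for rid, meta in self.index.items()
                      if meta["expires"] <= today_on
                      and rid not in self.holds
                      and "destroyed" not in meta)

    def destroy_expired(self, today):
        """Remove expired content but keep the index entry as evidence of the disposal."""
        destroyed = self.expired(today)
        for rid in destroyed:
            del self.media[rid]
            self.index[rid]["destroyed"] = date.fromisoformat(today)
        return destroyed


def demo():
    """Constructed walkthrough: ingest, detect altered media, hold one record, destroy the rest."""
    archive = RecordArchive()
    archive.ingest("m1", "email", b"From: sales\nTo: customer\n\nQuote attached.", "2004-03-15")
    archive.ingest("i1", "invoice", b"INV-1001 total 4,250.00", "2004-03-16")
    archive.ingest("c1", "chat", b"customer: has my order shipped?", "2004-03-17")
    _, email_intact = archive.recall("m1")
    archive.media["i1"] = b"INV-1001 total 1,250.00"   # simulate media that was altered in place
    _, invoice_intact = archive.recall("i1")
    archive.legal_hold("c1")                            # chat is past retention but litigation is pending
    destroyed = archive.destroy_expired("2007-03-31")
    return email_intact, invoice_intact, destroyed


if __name__ == "__main__":
    print(demo())   # (True, False, ['m1'])
```

The index entry outlives the content on purpose: when a court or regulator asks what happened to a record, "destroyed on this date under this retention class" is a defensible answer, while a record that simply vanishes is not.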
Addressing the Paradox
• Identify a compliance officer
• Conduct an internal assessment
• Perform a gap analysis
• Establish corporate policies relative to internal and external requirements
• Build processes with controls
• Implement technologies that enable the policies
• Educate everyone
Word about Controls
• Employees execute controls
• Management designs controls
• Auditors examine controls
• Regulators legislate controls
Controls
A logical point in a process or workflow that documents the success or failure of the preceding steps
Examples:
• Invoice
• Shipping manifest
• Order pick list
• Change request
Control Example
Step: backup occurs
• Control point: reports completed and failed backups
Step: tapes put into container
• Control point: packing list; compares the list to the actual results
Step: container picked up
• Control point: signed document at pick up
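The three control points on this slide as an added example script. It is written for this edit, not taken from the presentation or from LXI, and is not tied to any real backup product: it parses constructed backup-job log lines in a hypothetical key=value format, produces the completed/failed report, compares the packing list (one tape per completed job) against the tape labels scanned into the container, and checks that the signed pickup receipt references a SHA-256 digest of the container contents. The log format, host and tape names, receipt fields and the digest tie-in are all assumptions; the point is that each control point returns evidence of success or failure rather than relying on someone noticing.

```python
import hashlib
import shlex

# Constructed sample log from a hypothetical backup scheduler (not a real product's format)
BACKUP_LOG = """\
2004-03-15 01:02:11 job=0417 host=erp-db01 tape=LX0452 status=COMPLETED bytes=41231432
2004-03-15 01:45:09 job=0418 host=mail01 tape=LX0453 status=COMPLETED bytes=9912311
2004-03-15 02:10:33 job=0419 host=fileserv02 tape=LX0454 status=FAILED error="media write error"
2004-03-15 02:55:47 job=0420 host=hr-app01 tape=LX0455 status=COMPLETED bytes=2231123
"""

# Constructed: labels the operator scanned while loading the offsite container.
# LX0455 was left behind and an unrelated tape LX0460 was loaded by mistake.
SCANNED_TAPES = ["LX0452", "LX0453", "LX0460"]


def parse_backup_log(text):
    """Turn key=value log lines into dicts; shlex keeps quoted values together."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = shlex.split(line)
        rec = {"date": fields[0], "time": fields[1]}
        for kv in fields[2:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        jobs.append(rec)
    return jobs


def backup_report(jobs):
    """Control point 1: document which jobs completed and which failed."""
    return {
        "completed": [j["job"] for j in jobs if j["status"] == "COMPLETED"],
        "failed": [j["job"] for j in jobs if j["status"] != "COMPLETED"],
    }


def packing_list(jobs):
    """Tapes that belong in the container: one per completed job."""
    return sorted(j["tape"] for j in jobs if j["status"] == "COMPLETED")


def reconcile_container(expected, scanned):
    """Control point 2: compare the packing list with what was actually loaded."""
    expected_set, scanned_set = set(expected), set(scanned)
    return {
        "missing": sorted(expected_set - scanned_set),
        "unexpected": sorted(scanned_set - expected_set),
    }


def manifest_digest(tapes):
    """SHA-256 over the sorted tape list, so a receipt can be tied to one exact manifest."""
    return hashlib.sha256("\n".join(sorted(tapes)).encode()).hexdigest()


def verify_pickup_receipt(receipt, tapes):
    """Control point 3: the signed pickup document must name this exact container contents."""
    problems = []
    if not receipt.get("signature"):
        problems.append("receipt not signed")
    if receipt.get("manifest_sha256") != manifest_digest(tapes):
        problems.append("receipt does not match container contents")
    return problems


def run_control_points(log_text, scanned, receipt):
    """Evaluate the three control points; each result records pass/fail plus the evidence."""
    jobs = parse_backup_log(log_text)
    report = backup_report(jobs)
    diff = reconcile_container(packing_list(jobs), scanned)
    receipt_problems = verify_pickup_receipt(receipt, scanned)
    return [
        {"control": "backup report", "passed": not report["failed"], "detail": report},
        {"control": "packing list", "passed": not (diff["missing"] or diff["unexpected"]), "detail": diff},
        {"control": "pickup receipt", "passed": not receipt_problems, "detail": receipt_problems},
    ]


# Constructed receipt for the container as it actually left the building
SAMPLE_RECEIPT = {
    "container": "C-0317",
    "picked_up": "2004-03-15 07:30",
    "signature": "courier J. Doe / operator R. Lee",
    "manifest_sha256": manifest_digest(SCANNED_TAPES),
}

if __name__ == "__main__":
    for result in run_control_points(BACKUP_LOG, SCANNED_TAPES, SAMPLE_RECEIPT):
        print(f"{result['control']:15} {'PASS' if result['passed'] else 'FAIL'} {result['detail']}")
```

Run as written, the first two control points fail (job 0419 failed, and the container is missing LX0455 while carrying the stray LX0460) and the third passes, because the receipt was signed against what actually left. That is the intended behaviour: the packing-list control is what catches the discrepancy before the courier drives away with the wrong tapes.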
Record Retention vs. Backup
• Data stored for regulatory compliance should be stored separately from general backups
• Backups should not be used for regulatory compliance
• Reduce the time backups are kept
Benefits of Compliance
Justification for new technologies:
• Centralization
• Simplification
• Standardization
A vision of technology that:
• Improves the bottom line
• Reduces risk
• Eliminates waste
Resources
Industry trade organizations: Storage Networking Industry Association, www.snia.org
www.soxtoolkit.com
www.cio.com/newrules
www.hipaadvisory.com
www.irch.com
www.findlaw.com
Questions
Contact information [email protected]
214.260.9005