STORAGE MANAGEMENT / EXECUTIVE: Managing a Compliant Infrastructure: Processes and Procedures
Mike Casey, Principal Analyst, Contoural Inc.

Agenda
- Anticipate the impact of future compliance requirements
- Get agreement on policies & processes
- Leverage best practices & standards
- Link compliance with ILM to minimize risks & costs

Anticipate the impact of future compliance requirements
- Policy drivers: regulatory compliance, litigation readiness, stakeholder expectations
- Anticipate changes and new requirements by understanding these drivers
- Strategy: understand the common policy goals that drive regulatory activity, and the common technical capabilities that enable organizations to comply

Policy goals drive archiving goals
- Operational needs: end-user productivity, customer service levels, corporate IP protection
- Litigation readiness: liabilities and risks, discovery costs
- Regulatory compliance: laws, regulations, standards, guidelines
- Archiving goals: retention, security, efficiency

Foundations of compliance & ILM
- Records management (what to save): record definition, identification, classification, retention, disposition
- Archiving (how to save it): index & search, retrieval, security (integrity, confidentiality, accessibility)
- Storage management: media, migration, cost

Archiving goals and capabilities
Each goal maps to three kinds of capability: administrative, technical and physical (administrative security, technical security, physical security; administrative retention, technical retention, physical retention; administrative efficiency, technical efficiency, physical efficiency).
- Security goals: integrity, confidentiality (privacy), availability (transparency)
- Retention goals: scope (completeness), duration
- Efficiency goals: service levels, cost reduction

Example: technical security capabilities (HIPAA Security Rule)
45 CFR Subpart C, Security Standards for the Protection of Electronic Protected Health Information, technical safeguards:
- (a) Access control. Implement technical policies and procedures ... to allow access only to those persons or software programs ...
- (b) Audit controls ...
- (d) Person or entity authentication ...
- (e) Transmission security ... (e)(2)(ii) Encryption ...

Get agreement on policies & processes
Compliance initiative, process steps:
1. Assess
2. Policy
3. Architect
Followed by Deploy and Manage (ongoing operation), with response to change feeding back into the cycle.

Step one: Assessment
- Regulatory compliance
- Litigation readiness
- Stakeholder expectations

Regulatory compliance (examples by region and industry)
- Europe: Data Protection Act (UK) and similar laws implementing EU Directives; GMP Directive (EU)
- United States: Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, HIPAA, 21 CFR 11, GxP
- Global: Basel II, ISO 9000
- Industries covered: financial services (securities, banking, insurance), health services (health insurance, health care), life sciences (medical devices, drugs)

Litigation readiness
Discovery process: discovery requested by one party; court order issued; first internal awareness of the discovery request; issue internal retention hold; search and query the archive, databases and user directory; review results; deliver response to the court.
Discovery depends on effective archiving.

Enterprise views toward [e-mail] and IM archiving (source: Osterman Research)
- Preserving all [e-mail] and IM content for long periods is least risky: 29%
- Deleting all [e-mail] and IM content on a regular basis is least risky: 21%
- Not sure: 42%
- Other: 8%

Stakeholder expectations
Perspectives: operational, application, legal, technology
Stakeholders: CEO, CFO, CIO, records manager, compliance officer, legal counsel, storage admin, system admin, application admin, end user

Step two: Policy development
Example: retention scope. Policy choices range from "save almost nothing" through "selective deletion" and "selective retention" to "save nearly everything"; each choice has impacts on regulatory compliance, litigation readiness and stakeholder expectations.

Step two: Policy development (continued)
Example: retention periods. Policy choices range from many content-based periods, through a few organization-based periods, to one period for all; each choice has impacts on regulatory compliance, litigation readiness and stakeholder expectations.

Step three: Define architecture and processes
- Provide required and recommended capabilities for retention and security
- Use technology to enable cost-effective retention, storage and migration over the lifecycle
- Start with point solutions and information silos if needed, but move toward an integrated ILM architecture as technology evolves
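Steps one to three can be tied together in code: a content-based retention schedule (the retention-period choice from step two), a disposition decision that applies it (a retention capability from step three), and the internal retention hold from the litigation-readiness slide overriding disposition whenever a discovery request is known. The following is an added example written for this page, not code from the presentation; the record classes, retention periods, hold scope and sample records are all constructed assumptions.

```python
# Added illustrative example (not from the presentation): retention schedule,
# disposition decision and legal hold. Record classes, periods and sample
# records are all constructed for this example.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Content-based retention schedule (the "many, content-based" policy choice).
# Periods in days; None means retain indefinitely. Periods are illustrative.
RETENTION_SCHEDULE: Dict[str, Optional[int]] = {
    "financial_record": 7 * 365,
    "patient_record": 6 * 365,
    "general_email": 90,
    "corporate_ip": None,
}


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    custodian: str


@dataclass
class LegalHold:
    """Internal retention hold issued once a discovery request becomes known."""
    hold_id: str
    custodians: Set[str] = field(default_factory=set)
    record_classes: Set[str] = field(default_factory=set)

    def applies_to(self, rec: Record) -> bool:
        return rec.custodian in self.custodians or rec.record_class in self.record_classes


def retention_expiry(rec: Record) -> Optional[date]:
    """Date after which the record is eligible for disposition, or None if kept indefinitely.
    An unknown class is treated as indefinite: disposing of unclassified data is the riskier error."""
    days = RETENTION_SCHEDULE.get(rec.record_class)
    if days is None:
        return None
    return rec.created + timedelta(days=days)


def disposition(rec: Record, holds: List[LegalHold], today: date) -> str:
    """Return 'hold', 'retain' or 'dispose'. A legal hold always overrides expiry."""
    if any(h.applies_to(rec) for h in holds):
        return "hold"
    expiry = retention_expiry(rec)
    if expiry is None or today < expiry:
        return "retain"
    return "dispose"


def run_disposition(records: List[Record], holds: List[LegalHold], today: date) -> Dict[str, str]:
    """Disposition decision per record; nothing is deleted here, the caller acts on the result."""
    return {r.record_id: disposition(r, holds, today) for r in records}


# Constructed sample data.
SAMPLE_RECORDS = [
    Record("R1", "general_email", date(2023, 6, 1), "alice"),
    Record("R2", "general_email", date(2023, 12, 1), "bob"),
    Record("R3", "financial_record", date(2015, 1, 1), "carol"),
    Record("R4", "corporate_ip", date(2010, 3, 3), "carol"),
    Record("R5", "general_email", date(2023, 1, 1), "dave"),
    Record("R6", "unclassified_export", date(2020, 1, 1), "erin"),
]
SAMPLE_HOLD = LegalHold("HOLD-2023-01", custodians={"dave"}, record_classes={"financial_record"})
TODAY = date(2024, 1, 1)

if __name__ == "__main__":
    for rid, decision in run_disposition(SAMPLE_RECORDS, [SAMPLE_HOLD], TODAY).items():
        print(rid, decision)
```

Two defaults carry the policy: a record whose class is not in the schedule never expires, and the hold is checked before expiry, so a late-classified record or one swept up by a discovery request is never disposed of by the schedule alone. The function only decides; the actual deletion step (and its audit record) belongs to the archive.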

Leverage best practices & standards
- Example 1: HIPAA Security Rule
- Example 2: Sarbanes-Oxley Act
- Example 3: DoD Standard

Example 1: HIPAA

Example 2: Sarbanes-Oxley Act
- "IT Control Objectives for Sarbanes-Oxley" (IT Governance Institute)
- The SEC refers to the COSO framework
- Auditors endorse IT control frameworks: COBIT, ISO/IEC 17799

Example 3: DoD STD, Records Management Applications (RMAs)
- RMAs shall enforce data integrity ...
- The RMA shall prevent unauthorized access to the repository.
- The RMA ... shall use identification and authentication ...
- If the RMA provides a web user interface, it shall provide 128-bit encryption
- RMAs shall delete electronic records ... in a manner such that the records cannot be ... reconstructed.
- The RMA ... shall provide an audit capability to log the actions, date, time, unique object identifier(s) and user ...
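The integrity and audit requirements quoted above (enforce data integrity; log the action, date, time, unique object identifier and user) can be met together by a keyed, chained audit log in which every entry commits to the one before it. This is an added example written for this page, not code from the presentation or from the DoD standard; the HMAC key, action names and sample entries are constructed.

```python
# Added illustrative example (not from the presentation or the DoD standard):
# a tamper-evident audit log carrying the fields the standard quoted above
# requires an RMA to log (action, date/time, unique object identifier, user).
# Entries are HMAC-chained so that altering or removing an earlier entry is
# detected on verification. Key, actions and sample entries are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain value before the first entry


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key            # held by the log service, never by RMA end users
        self.entries: List[Dict] = []
        self._prev = GENESIS

    def _mac(self, entry: Dict) -> str:
        # Canonical JSON of every field except the MAC itself.
        body = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, action: str, object_id: str, user: str,
               when: Optional[datetime] = None) -> Dict:
        """Record one action. Only metadata is logged, never record content,
        so logging a DESTROY action does not let the record be reconstructed."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "timestamp": when.isoformat(),
            "action": action,
            "object_id": object_id,
            "user": user,
            "prev": self._prev,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry

    def verify(self) -> Tuple[bool, int]:
        """(True, count) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry.get("seq") != i or entry.get("prev") != prev:
                return False, i
            if not hmac.compare_digest(entry.get("mac", ""), self._mac(entry)):
                return False, i
            prev = entry["mac"]
        return True, len(self.entries)


def build_sample_log() -> AuditLog:
    """Constructed sample: three actions on one record by two users."""
    log = AuditLog(b"constructed-demo-key-not-for-production")
    t = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log.append("CREATE", "rec-0001", "alice", t)
    log.append("VIEW", "rec-0001", "bob", t)
    log.append("DESTROY", "rec-0001", "alice", t)
    return log


def demo() -> Dict[str, Tuple[bool, int]]:
    """Verify an intact log, then a log with a rewritten entry and one with a deleted entry."""
    results = {"intact": build_sample_log().verify()}
    modified = build_sample_log()
    modified.entries[1]["user"] = "mallory"       # rewrite who viewed the record
    results["modified"] = modified.verify()
    deleted = build_sample_log()
    del deleted.entries[1]                        # remove the VIEW entry
    results["deleted"] = deleted.verify()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Verification walks the chain from the genesis value, so an edit to any field of an entry, or removal of an entry, fails at that index; the sequence number catches deletions that a hash of the entry alone would not. Because only metadata is stored, the log never holds the record content that a DESTROY action is required to make unrecoverable.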

Link compliance with ILM to minimize risks and costs
- Compliance initiatives can minimize risk by establishing policies and processes for responding to new regulations, and for anticipating future regulations and standards
- The best policy response is commonly to retain more data, for longer retention periods
- ILM processes and architecture can help reduce storage and management costs, making increased data retention feasible and affordable

TCO example for archiving (average costs per user per year, by policy choice)
Cost categories:
- Hard IT costs: storage hardware, archiving software, operations/IT staff, maintenance
- Soft costs: user productivity, operational costs
- Potential costs: litigation discovery, regulatory discovery, increased liability, potential penalties

Policy choice                              Hard   Soft   Potential   Total
Save nothing (delete at 30 days)             $3    $19         $80    $102
Save nearly everything (primary disk)      $204     $0          $6    $210
Save nearly everything intelligently        $40     $4          $9     $53

Conclusions
- Understand common compliance goals and technical capabilities
- Start with a business needs assessment: compliance, litigation and stakeholder requirements
- Use standards and best practices to guide policies, processes and architecture
- Define ILM policies and strategies to enable cost-effective implementation

Questions?
Ask the Expert resources: searchstorage.techtarget.com/ateQuestion/0,289624,sid5_tax295552,00.html