STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure Processes and Procedures Mike Casey Principal Analyst Contoural Inc.


1 STORAGE MANAGEMENT/ EXECUTIVE: Managing a Compliant Infrastructure Processes and Procedures Mike Casey Principal Analyst Contoural Inc.

2 Agenda
- Anticipate the impact of future compliance requirements
- Get agreement on policies and processes
- Leverage best practices and standards
- Link compliance with ILM to minimize risks and costs

3 Anticipate the impact of future compliance requirements
- Policy drivers: regulatory compliance, litigation readiness, stakeholder expectations
- Anticipate changes and new requirements by understanding these drivers
- Strategy: understand the common policy goals that drive regulatory activity, and the common technical capabilities that enable organizations to comply

4 Policy goals drive archiving goals
- Operational needs: end-user productivity, customer service levels, corporate IP protection
- Litigation readiness: liabilities and risks, discovery costs
- Regulatory compliance: laws, regulations, standards, guidelines
These policy goals determine the archiving goals: retention, security, efficiency.

5 Foundations of compliance & ILM
Records management (what to save): record definition, identification, classification, index & search
Archiving (how to save it):
- Storage management: media, migration, cost
- Retention: retrieval, disposition
- Security: integrity, confidentiality, accessibility

6 Archiving goals and capabilities
Capabilities fall into three classes (administrative, technical, physical), and each class serves each of the three goal areas, giving a 3x3 matrix: administrative, technical and physical retention; administrative, technical and physical security; administrative, technical and physical efficiency.
- Security goals: integrity, confidentiality (privacy), availability (transparency)
- Retention goals: scope (completeness), duration
- Efficiency goals: service levels, cost reduction

7 Example: technical security capabilities (HIPAA security rule)
45 CFR 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information; 164.312 Technical safeguards:
- (a) Access control. Implement technical policies and procedures... to allow access only to those persons or software programs ...
- (b) Audit controls. ...
- (d) Person or entity authentication. ...
- (e) Transmission security. ...
- (e)(2)(ii) Encryption ...

8 Get agreement on policies & processes
Compliance initiative process steps: 1 Assess, 2 Policy, 3 Architect, then Deploy and Manage. Deploy and Manage are ongoing operation; the cycle restarts in response to change.

9 Step one: Assessment
Assess regulatory compliance, litigation readiness and stakeholder expectations.

10 Regulatory compliance
Industries affected: financial services (securities, banking, insurance), health services (health insurance, health care), life sciences (medical devices, drugs)
- Europe: Data Protection Act (UK) and similar laws implementing EU Directives; GMP Directive (EU)
- United States: Sarbanes-Oxley Act; Gramm-Leach-Bliley Act; HIPAA; 21 CFR 11, GxP
- Global: Basel II; ISO 9000

11 Litigation readiness
Discovery depends on effective archiving. Typical sequence:
1. Discovery requested by one party
2. Court order issued
3. First internal awareness of the discovery request
4. Issue internal retention hold
5. Search / query the archive, databases and user directory
6. Result review
7. Deliver response to the court

12 Enterprise views toward e-mail and IM archiving (source: Osterman Research)
- Preserving all e-mail and IM content for long periods is least risky: 29%
- Deleting all e-mail and IM content on a regular basis is least risky: 21%
- Not sure: 42%
- Other: 8%

13 Stakeholder expectations
Perspectives: operational, application, legal, technology
Stakeholders: CEO, CFO, records manager, compliance officer, storage admin, system admin, CIO, end user, application admin, legal counsel

14 Step two: Policy development
Example: retention scope. Policy choices range from "save almost nothing" through "selective deletion" and "selective retention" to "save nearly everything"; each choice has impacts on regulatory compliance, litigation readiness and stakeholder expectations.

15 Step two: Policy development (2)
Example: retention periods. Policy choices range from one period for all records, through a few organization-based periods, to many content-based periods; again each choice has impacts on regulatory compliance, litigation readiness and stakeholder expectations.

16 Step three: Define architecture and processes
- Provide required and recommended capabilities for retention and security
- Use technology to enable cost-effective retention, storage and migration over the lifecycle
- Start with point solutions and information silos if needed, but move toward an integrated ILM architecture as technology evolves

17 Leverage best practices & standards
- Example 1: HIPAA Security Rule
- Example 2: Sarbanes-Oxley Act
- Example 3: DoD 5015.2 Standard

18 Example 1: HIPAA

19 Example 2: Sarbanes-Oxley Act
- IT Control Objectives for Sarbanes-Oxley, IT Governance Institute (www.itgi.org and www.isaca.org)
- The SEC refers to the COSO framework
- Auditors endorse IT control frameworks: COBIT, ISO/IEC 17799

20 Example 3: DoD 5015.2-STD (Records Management Applications)
- C2.2.3.23. RMAs shall enforce data integrity ...
- C2.2.5.2. The RMA shall prevent unauthorized access to the repository.
- C2.2.6.6.3. RMAs shall delete electronic records ... in a manner such that the records cannot be ... reconstructed.
- C2.2.7.1. The RMA ... shall use identification and authentication ...
- C2.2.7.4. If the RMA provides a web user interface, it shall provide 128-bit encryption
- C2.2.8.1. The RMA ... shall provide an audit capability to log the actions, date, time, unique object identifier(s) and user ...
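The audit requirement in C2.2.8.1 and the integrity requirement in C2.2.3.23 meet in the audit trail itself: an audit log that an administrator can quietly edit proves nothing in discovery. The following is an added example, not code from the presentation or from the DoD standard, showing one way to make the trail tamper-evident: each entry carries the fields the standard names (user, action, object identifier, date/time) and is chained to its predecessor with a SHA-256 hash. The hash-chain design, the AuditLog class, and the record identifiers, user names and timestamps in demo() are all assumptions constructed for the example; the standard specifies what to log, not how to protect the log.

```python
"""Tamper-evident audit trail for a records repository (added example).

Each entry records user, action, unique object identifier and timestamp, and
is chained to the previous entry with SHA-256, so editing or removing an
earlier entry is detected when the chain is verified. Hash chaining is an
assumed design choice, not something DoD 5015.2-STD prescribes.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry
FIELDS = ("user", "action", "object_id", "timestamp")


def _entry_hash(prev_hash, fields):
    # Canonical JSON so the same field values always hash the same way.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, user, action, object_id, when=None):
        """Append one entry and return its hash."""
        when = when or datetime.now(timezone.utc)
        fields = {
            "user": user,
            "action": action,
            "object_id": object_id,
            "timestamp": when.isoformat(),
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(fields, prev_hash=prev_hash, hash=_entry_hash(prev_hash, fields))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: entry[k] for k in FIELDS}
            if entry["prev_hash"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, fields):
                return False, i
            prev_hash = entry["hash"]
        return True, None

    def history(self, object_id):
        """Actions taken on one record, oldest first (what a discovery search needs)."""
        return [(e["timestamp"], e["user"], e["action"])
                for e in self.entries if e["object_id"] == object_id]


def demo():
    """Constructed scenario: three logged actions, then two kinds of tampering."""
    log = AuditLog()
    t0 = datetime(2006, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    log.record("jdoe", "CREATE", "rec-0001", t0)
    log.record("jdoe", "VIEW", "rec-0001", t0.replace(hour=10))
    log.record("admin", "DELETE", "rec-0001", t0.replace(hour=11))
    intact = log.verify()                      # (True, None)

    # Tampering 1: rewrite who performed the deletion; entry 2 no longer hashes.
    log.entries[2]["user"] = "jdoe"
    edited = log.verify()                      # (False, 2)
    log.entries[2]["user"] = "admin"           # restore

    # Tampering 2: drop the VIEW entry; the next entry's prev_hash no longer matches.
    removed = log.entries.pop(1)
    deleted = log.verify()                     # (False, 1)
    log.entries.insert(1, removed)
    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())
```

The chain only detects tampering; it does not prevent it. In practice the latest hash is periodically copied somewhere the repository administrator cannot write (a separate log host, a write-once medium, or a signed checkpoint), so that truncating the whole tail of the log is also detectable.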

21 Link compliance with ILM to minimize risks and costs
- Compliance initiatives can minimize risk by establishing policies and processes for responding to new regulations, and for anticipating future regulations and standards
- The best policy response is commonly to retain more data, for longer retention periods
- ILM processes and architecture can reduce storage and management costs, making increased data retention feasible and affordable

22 TCO example for e-mail archiving
Average costs per e-mail user per year, by policy choice:

Cost category     Save nothing (delete at 30 days)   Save nearly everything (primary disk)   Save nearly everything intelligently
Hard IT costs     $3                                 $204                                    $40
Soft costs        $19                                $0                                      $4
Potential costs   $80                                $6                                      $9
Total             $102                               $210                                    $53

Hard IT costs: storage hardware, archiving software, operations/IT staff, maintenance. Soft costs: user productivity, operational costs. Potential costs: litigation discovery, increased liability, regulatory discovery, potential penalties.

23 Conclusions
- Understand common compliance goals and technical capabilities
- Start with a business needs assessment: compliance, litigation and stakeholder requirements
- Use standards and best practices to guide policies, processes and architecture
- Define ILM policies and strategies to enable cost-effective implementation

24 Questions?
Resources: www.searchstorage.com, www.contoural.com, www.graycary.com, www.ostermanresearch.com
Ask the Expert: searchstorage.techtarget.com/ateQuestion/0,289624,sid5_tax295552,00.html

