STORAGE MANAGEMENT/EXECUTIVE:
Managing a Compliant Infrastructure
Processes and Procedures
Mike Casey, Principal Analyst, Contoural Inc.
Agenda
Anticipate the impact of future compliance requirements
Get agreement on policies & processes
Leverage best practices & standards
Link compliance with ILM to minimize risks & costs
Anticipate the impact of future compliance requirements
Policy drivers: regulatory compliance, litigation readiness, stakeholder expectations
Anticipate changes and new requirements, by understanding these drivers
Strategy: Understand the common policy goals that drive regulatory activity – and the common technical capabilities that enable organizations to comply
Policy goals drive archiving goals
Operational needs
• End-user productivity
• Customer service levels
• Corporate IP protection

Litigation readiness
• Liabilities and risks
• Discovery costs

Regulatory compliance
• Laws
• Regulations
• Standards
• Guidelines
Archiving goals
• Retention
• Security
• Efficiency
Foundations of compliance & ILM

Records management (what to save)
• Record definition: identification, classification, index & search
• Retention: retrieval, disposition

Archiving (how to save it)
• Storage management: media, migration, cost
• Security: integrity, confidentiality, accessibility
Archiving goals and capabilities

Each archiving goal (security, retention, efficiency) is met through three kinds of capability: administrative, technical and physical. The slide lays these out as a 3 × 3 matrix: administrative, technical and physical retention; administrative, technical and physical security; administrative, technical and physical efficiency.

Security goals
• Integrity
• Confidentiality (privacy)
• Availability (transparency)

Retention goals
• Scope (completeness)
• Duration

Efficiency goals
• Service levels
• Cost reduction
Example: Technical security capabilities

HIPAA security rule: 45 CFR 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information

164.312 Technical safeguards
• (a) Access control. Implement technical policies and procedures ... to allow access only to those persons or software programs …
• (b) Audit controls. …
• (d) Person or entity authentication. …
• (e) Transmission security. ...
• (e)(2)(ii) Encryption …

Security: technical capabilities
• Authentication
• Access controls
• Audit logs
• Backup & recovery
• Media controls
• Data permanence
• E-signatures
• Encryption
• Expungement
Get agreement on policies & processes

Compliance initiative: process steps
Response to change: (1) Assess → (2) Policy → (3) Architect
Ongoing operation: Deploy → Manage
Step one: Assessment
• Regulatory compliance
• Litigation readiness
• Stakeholder expectations
Regulatory compliance

Sectors covered: financial services (securities, banking, insurance), health services (health insurance, healthcare), life sciences (medical devices, drugs)

Europe:
• Data Protection Act (UK) and similar laws implementing EU Directives
• GMP Directive (EU)

United States:
• Sarbanes-Oxley Act (securities)
• Gramm-Leach-Bliley Act (banking, insurance)
• HIPAA (health insurance, healthcare)
• 21 CFR 11, GxP (medical devices, drugs)

Global:
• Basel II (banking)
• ISO 9000
Litigation readiness

Discovery requested by one party → Court order issued → First internal awareness → Issue internal retention hold → Search, query (archive DB, user directory) → Result review → Deliver response to the court

Discovery depends on effective archiving
Enterprise views toward e-mail and IM archiving (Source: Osterman Research)
• Preserving all e-mail and IM content for long periods is least risky: 29%
• Deleting all e-mail and IM content on a regular basis is least risky: 21%
• Not sure: 42%
• Other: 8%
Stakeholder expectations

Perspectives: operational, application, legal, technology

Stakeholders: CEO, CFO, CIO, records manager, compliance officer, legal counsel, storage admin, system admin, application admin, end user
Step two: Policy development

Example – Retention scope
Policy choice (spectrum): Save almost nothing → Selective deletion → Selective retention → Save nearly everything
Impacts on the choice: regulatory compliance, litigation readiness, stakeholder expectations
Step two: Policy development (2)

Example – Retention periods
Policy choice (spectrum): Many, content-based → Few, organization-based → One for all
Impacts on the choice: regulatory compliance, litigation readiness, stakeholder expectations
Step three: Define architecture and processes
• Provide required and recommended capabilities for retention and security
• Use technology to enable cost-effective retention, storage and migration over the lifecycle
• Start with point solutions and information silos if needed, but move toward an integrated ILM architecture as technology evolves
Leverage best practices & standards
Example 1: HIPAA Security Rule
Example 2: Sarbanes-Oxley Act
Example 3: DoD 5015.2 Standard
Example 1: HIPAA
Example 2: Sarbanes-Oxley Act
• IT Control Objectives for Sarbanes-Oxley, IT Governance Institute (www.itgi.org and www.isaca.org)
• The SEC refers to the COSO framework
• Auditors endorse IT control frameworks: COBIT, ISO/IEC 17799 (since renumbered ISO/IEC 27002)
Example 3: DoD 5015.2-STD (Records Management Applications, RMAs)

Security technical capabilities addressed: authentication, access controls, audit logs, backup & recovery, media controls, data permanence, e-signatures, encryption, expungement

• C2.2.3.23. RMAs shall enforce data integrity …
• C2.2.5.2. The RMA shall prevent unauthorized access to the repository.
• C2.2.7.1. The RMA … shall use identification and authentication …
• C2.2.7.4. If the RMA provides a web user interface, it shall provide 128-bit encryption.
• C2.2.6.6.3. RMAs shall delete electronic records … in a manner such that the records cannot be … reconstructed.
• C2.2.8.1. The RMA … shall provide an audit capability to log the actions, date, time, unique object identifier(s) and user …
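The requirements quoted above (data integrity, audit logging, expungement) and the litigation-readiness flow from the earlier slide (retention hold, search, review, disposition) fit together in a single small piece of code. The following is an added example written for this page; it is not code from the presentation or from any RMA product, and the record IDs, sample messages, audit field names and retention periods are constructed for illustration.

```python
"""Toy records-management archive tying together the capabilities on the DoD 5015.2
slide (integrity, audit logging, expungement) with the litigation-readiness flow
(retention hold, search, review, disposition). Added example, not from the
presentation or any RMA product; IDs, messages and retention periods are constructed."""
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Record:
    record_id: str
    content: bytearray          # mutable so expungement can overwrite it in place
    sha256: str                 # digest taken at ingest: the integrity baseline
    retention_until: datetime
    on_hold: bool = False
    disposed: bool = False


class Archive:
    def __init__(self, clock):
        self._records: dict[str, Record] = {}
        self.audit: list[dict] = []   # C2.2.8.1-style log: action, time, object id, user
        self._clock = clock           # callable returning a timezone-aware datetime

    def _log(self, user: str, action: str, record_id: str, detail: str = "") -> None:
        self.audit.append({"time": self._clock().isoformat(), "user": user,
                           "action": action, "record_id": record_id, "detail": detail})

    def ingest(self, user: str, record_id: str, content: bytes, retention: timedelta) -> Record:
        if record_id in self._records:
            raise ValueError(f"duplicate record id {record_id!r}")
        rec = Record(record_id, bytearray(content), hashlib.sha256(content).hexdigest(),
                     self._clock() + retention)
        self._records[record_id] = rec
        self._log(user, "ingest", record_id, f"sha256={rec.sha256}")
        return rec

    def verify(self, record_id: str) -> bool:
        # C2.2.3.23 data integrity: recompute the digest and compare with the baseline.
        rec = self._records[record_id]
        return not rec.disposed and hashlib.sha256(rec.content).hexdigest() == rec.sha256

    def set_hold(self, user: str, record_id: str, held: bool) -> None:
        # Retention (legal) hold: while held, a record is exempt from disposition.
        self._records[record_id].on_hold = held
        self._log(user, "hold_placed" if held else "hold_released", record_id)

    def search(self, user: str, term: bytes) -> list[str]:
        # Discovery search over live (non-disposed) content; the query itself is audited.
        hits = sorted(r.record_id for r in self._records.values()
                      if not r.disposed and term in r.content)
        self._log(user, "search", "*", f"term={term!r} hits={len(hits)}")
        return hits

    def dispose_expired(self, user: str) -> list[str]:
        # Disposition run: expunge records past retention, but never while a hold is active.
        now, disposed = self._clock(), []
        for rec in self._records.values():
            if rec.disposed or rec.retention_until > now:
                continue
            if rec.on_hold:
                self._log(user, "dispose_skipped_hold", rec.record_id)
                continue
            self._expunge(rec)
            self._log(user, "dispose", rec.record_id)
            disposed.append(rec.record_id)
        return disposed

    @staticmethod
    def _expunge(rec: Record) -> None:
        # C2.2.6.6.3: overwrite the buffer before dropping it so this process keeps no
        # recoverable copy. Sanitising the underlying media is a separate storage-level control.
        rec.content[:] = os.urandom(len(rec.content))
        rec.content, rec.disposed = bytearray(), True


def demo() -> dict:
    """Ingest three constructed messages, hold one under discovery, run disposition."""
    now = [datetime(2005, 1, 1, tzinfo=timezone.utc)]      # mutable so the demo can advance time
    archive = Archive(lambda: now[0])
    archive.ingest("mailer", "msg-001", b"Re: Q3 forecast attached", timedelta(days=365))
    archive.ingest("mailer", "msg-002", b"Signed contract with Acme attached", timedelta(days=7 * 365))
    archive.ingest("mailer", "msg-003", b"Lunch on Friday?", timedelta(days=365))
    hits = archive.search("counsel", b"forecast")           # discovery request arrives
    for rid in hits:
        archive.set_hold("counsel", rid, True)              # internal retention hold
    now[0] += timedelta(days=400)                           # one-year records have expired
    first_pass = archive.dispose_expired("retention-job")   # msg-003 goes; msg-001 is held
    archive.set_hold("counsel", "msg-001", False)
    second_pass = archive.dispose_expired("retention-job")  # msg-001 now disposed
    return {"hits": hits, "first_pass": first_pass, "second_pass": second_pass,
            "msg_002_intact": archive.verify("msg-002"),
            "actions": [entry["action"] for entry in archive.audit]}


if __name__ == "__main__":
    print(demo())
```

The point the slides make in prose is visible in the audit trail: the first disposition run logs `dispose_skipped_hold` for the held message instead of deleting it, and only after counsel releases the hold does the next run dispose of it. The digest stored at ingest is what lets a later reviewer show that the retained contract was not altered; the overwrite-before-release in `_expunge` is the in-process half of "cannot be reconstructed", with media sanitisation left to the storage layer.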
Link compliance with ILM to minimize risks and costs
• Compliance initiatives can minimize risk by establishing policies and processes for response to new regulations, and for anticipating future regulations and standards
• The best policy response is commonly to retain more data, for longer retention periods
• ILM processes and architecture can help reduce storage and management costs, making increased data retention feasible and affordable
TCO example for e-mail archiving

Cost categories
• Hard IT costs: storage hardware, archiving software, operations/IT staff, maintenance
• Soft costs: user productivity, operational costs
• Potential costs: litigation discovery, increased liability, regulatory discovery, potential penalties

Average costs per e-mail user per year, by policy choice

Policy choice                               Hard    Soft   Potential   Total
Save nothing (delete at 30 days)              $3     $19         $80    $102
Save nearly everything (primary disk)       $204      $0          $6    $210
Save nearly everything intelligently         $40      $4          $9     $53
Conclusions
• Understand common compliance goals and technical capabilities
• Start with a business needs assessment: compliance, litigation and stakeholder requirements
• Use standards and best practices to guide policies, processes and architecture
• Define ILM policies and strategies to enable cost-effective implementation
Questions?

Ask the Expert: searchstorage.techtarget.com/ateQuestion/0,289624,sid5_tax295552,00.html

Resources
• www.searchstorage.com
• www.contoural.com
• www.graycary.com
• www.ostermanresearch.com