Paradox of Data Storage
The Data You Store Can Be Used Against You In A Court of Law
By: Tim Kormos, Product Manager, LXI Corp.
© Copyright 2004 LXI Corp.
The Life Blood of Business
IT provides the infrastructure that enables business:
• Hardware
• Network
• Software
• Procedures
• Controls
IT's Job to Protect Data
Latest and greatest technologies:
• SAN, NAS
• High availability software and hardware
• Disaster recovery plans
• Business continuity plans
IT's Responsibility
• IT manages the infrastructure that supports the business
• Businesses depend on the accuracy and availability of their data
• Data is one of a company's most important assets and should have policies and controls appropriate to its value
Backup Strategy
• Backups provide point-in-time recovery of critical data
• Backups are used to recover data that has been lost or damaged
• Backups make up the largest percentage of planned outages
• Backups determine the success or failure of disaster recovery plans
Record Retention Strategy
The practice of storing documents so that they can be quickly recovered while maintaining the accuracy and integrity of the original document
• Applies to electronic documents: email, word processing documents, spreadsheets, instant messages with customers, …
• Records should be kept for the required time, then destroyed
Record Retention Gone Bad
• Fortune 500 company sued for wrongful termination
• No record retention policy regarding email
• Court ordered the company to search all 20,000 backup tapes, at an estimated cost of $1,000 per tape
The Paradox
Backups
• The more backups available, the more confidence that recovery is assured
• More is better
Record retention (archiving)
• Store data only for as long as it absolutely has to be kept, then destroy it
• Less is better
Conflicting Goals
Backup policies
• Ensure all data can be recovered in the event of an outage, regardless of the type of data
• A limited number of people have access to the data
Record retention policies
• Ensure that data is kept available for restoration only as long as required by regulation
• Numerous people have access to the data
Arguments that Don't Work
• Crown Life Insurance Company: "Backups don't count"
• Wyeth Corp.: "The cost to recover would be greater than the settlement"
• Prudential Insurance: ordered to pay a $1 million penalty for a "haphazard" data retention policy
• Sprint Communications: inappropriate use of a data retention policy to avoid pending legal actions
Litigation
Reasons for the increased use of stored data in litigation:
• Attorneys are more aware of its value
• Courts recognize its importance
• The sheer volume: all of it is potential evidence
Regulatory Intervention
Other ways your data storage is affected
New Corporate Governance: Federal Regulations
• Sarbanes-Oxley Act of 2002
• HIPAA: Health Insurance Portability and Accountability Act of 1996
• Gramm-Leach-Bliley Act
• IRS Revenue Rulings and Procedures
Sarbanes-Oxley Act of 2002
• Changes securities regulations, corporate governance, and auditor regulations
• Response to Enron, WorldCom, …
• Introduces accountability for fraudulent accounting practices
HIPAA
Health Insurance Portability and Accountability Act of 1996
• Limits the use and disclosure of individually identifiable health care information
• Requires health care entities to establish administrative, physical and technical safeguards
Gramm-Leach-Bliley Act
• Requires financial institutions to take steps to ensure the security and confidentiality of customers' non-public personal information
• Privacy notice must be "clear and conspicuous"
• Must provide an opt-out process
IRS Rev. Proc. 98-25
• Computer records must be retained in a retrievable format and made available to the IRS when requested, along with documentation and audit trails that provide evidence of authenticity and integrity
• Covers conversion of old formats to current ones, accessibility by IRS representatives, sequential files and relational database systems, and the detailed transactions involved in EDI commerce
IRS Rev. Proc. 91-59
• Records must be maintained and available regardless of the existence of the original software or hardware, and no exceptions are made for deteriorated media
Federal Rules of Civil Procedure
Title V: Depositions and Discovery
• Rule 26: quick identification and production of requested information
• Rule 34: sets the rules for requesting data under Rule 26
• Firmly establishes how electronic evidence is to be handled in lawsuits
Sobering Consequences
Sarbanes-Oxley Act
• Holds the CEO and CFO personally liable for the accuracy of SEC filings, punishable by fines of up to $1 million and 10 years' imprisonment
IRS
• Individuals willfully failing to supply information may be fined up to $25,000
• Companies can be fined in excess of $100,000 for failure to comply
Courts
• Courts hand down million-dollar penalties for "haphazard" data retention policies
The Challenge
How can administrators ensure that both backup and record retention policies, procedures and controls are:
• implemented
• sensible
• working
Key Ingredients
• Information Security
• Information Management
• Media Management
• Data Integrity
Information Security
Establish procedures and controls that protect:
• Confidentiality: who can see the data
• Integrity: how data is changed
• Availability: how data is accessed
Information Management
Ensure all stored electronic records are:
• True: created from valid processes
• Complete: all data is captured
• Authentic: unchanged
• Accessible: easily retrieved
Media Management
Implement protections that reasonably guard against:
• Loss: disaster, overwritten tapes
• Alteration: deleting or changing any part of a record or document
• Destruction: intentional or accidental
Data Integrity
Set up processes, procedures and technologies that ensure:
• Easy identification (indexing)
• Quick location
• Simplified recall
• Accurate restore
for individual files and for entire systems
Addressing the Paradox
• Identify a compliance officer
• Conduct an internal assessment
• Perform a gap analysis
• Establish corporate policies relative to internal and external requirements
• Build processes with controls
• Implement technologies that enable the policies
• Educate everyone
A Word about Controls
• Employees execute controls
• Management designs controls
• Auditors examine controls
• Regulators legislate controls
Controls
A logical point in a process or workflow that documents the success or failure of the preceding steps
Examples:
• Invoice
• Shipping manifest
• Order pick list
• Change request
Control Example
Each workflow step, followed by its control point:
• Backup occurs: report of completed and failed backups
• Packing list: compare the list to the actual results
• Tapes put into container, container picked up: signed document at pick-up
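The tape-handling workflow above expressed as code, an added example that is not part of the LXI presentation: control point 1 parses a backup job log and reports completed and failed jobs, control point 2 compares the resulting packing list with the tapes actually scanned into the container, and control point 3 records the courier's signature at pick-up. The log line format, job names, tape labels and the scanned list are constructed assumptions for this example.

```python
"""Added example (not from the LXI presentation): the tape-handling workflow with
its three control points. The log format, job names, tape labels and the scanned
tape list are constructed assumptions for this example."""
import re
from dataclasses import dataclass

# Constructed backup-job log, one line per job, in an assumed format.
BACKUP_LOG = """\
2004-03-01 22:00:05 JOB=ORDERS  TAPE=T0417 STATUS=COMPLETED
2004-03-01 22:41:12 JOB=PAYROLL TAPE=T0418 STATUS=COMPLETED
2004-03-01 23:05:30 JOB=EMAIL   TAPE=T0419 STATUS=FAILED reason=media error
2004-03-01 23:50:01 JOB=GL      TAPE=T0420 STATUS=COMPLETED
"""

LINE_RE = re.compile(r"JOB=(\S+)\s+TAPE=(\S+)\s+STATUS=(COMPLETED|FAILED)")


@dataclass
class BackupReport:
    completed: dict  # job name -> tape label
    failed: dict     # job name -> tape label


def control_point_1(log_text: str) -> BackupReport:
    """Control point 1: report completed and failed backups from the job log."""
    completed, failed = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a job record; a real control would log it as an exception
        job, tape, status = m.groups()
        (completed if status == "COMPLETED" else failed)[job] = tape
    return BackupReport(completed, failed)


def packing_list(report: BackupReport) -> list:
    """Only tapes holding a completed backup belong in the off-site container."""
    return sorted(report.completed.values())


def control_point_2(expected: list, scanned: list):
    """Control point 2: compare the packing list with the tapes actually scanned
    into the container. Returns (missing, unexpected); either non-empty is a failure."""
    missing = sorted(set(expected) - set(scanned))
    unexpected = sorted(set(scanned) - set(expected))
    return missing, unexpected


def control_point_3(scanned: list, signature: str):
    """Control point 3: the courier signs for the container at pick-up.
    Returns the signed receipt, or None if nobody signed."""
    if not signature:
        return None
    return {"tapes": sorted(scanned), "signed_by": signature}


def run_workflow(log_text: str, scanned: list, signature: str) -> dict:
    """Run the three control points and say whether the whole workflow passed."""
    report = control_point_1(log_text)
    expected = packing_list(report)
    missing, unexpected = control_point_2(expected, scanned)
    receipt = control_point_3(scanned, signature)
    return {
        "failed_jobs": sorted(report.failed),
        "packing_list": expected,
        "missing": missing,
        "unexpected": unexpected,
        "receipt": receipt,
        "passed": (not report.failed and not missing
                   and not unexpected and receipt is not None),
    }


if __name__ == "__main__":
    # Constructed scan: the failed EMAIL tape T0419 was boxed by mistake and
    # the GL tape T0420 was left behind; both show up as control exceptions.
    for key, value in run_workflow(BACKUP_LOG, ["T0417", "T0418", "T0419"],
                                   "J. Courier").items():
        print(f"{key}: {value}")
```

Each control point returns evidence (the report, the discrepancy lists, the signed receipt) rather than just a pass/fail flag, because the document produced at the control point is what an auditor or a court later asks for.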
Record Retention vs. Backup
• Data stored for regulatory compliance should be stored separately from general backups
• Backups should not be used for regulatory compliance
• Reduce the time backups are kept
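The retention rules from the Record Retention Strategy slide (keep for the required time, then destroy), the Information Management slide (authentic: unchanged) and the Record Retention vs. Backup slide above, combined into one added example that is not part of the LXI presentation: a retention manifest that hashes each record at archive time so later alteration is detectable, computes the destroy date from a retention schedule, and suspends destruction for records under a legal hold, the point of the Sprint Communications case. The retention periods, record classes and sample records are constructed assumptions, not legal guidance.

```python
"""Added example (not from the LXI presentation): a record-retention manifest that
stores a hash of each archived record (authentic = unchanged), computes the destroy
date from an assumed retention schedule, and refuses to destroy anything under a
legal hold. Retention periods, record classes and the sample records are constructed."""
import hashlib
from datetime import date

# Assumed retention schedule, in years per record class (illustrative only).
RETENTION_YEARS = {"email": 3, "tax": 7, "contract": 10}

# Constructed sample records: (id, class, creation date, content).
SAMPLE_RECORDS = [
    ("MSG-1000", "email", date(2000, 5, 1), b"Re: Q2 forecast"),
    ("MSG-1001", "email", date(2000, 6, 1), b"Re: J. Doe performance review"),
    ("TAX-1996", "tax", date(1996, 4, 15), b"Form 1120, tax year 1996"),
    ("CTR-0042", "contract", date(1998, 1, 10), b"Master services agreement"),
]


def fingerprint(content: bytes) -> str:
    """SHA-256 of the record, taken at archive time so later alteration is detectable."""
    return hashlib.sha256(content).hexdigest()


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def archive(record_id: str, record_class: str, created: date, content: bytes) -> dict:
    """Manifest entry for one record: its hash and the date it may first be destroyed."""
    return {
        "id": record_id,
        "class": record_class,
        "created": created,
        "destroy_on": add_years(created, RETENTION_YEARS[record_class]),
        "sha256": fingerprint(content),
        "hold": False,
    }


def verify(entry: dict, content: bytes) -> bool:
    """Authentic means unchanged: the stored hash must match what is being restored."""
    return entry["sha256"] == fingerprint(content)


def place_legal_hold(manifest: list, record_ids) -> None:
    """A pending legal action suspends the schedule: the retention policy must never
    become the excuse for destroying evidence (the Sprint lesson above)."""
    for entry in manifest:
        if entry["id"] in record_ids:
            entry["hold"] = True


def disposition(manifest: list, today: date):
    """Split the manifest into records that may be destroyed today and records to keep."""
    destroy = sorted(e["id"] for e in manifest
                     if e["destroy_on"] <= today and not e["hold"])
    keep = sorted(e["id"] for e in manifest if e["id"] not in destroy)
    return destroy, keep


def build_sample_manifest() -> list:
    """Archive the constructed sample records."""
    return [archive(*record) for record in SAMPLE_RECORDS]


if __name__ == "__main__":
    manifest = build_sample_manifest()
    # A wrongful-termination suit is pending, so the related email is held.
    place_legal_hold(manifest, {"MSG-1001"})
    destroy, keep = disposition(manifest, date(2004, 6, 1))
    print("destroy today:", destroy)  # MSG-1000 and TAX-1996 are past their dates
    print("keep:", keep)              # MSG-1001 is held, CTR-0042 not yet due
```

The manifest, not the backup tape, is what answers a discovery request: it says what exists, proves it has not been altered, and shows that anything destroyed was destroyed on schedule and not while a hold was in force.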
Benefits of Compliance
Justification for new technologies:
• Centralization
• Simplification
• Standardization
A vision of technology that:
• Improves the bottom line
• Reduces risk
• Eliminates waste
Resources
Industry trade organizations:
• Storage Networking Industry Association: www.snia.org
• www.soxtoolkit.com
• www.cio.com/newrules
• www.hipaadvisory.com
• www.irch.com
• www.findlaw.com