Paradox of Data Storage

Posted 08-Jan-2016

Description: PowerPoint presentation by Tim Kormos, Product Manager, LXI Corp. (© 2004 LXI Corp.). The data you store can be used against you in a court of law: IT provides the hardware, network, software, procedures and controls that enable business, and it is IT's job to protect the data.

TRANSCRIPT

Paradox of Data Storage

The Data You Store Can Be Used Against You in a Court of Law

By: Tim Kormos, Product Manager, LXI Corp.

© Copyright 2004 LXI Corp.

The Lifeblood of Business

IT provides the infrastructure that enables business:
• Hardware
• Network
• Software
• Procedures
• Controls

IT's Job to Protect Data

The latest and greatest technologies:
• SAN, NAS
• High-availability software and hardware
• Disaster recovery plans
• Business continuity plans

IT's Responsibility

• IT manages the infrastructure that supports the business
• Businesses depend on the accuracy and availability of their data
• Data is one of a company's most important assets and should have policies and controls appropriate to its value

Backup Strategy

• Backups provide point-in-time recovery of critical data
• Backups are used to recover data that has been lost or damaged
• Backup windows make up the largest share of planned outages
• Backups determine the success or failure of disaster recovery plans

Record Retention Strategy

• The practice of storing documents so that they can be quickly recovered while maintaining the accuracy and integrity of the original document
• Applies to electronic documents: email, word-processing documents, spreadsheets, instant messages with customers, ...
• Records should be kept for the required time, then destroyed

Record Retention Gone Bad

• Fortune 500 company sued for wrongful termination
• No record retention policy regarding email
• Court ordered the company to search all 20,000 backup tapes, at an estimated cost of $1,000 per tape

The Paradox

Backups:
• The more backups available, the more confidence that recovery is assured
• More is better

Record retention (archiving):
• Store data only for as long as it absolutely has to be kept, then destroy it
• Less is better

Conflicting Goals

Backup policies:
• Ensure all data is recovered in the event of an outage, regardless of the type of data
• A limited number of people have access to the data

Record retention policies:
• Ensure that data is kept available for restoration only for as long as required by regulation
• Numerous people have access to the data

Arguments That Don't Work

• Crown Life Insurance Company: "backups don't count"
• Wyeth Corp.: the cost to recover would be greater than the settlement
• Prudential Insurance: ordered to pay a $1 million penalty for a "haphazard" data retention policy
• Sprint Communications: inappropriate use of a data retention policy to avoid pending legal actions

Litigation

Reasons for the increased use of stored data in litigation:
• Attorneys are more aware of its value
• Courts recognize its importance
• The sheer volume: all of it is potential evidence

Regulatory Intervention

Other ways your data storage is affected

New Corporate Governance: Federal Regulations

• Sarbanes-Oxley Act of 2002
• HIPAA: Health Insurance Portability and Accountability Act of 1996
• Gramm-Leach-Bliley Act
• IRS Revenue Rulings and Procedures

Sarbanes-Oxley Act of 2002

• Changes securities regulations, corporate governance and auditor regulations
• Response to Enron, WorldCom, ...
• Introduces accountability for fraudulent accounting practices

HIPAA: Health Insurance Portability and Accountability Act of 1996

• Limits the use and disclosure of individually identifiable health care information
• Requires health care entities to establish administrative, physical and technical safeguards

Gramm-Leach-Bliley Act

• Requires financial institutions to take steps to ensure the security and confidentiality of customers' non-public personal information
• Privacy notice must be "clear and conspicuous"
• Must provide an opt-out process

IRS Rev. Proc. 98-25

Computer records must be retained in a retrievable format and made available to the IRS when requested, along with documentation and audit trails that provide evidence of authenticity and integrity. Among other things, this means:
• Records in old formats must be converted to current ones
• Records must be accessible to IRS representatives
• Relational database systems must be able to produce sequential-file versions of the records
• Detailed transactions involved in EDI commerce must be retained

IRS Rev. Proc. 91-59

Records must be maintained and remain available regardless of the existence of the original software or hardware, and no exceptions are made for deteriorated media.

Federal Rules of Civil Procedure

Title V, Disclosures and Discovery:
• Rule 26: quick identification and reproduction of requested information
• Rule 34: sets the rules for requesting data under Rule 26
• Firmly establishes how electronic evidence is to be handled in lawsuits

(After this 2004 presentation, the 2006 amendments to these rules made "electronically stored information" an explicit category of discoverable material, so the obligations described here only became more specific.)

Sobering Consequences

Sarbanes-Oxley Act:
• Holds the CEO and CFO personally liable for the accuracy of SEC filings; knowingly certifying an inaccurate filing is punishable by fines of up to $1 million and 10 years' imprisonment

IRS:
• Individuals willfully failing to supply information may be fined up to $25,000
• Companies can be fined in excess of $100,000 for failure to comply

Courts:
• Hand down million-dollar penalties for "haphazard" data retention policies

The Challenge

How can administrators ensure that both backup and record retention policies, procedures and controls are:
• implemented
• sensible
• working

Key Ingredients

• Information security
• Information management
• Media management
• Data integrity

Information Security

Establish procedures and controls that protect:
• Confidentiality: who can see the data
• Integrity: how, and by whom, the data can be changed
• Availability: how the data is accessed, and that it is accessible when needed

Information Management

Ensure all stored electronic records are:
• True: created from valid processes
• Complete: all data is captured
• Authentic: unchanged
• Accessible: easily retrieved

Media Management

Implement protections that reasonably guard against:
• Loss: disaster, overwritten tapes
• Alteration: deleting or changing any part of a record or document
• Destruction: intentional or accidental

Data Integrity

Set up processes, procedures and technologies that ensure:
• Easy identification (indexing)
• Quick location
• Simplified recall
• Accurate restore

For individual files and for entire systems.

Addressing the Paradox

• Identify a compliance officer
• Conduct an internal assessment
• Perform a gap analysis
• Establish corporate policies relative to internal and external requirements
• Build processes with controls
• Implement technologies that enable the policies
• Educate everyone

A Word about Controls

• Employees execute controls
• Management designs controls
• Auditors examine controls
• Regulators legislate controls

Controls

A control is a logical point in a process or workflow that documents the success or failure of the preceding steps.

Examples:
• Invoice
• Shipping manifest
• Order pick list
• Change request

Control Example

An offsite tape rotation, with a control point after each step:

1. Backup occurs
   Control point: report of completed and failed backups
2. Packing list is produced
   Control point: the list is compared to the actual tapes and backup results
3. Tapes are put into the container
4. Container is picked up
   Control point: signed document at pick-up

© Copyright 2004 LXI Corp.
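The three control points above are exactly the kind of check that should be automated rather than eyeballed. The following is an added example, not code from the presentation or from LXI Corp.: it reconciles a backup job report against the packing list and the courier's signed receipt, and refuses to pass the rotation if any job failed, if a completed tape never made the list, if a listed tape has no successful backup behind it, or if a listed tape was not signed for. The log line format, tape identifiers, container ID and receipt structure are constructed for illustration and are assumptions, not any real backup product's output.

```python
"""Control-point reconciliation for an offsite tape rotation.

Added example; the report format, tape IDs and receipt layout below are
constructed for illustration (assumptions, not a real product's output).
"""
import re
from dataclasses import dataclass

# Constructed sample: one line per backup job, as a scheduler might log it.
BACKUP_REPORT = """\
2004-03-15 02:10:44 JOB=FULL-FIN01 TAPE=T000121 STATUS=COMPLETED
2004-03-15 02:35:02 JOB=FULL-HR01 TAPE=T000122 STATUS=COMPLETED
2004-03-15 03:01:19 JOB=FULL-MAIL01 TAPE=T000123 STATUS=FAILED ERR=media_write_error
2004-03-15 03:40:57 JOB=FULL-ERP01 TAPE=T000124 STATUS=COMPLETED
"""

# Constructed packing list: the tapes the operator says went into the container.
# T000125 is a typo or a stray tape: no job wrote it.
PACKING_LIST = ["T000121", "T000122", "T000124", "T000125"]

# Constructed pickup receipt: what the courier actually signed for.
PICKUP_RECEIPT = {
    "container": "C-0419",
    "tapes": ["T000121", "T000122", "T000124"],
    "signed_by": "courier:jdoe",
}

LINE_RE = re.compile(r"JOB=(?P<job>\S+)\s+TAPE=(?P<tape>\S+)\s+STATUS=(?P<status>\S+)")


@dataclass
class Findings:
    completed: dict       # tape ID -> job that wrote it successfully
    failed: dict          # job -> tape ID, for jobs that did not complete
    not_on_list: list     # completed tapes missing from the packing list
    unexpected: list      # listed tapes with no completed job behind them
    not_picked_up: list   # listed tapes absent from the signed receipt
    unsigned: bool        # receipt carries no signature


def parse_report(text):
    """Control point 1: split the job report into completed and failed jobs."""
    completed, failed = {}, {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # tolerate unrelated log lines
        if m["status"] == "COMPLETED":
            completed[m["tape"]] = m["job"]
        else:
            failed[m["job"]] = m["tape"]
    return completed, failed


def reconcile(report_text, packing_list, receipt):
    """Control points 2 and 3: compare the list to the results and the receipt."""
    completed, failed = parse_report(report_text)
    listed = set(packing_list)
    good = set(completed)
    picked = set(receipt.get("tapes", []))
    return Findings(
        completed=completed,
        failed=failed,
        not_on_list=sorted(good - listed),
        unexpected=sorted(listed - good),
        not_picked_up=sorted(listed - picked),
        unsigned=not receipt.get("signed_by"),
    )


def passes(f):
    """The rotation is only clean when every control point is clean."""
    return not (f.failed or f.not_on_list or f.unexpected
                or f.not_picked_up or f.unsigned)


if __name__ == "__main__":
    f = reconcile(BACKUP_REPORT, PACKING_LIST, PICKUP_RECEIPT)
    print("failed jobs:      ", f.failed)
    print("not on list:      ", f.not_on_list)
    print("unexpected tapes: ", f.unexpected)
    print("not picked up:    ", f.not_picked_up)
    print("receipt unsigned: ", f.unsigned)
    print("rotation passes:  ", passes(f))
```

The point of keeping the three checks separate is that each one catches a different failure: a failed job means there is nothing to restore from, a tape on the list with no job behind it means the list was not generated from the report, and a listed tape the courier did not sign for is the one you will be unable to produce when a court or auditor asks for it.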

Record Retention vs. Backup

• Data stored for regulatory compliance should be stored separately from general backups
• Backups should not be used for regulatory compliance
• Reduce the time backups are kept

Benefits of Compliance

Justification for new technologies:
• Centralization
• Simplification
• Standardization

A vision of technology that:
• Improves the bottom line
• Reduces risk
• Eliminates waste

Resources

Industry trade organizations:
• Storage Networking Industry Association, www.snia.org

Other:
• www.soxtoolkit.com
• www.cio.com/newrules
• www.hipaadvisory.com
• www.irch.com
• www.findlaw.com

Questions

Contact information: Tkormos@lxicorp.com, 214.260.9005
