New Storage Options for the Small and Medium Business

Legislation: Y2K Once More

If Y2K was considered a potential disaster to some and an opportunity for the rest, the same can be said of the wave of new rules and regulations that include:

  • Health Insurance Portability and Accountability Act (known as HIPAA)
  • The Sarbanes-Oxley Act of 2002 (often abbreviated as SOX)
  • SEC Rules 17a-3 & 17a-4

While the first is aimed at ensuring the portability of health insurance and preserving and protecting the privacy of patient records, the latter two are a direct response to the accounting scandals of firms like Enron, WorldCom, Tyco, and Global Crossing and to the security concerns raised by 9/11.

The Sarbanes-Oxley Act is primarily concerned with accountability and traceability. Corporate officers are required to certify the accuracy of financial statements. Sarbanes-Oxley also mandates the creation of new internal controls for financial reporting. These requirements are far-reaching and certain deadlines have been extended as firms struggle to prepare for eventual compliance (see Table 1). Interpretation is ongoing to establish auditing and reporting standards. The problem is that there are as many interpretations of Sarbanes-Oxley as there are solution providers. Although the language of the legislation states that management must formally document and evaluate the effectiveness of their internal controls, some are interpreting this to mean that all supporting data must be validated electronically (to remove human error). It must be emphasized that physical processes are the issue and expensive, so-called “compliance-in-a-box” solutions (see sidebar) are not mandated.

The new SEC rules are more straightforward and apply to brokerage firms, which must establish written and enforceable data retention policies. The data must be easy to retrieve and stored on non-rewriteable (tamper-proof) media. At first this rule specified optical WORM (Write Once, Read Many) drive technology, but now allows for any solution that fits the requirements. Manufacturers are ready to provide such alternatives as WORM tape drives, DVD, and hard drives. The key requirement of 17a-4 is that the data must be indexed so it can be searched and relevant records retrieved. Long periods of legal discovery will become a thing of the past as archives are quickly searched and pertinent records obtained without personnel having to wade through mountains of raw data.

Table 1: Key Rules and Regulations (columns: Title (Business); Summary; Retention (years); Notes/Status)

HIPAA (Healthcare)
  Summary: Mandates security and privacy of electronic medical-related data, with regard to its use, storage, and exchange.
  Retention (years): 6+
  Notes/Status: The final security rule of HIPAA took effect April 21, 2003, but compliance is not required until April 21, 2005.

Sarbanes-Oxley (Public and some private companies)
  Summary:
    • Expands record-keeping requirements.
    • Companies must define, document, and externally audit all “internal controls,” the systems for storing and accessing relevant data for purposes of auditing and reporting.
    • Interpretation ongoing…
  Retention (years): 5+
  Notes/Status: Public companies with market capitalization over $75M on the accelerated (2004) filing deadline now have until the date of their first annual report after 11/15/2004 to comply with the requirement to identify and test internal financial controls. Other publicly traded companies must comply with Section 404 by the date of their first annual report after 04/15/2005.

SEC 17a-4 (Brokerage)
  Summary:
    • Written and enforceable retention policies
    • Storage of data on indelible, non-rewriteable media
    • Searchable index of all stored data
    • Readily retrievable and viewable data
    • Redundant copies of data in multiple locations on different media
  Retention (years): 2-6+
  Notes/Status: The original requirement for WORM (Write Once Read Many) optical drives has been revised to include any media that fits the specification.

Text Box: Compliance-in-a-Box?

If money is no object, there are solutions available that are designed to proactively steer a firm into compliance, in some cases literally by preventing alteration of data. A “glass house” all-in-one solution that includes hardware and data policy management software starts in the neighborhood of $150,000.

The information that firms need to retain for compliance can include e-mail messages, business transactions, contracts, and so on (perhaps even instant messaging). But the data must be categorized to be useful. None of these costly solutions can tag or classify this data for you; someone has to perform an exhaustive review of the data and the applications and processes that generate it. This manual effort is the real issue – there is no shortcut to compliance.

In addition to wolfish eyes and ears, these rules and regulations have great big teeth: corporate officers face criminal prosecution for wrongdoing, and massive fines can be levied against firms for non-compliance. In 2003, the SEC fined Bank of America $10 million for failure to produce records in a timely manner. Aside from such penalties, there is the often-underestimated cost of extracting such data in the absence of a coherent policy. In 2000, the White House estimated it would cost as much as $10 million to retrieve 246,000 e-mail messages from 4,925 poorly organized backup tapes (Washington Times: May 4, 2000).
