IT is on the forefront of regulatory compliance, but the right hardware, software and policies for compliance can be confusing.
Data loss, theft and other misuse cripples and even destroys businesses, so regulations -- SOX,
What hardware and software are SOX and HIPAA approved?
None. There is no specific SOX-rated server, for example, approved for data center use. Data center regulatory compliance legislation mandates goals, not the path to achieve those goals. Legislation should not specify systems or architectures: Legislators are not particularly tech-savvy, and technologies are always changing.
None of the many major regulations on privacy or financial data dictate 'the right way' for companies to store, access or protect it. IT shops can draw from a vast array of products and policies to meet compliance requirements within the scope of their budgets and existing infrastructure. There are, however, onerous penalties for non-compliance. Organizations collocating or cloud-hosting workloads must verify suitable compliance measures with the provider.
The only real way to measure compliance is to test and routinely audit the safeguards in place for each regulation. When lapses are identified, the team can assess and correct them.
Is it worth moving to a SAN?
It is possible to store compliance data on server-side disks. However, centralized storage, like storage area network (SAN) or network-attached storage (NAS) systems, is almost always preferred. If only some data is regulated, you can mix server-side and centralized storage.
SAN and NAS offer a common storage environment for workload migration and replication in virtualized data centers. Centralized storage is easier to manage and allocate than server-side because no capacity is overlooked or forgotten. Workloads and data are completely replicated, or otherwise protected to secondary -- and often remote -- storage arrays. The IT team can centrally log and audit all storage activity. And centralized storage is easier to secure; physically with locks and logically with encryption.
Will I need to expand storage capacity for audits?
Complying with data regulations may require more storage in the data center because of longer retention mandates or more aggressive archiving and backups. Strong business continuity plans may demand frequent snapshots with replication to one or more remote sites, inevitably driving up total storage.
Simply adding more storage isn't the answer. Storage is costly, and there are ways to reduce demand for it, such as data deduplication and long-term capacity planning. It's important to understand how storage is used and growing over time.
Testing SOX, HIPPA or other compliance readiness
The PCI Data Security Standard (PCI DSS) protects credit and debit card numbers.
The Health Insurance Portability and Accountability Act (HIPAA) protects patient identifiers like social security numbers and the contents of medical records.
The Sarbanes-Oxley Act (SOX) mandates financial disclosures from publicly listed companies.
The Gramm-Leach-Bliley Act (GLBA) protects the privacy of individuals' financial information.
The Patriot Act enables domestic and international surveillance of American citizens and others by the U.S. Department of Justice.
The EU Data Protection law dictates how companies acquire, update, store and use personal data across EU member states.
*Some of these regulations' requirements overlap and some cover the same data.
Regularly assess and audit compliance-related data to conform to regulations. Outside firms offer audit simulations, which test the organization's preparedness and responsiveness. The findings from an impartial perspective can help the business alter and refine compliance efforts. Access and evaluate activity logs, test recovery and restoration methods and verify the availability and integrity of important corporate information. No one method will accomplish this goal.
Compliance is a business effort, not an IT project. IT can help locate, gather and restore or recover data, but regulatory compliance specialists must determine success or failure. The corporate compliance officer (CCO) should set appropriate testing goals and delineate which records to audit in what timeframe. CCOs also provide guidance on the best protocols or methodologies for tests, and how to approach various regulations.
IT can help with data center management tools designed for compliant operations. Tools like Zoho Corp.'s ManageEngine EventLog Analyzer report user logons, logon failures, object (file) access, system events and other details that trace access to sensitive data, which help to document HIPAA security compliance.
Compliance preparations are rarely tested until something goes wrong. Get business leaders and a knowledgeable compliance officer involved to guide goals and set policies. Then, IT can put the proper pieces into place.
This was first published in July 2014