
Part two: Managing corporate records for Sarbanes-Oxley

The gold standard of Sarbanes-Oxley records management is the Department of Defense. Read the standards they have for their data -- you may be able to use them in your planning.

In part one of this series we discussed the Sarbanes-Oxley Act of 2002 and its directive for IT managers to store electronic corporate records. We learned that while Sarbanes-Oxley defines clear rules for storing corporate records, it does not specify the exact manner in which records are to be stored. In this next installment we will review a set of records archive specifications and the benefits of creating a centralized electronic records archive in your organization.

The "gold standard" for enterprise records management applications is the Department of Defense (DoD) Standard 5015.2. DoD 5015.2 is a specification containing a list of functional requirements regarding making records, classifying records, storing and retrieving records and retention features.

DoD 5015.2 requirements summary

1. Making records
- The enterprise records management system (ERM) shall assign a unique record identifier to each record
- The ERM shall store a record with all its attachments
- The ERM shall identify the media type, format and location of all records

2. Classifying records
- The ERM shall provide the capability to organize all records
- The ERM shall provide the capability to assign a record classification code to each record

3. Indexing records
- The ERM shall uniformly create and maintain indexes for all records

4. Storing records
- The ERM shall maintain the integrity of a record and shall not change the format of the record

5. Screening and disposing records
- The ERM shall provide output for viewing, saving and printing of records
- The ERM shall notify authorized individuals of required disposition actions based on both the category and disposition instruction

6. Retrieving records
- The ERM shall provide the capability to request records using the indexes
- The ERM shall present the user a list of records meeting retrieval criteria
- The ERM shall provide record copies in the format in which they are stored

7. Copying records
- The ERM shall never allow modification of the stored record

DoD 5015.2 does not mandate a set of business practices, but defines a set of technical features needed by an ERM system to be considered acceptable for purchase by an agency of the US Defense Department. For our purposes, these technical features serve as a guideline for an ERM system design. The requirements for indexing, classifying, storing and retrieving records are all applicable to Sarbanes-Oxley. Together they account for the safe and secure storage of corporate records.
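
The following added example, which is not from this article or from the DoD 5015.2 text, models the making, classifying, indexing, storing, retrieving and copying requirements summarized above in Python. The `Archive` and `Record` names, the UUID identifiers and the SHA-256 digest used to check integrity are assumptions chosen for illustration; the standard does not prescribe them.

```python
import hashlib
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)          # frozen: attribute assignment raises an error
class Record:
    record_id: str               # unique record identifier (assumed: UUID4)
    classification: str          # record classification code
    media_type: str              # media type / format as received
    content: bytes               # stored byte-for-byte, never re-encoded
    attachments: tuple           # ((name, bytes), ...) kept with the record
    digest: str                  # SHA-256 over content and attachments

def record_digest(content, attachments):
    """Length-prefixed hash so field boundaries cannot be shifted unnoticed."""
    h = hashlib.sha256()
    for name, blob in (("", content), *attachments):
        for part in (name.encode(), blob):
            h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()

class Archive:
    """In-memory model of a write-once records archive (illustrative only)."""
    def __init__(self):
        self._records = {}       # record_id -> Record
        self._index = {}         # classification code -> [record_id, ...]

    def store(self, content, classification, media_type, attachments=()):
        content = bytes(content)
        attachments = tuple((n, bytes(b)) for n, b in attachments)
        rec = Record(str(uuid.uuid4()), classification, media_type,
                     content, attachments, record_digest(content, attachments))
        self._records[rec.record_id] = rec   # new ID every time: no overwrite path
        self._index.setdefault(classification, []).append(rec.record_id)
        return rec.record_id

    def find(self, classification):
        """Retrieval by index: list the record IDs filed under a code."""
        return list(self._index.get(classification, []))

    def retrieve(self, record_id):
        """Return the record as stored, refusing it if the bytes have changed."""
        rec = self._records[record_id]
        if record_digest(rec.content, rec.attachments) != rec.digest:
            raise ValueError(f"integrity check failed for {record_id}")
        return rec

    def verify_all(self):
        """Audit pass: IDs of records whose content no longer matches its digest."""
        return [rid for rid, r in self._records.items()
                if record_digest(r.content, r.attachments) != r.digest]
```

In a production archive the digests would be kept apart from the record data, or signed, because anyone able to rewrite both the record and its digest defeats the check.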

Benefits of ERM

The penalty for failing to comply with Sarbanes-Oxley rules for data retention and data integrity is severe and includes fines, imprisonment or both. These penalties should be avoided at all costs. But for the majority of organizations, the biggest risk related to enterprise records management is the cost of retrieving electronic records related to a legal discovery request. And the electronic records that have caused the most pain (and cost) in recent years have been e-mail. Even if message servers are routinely backed up to tape, the cost of restoring hundreds of tapes and searching millions of e-mail records can be staggering.

Creating an enterprise data archive to meet legal requirements is an even bigger win for organizations because it unlocks the intrinsic value of corporate information for employees. Employees themselves can do "data mining" from the archived records, reducing the need to re-develop or re-create projects, concepts, etc. Management can use data mining to understand the state of negotiations, commitments, status of projects, and much more. These archives offer a historical perspective and in effect capture the institutional memory of the organization. While ERM archives are often created in reaction to new legal requirements, organizations discover they offer even greater value by enabling electronic data mining for end users.

When organizations have shied away from developing enterprise data archives, it has usually been a result of cost and necessity. Now, with Sarbanes-Oxley, the need to archive all corporate business records, including electronic messages, is very clear. The good news is that a well-designed ERM system that deploys newer technologies, such as low-cost disk storage, can produce a very cost-effective solution. By treating the archive problem primarily as a storage problem, these solutions store, archive, and restore electronic records in a cost-effective manner that at the same time increases the availability of critical business records for legal discovery requests and employee data mining.


It was not long ago that corporate executives gave little thought to records management. The task of archiving business records, forms and reports was a simple function that affected only a handful of employees. Now, with the Sarbanes-Oxley Act of 2002, there is a clear mandate to archive all business records, including electronic records and messages from enterprise applications. A cost-effective enterprise records management system can store electronic records from multiple applications in a common repository that complies with Sarbanes-Oxley regulations and reduces the risk of very expensive legal discovery. By treating the records archive problem as a storage problem, expensive human costs can be reduced in favor of cost-effective storage solutions using the newest storage technologies.


About the author:
Bob Spurzem is a Principal Analyst with Contoural Inc., an independent provider of storage consulting and storage education services. He has been closely involved in the storage industry for six years as a Product Marketing Manager with leading storage software vendors.
