Sarbanes-Oxley: Driving the Storage Compliance Boom
In the first part of a series on regulatory compliance and storage issues, we examine the far-reaching effects of the Sarbanes-Oxley Act.
No government or agency regulation has refocused the energies of IT administrators and storage professionals like the Sarbanes-Oxley Act. Broad in its reach, short on implementation specifics, and bristling with teeth, the act has sent IT departments scrambling to get a handle on the compliant storage of business data almost from its enactment in 2002.
Although the scramble isn't over — it's only now, after the Section 404 deadline, that audits and case law will begin to better establish the SEC's expectations — a few years of experience has given us a measure of the effect the act is having on the practice of data retention and protection.
Sarbanes-Oxley is ultimately an act that mandates financial accountability. It is not a records storage implementation guideline. It doesn't call for the retention of specific record types, nor require specific media, nor specify recovery time objectives for archived records.
"No one knows where the dividing line is between what they must keep and what they don't need to keep," says Al Stuart, chief strategist for IBM compliance and data retention solutions. So companies are taking an inclusive approach, storing everything that might have a bearing on financial reporting, and, in the words of Stuart, "in some cases they are claiming they are keeping everything forever."
Ambitious as that goal may be, Sarbanes-Oxley requires storage of all relevant financial records, and in most cases that includes unstructured and semi-structured data such as e-mail.
"What people didn't realize is that they were doing business via e-mail," says Stuart. "And what woke everyone up was Sarbanes-Oxley."
According to Peter Gerr, senior analyst at Enterprise Strategy Group, e-mail archiving is an important tool for addressing compliance that is "almost universally applicable." In addition to meeting compliance requirements, e-mail archiving, says Gerr, "can also help reduce IT operational costs associated with managing it."
E-mail drives up the requirements for compliant storage. Archiving specialist Zantaz has had a front-row seat for the growth of this segment, and now manages over 300 TB (some 5 billion e-mails) for customers that have chosen to outsource. The volume is impressive, but the issues of managing e-mail go well beyond capacity and scalability, says Francis Lambert, the company's product partnerships consultant. Adding storage devices to the e-mail server may be cheap, says Lambert, but support for retrieval and compliant deletion is the critical component.
"You get what you pay for in terms of managing your e-mail records if you just throw storage at it," says Lambert. In companies subject to Sarbanes-Oxley, e-mails can't simply be deleted to make room under a quota. Lambert adds: "If you're just deleting according to policy that's driven by the budget in the IT department, you're transferring that cost to the legal department."
There are also legal dangers to a simplistic approach to e-mail retention. Many organizations, says Gerr, "have simply thrown a blanket over their entire e-mail infrastructure, and are now retaining everything, because they feel that that insulates them from a potential violation." But in the long run this may do more harm than good, says Gerr, because information maintained that is not required for compliance does not serve the company and has the potential to be evidentiary.
The key to proper e-mail retention, and indeed to many compliance issues, is to define a policy based on business and legal concerns, and then to implement that policy in the IT department. Technology that aids in the policy classification of e-mails, based on content and recipient, can be part of the solution, but ultimately it is the policy itself that drives the implementation. Says Lambert, "Without the policies, the storage people are in a vacuum. It's not their call to determine the legality of data storage."
"Rapid and Current"
Storing large amounts of data is the first challenge of Sarbanes-Oxley; finding critical information within that large amount of data in response to an auditor's inquiry or legal action is the second. Section 409 requires companies to make "rapid and current" disclosures concerning "material changes" to their financial conditions, but there are no hard and fast rules as to the timeliness of response when records are requested.
Here is one area where there is a fairly clear accepted best practice, according to Gerr, who says that 48 hours is a reasonable target when planning for the recovery of records related to Sarbanes-Oxley. As a practical matter, Gerr adds, "rapid recovery will be used as a measurement of the soundness of a company's records management." If you can't locate a record in 48 hours, "the logic goes ... it's clear then that you have poor record management and record control practices, and it then becomes a snowball rolling downhill."
Roy Sanford, EMC's vice president of content addressed storage, points out a reason for locating records even faster than the 48 hour target in the event of legal action. If it takes too long to locate stored data, "discovery time extends to the point where the internal legal counsel is getting it at the same time as the regulatory body, which means there is no time to prepare a defense."
EMC, IBM, and Network Appliance are among those offering compliance-oriented serial ATA (SATA) archival storage systems using WORM (write once, read many) disk. Rapid access, assurance of immutability, and the bottom line have made WORM disk a popular storage medium for Sarbanes-Oxley and other compliance efforts.
"It may be cost-prohibitive and operationally prohibitive to store those records on [optical media], which is why we've seen an explosion in disk-based WORM solutions," says Gerr. "I believe that disk-based WORM or immutable disk will be a feature that you 'need to have' in most primary and secondary storage systems."
Sarbanes-Oxley requires that data integrity be maintained over the retention period. There is an obvious need to block inadvertent or malicious changes and to authenticate stored documents as originals. But Section 302's requirement for "internal controls" can also be read as requiring that unauthorized reads of compliance data be denied.
Says Gerr, "there is a notion of public and private information as it relates to a company's financial records, and part of establishing and maintaining internal controls relates to preventing unauthorized views."
A lackadaisical approach to ensuring the confidentiality of data might also be viewed as non-compliant, so data security considerations are also Sarbanes-Oxley compliance considerations.
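The properties discussed above (write-once storage, authenticating a stored document as the original, deletion only when a policy-defined retention period has expired, and denial of unauthorized reads) can be made concrete in a small model. The following is an added illustration written for this article; it is not code from any vendor or product named here. It uses the SHA-256 digest of a record as its storage address, in the spirit of content-addressed storage, so that any later alteration of the bytes is detectable on read. The role names, the retention clock, the seven-year retention figure and the sample ledger record are all assumptions made for the example.

```python
"""Toy content-addressed WORM archive (added example, not a vendor's product).

Models write-once storage, authentication of originals via content addressing,
retention-policy-gated deletion with legal hold, and authorised reads with an
audit trail. Roles, clock and sample data are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass


class WormError(Exception):
    """Raised when an operation would violate write-once or retention rules."""


@dataclass
class Record:
    content: bytes
    retain_until: int          # assumed retention clock: seconds since epoch
    legal_hold: bool = False


class WormArchive:
    def __init__(self, readers):
        self.readers = set(readers)   # principals allowed to read (assumed role names)
        self._store = {}              # address -> Record
        self.audit_log = []           # every access attempt, granted or denied

    @staticmethod
    def address(content: bytes) -> str:
        """Content addressing: a record's address is the SHA-256 of its bytes."""
        return hashlib.sha256(content).hexdigest()

    def write(self, content: bytes, retain_until: int) -> str:
        addr = self.address(content)
        if addr in self._store:
            # Write once: an identical re-write is harmless, but no code path
            # can replace the bytes behind an address that already exists.
            self.audit_log.append(("write-duplicate", addr))
            return addr
        self._store[addr] = Record(content, retain_until)
        self.audit_log.append(("write", addr))
        return addr

    def read(self, addr: str, principal: str) -> bytes:
        if principal not in self.readers:
            self.audit_log.append(("read-denied", addr, principal))
            raise PermissionError(f"{principal} may not read compliance records")
        rec = self._store[addr]
        # Authenticate as original: the digest is recomputed on every read, so a
        # modified or corrupted record no longer matches the address it was filed under.
        if self.address(rec.content) != addr:
            self.audit_log.append(("integrity-failure", addr))
            raise WormError("stored content no longer matches its address")
        self.audit_log.append(("read", addr, principal))
        return rec.content

    def place_legal_hold(self, addr: str) -> None:
        self._store[addr].legal_hold = True
        self.audit_log.append(("legal-hold", addr))

    def delete(self, addr: str, now: int) -> None:
        """Compliant deletion: only after retention expires and with no hold."""
        rec = self._store[addr]
        if rec.legal_hold:
            raise WormError("record is under legal hold")
        if now < rec.retain_until:
            raise WormError("retention period has not expired")
        del self._store[addr]
        self.audit_log.append(("delete", addr))


def demo() -> dict:
    """Exercise each rule on a constructed record; returns which checks fired."""
    archive = WormArchive(readers={"auditor"})
    ledger = b"constructed sample: Q3 FY2004 general ledger export"   # constructed data
    addr = archive.write(ledger, retain_until=7 * 365 * 86400)        # 7 years, assumed policy
    outcome = {"addr": addr, "read_ok": archive.read(addr, "auditor") == ledger}

    for label, call in (
        ("unauthorised_read_denied", lambda: archive.read(addr, "intern")),
        ("early_delete_denied", lambda: archive.delete(addr, now=86400)),
    ):
        try:
            call()
            outcome[label] = False
        except (PermissionError, WormError):
            outcome[label] = True

    archive.place_legal_hold(addr)
    try:
        archive.delete(addr, now=10 * 365 * 86400)    # past retention, but on hold
        outcome["hold_delete_denied"] = False
    except WormError:
        outcome["hold_delete_denied"] = True

    # Simulate corruption or tampering at the storage layer, beneath the archive API.
    archive._store[addr].content = ledger[:-1] + b"!"
    try:
        archive.read(addr, "auditor")
        outcome["tamper_detected"] = False
    except WormError:
        outcome["tamper_detected"] = True
    return outcome


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the model is that immutability, retention and access control are enforced by the archive's interface rather than by storage quotas, and that every denied operation leaves an audit entry an examiner can review. A real disk-based WORM system enforces the write-once rule in firmware or the filesystem rather than in application code, and the tampering simulated in `demo()` stands in for the media-level corruption the recomputed digest is there to catch.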
After the Deadlines
Are we all compliant yet? The first Section 404 deadline, for fiscal years ending on or after Nov. 15, 2004, applied to accelerated filers, companies with a public float of $75 million or more. Other companies are not required to comply with Section 404 until July 15.
Gerr sees more than differing deadlines separating larger companies from smaller. "After you get beyond the enterprises, from what our research has shown, Sarbanes-Oxley compliance and understanding really falls off the cliff," he says. Gerr adds that smaller companies generally "don't really understand how complying with Sarbanes-Oxley will have a positive benefit on their business."
Sarbanes-Oxley is also good for business, and not just the storage business.
"Sarbanes-Oxley is a good thing to do, because it helps you get your business practices under control and documented," says IBM's Stuart.
Gerr has a similar take: "In complying with Sarbanes-Oxley, you're going to improve your company's record management processes, which will in turn reduce costs, and is likely to allow you to avoid future penalties or litigation."
Editor's note: Future installments of this series will focus on compliance issues facing the healthcare and financial services industries, data security, and future trends.