Public Company Accounting Reform and Investor Protection Act

Compliance Journal


A Storage Management Perspective on Sarbanes Oxley

Compliance Is Not Only the Right Thing to Do, It's Good for You Too

Mention storage in the same breath as Sarbanes Oxley and the immediate reaction of senior management might be to hide the checkbook. Invariably a vendor is making a pitch on how the latest and greatest WORM-enabled, opto-magnetic, network-replicated gizmo is going to solve all of their problems. SOX has become the latest in a line of vehicles to which vendors have hitched their wagons in order to sell more gear (remember the Y2K buying frenzy?). The sad truth of the matter is that you could have the greatest technology in the world and still fail a compliance audit miserably.

The Storage Manager's Dilemma

Don't get me wrong - vendors are not solely to blame. To quote that great American philosopher Pogo, "We have met the enemy and he is us." Many organizations procrastinated before giving serious consideration to SOX, particularly to Section 404's compliance requirements, and now are scrambling at the last minute to address these issues. Of course, the IT organization ends up bearing the brunt of this and, to a large extent, is unprepared to deal with it. Kept largely in the dark as finance, legal, and compliance departments met with consultants and formulated policies, it is now expected that IT will come through, in the 11th hour, with a miracle to somehow implement systems to meet the regulation's directives. The instinctive reaction within IT may be to pick up the phone and call their vendors to see if anyone has a Sarbanes Oxley solution to sell. And they do - sort of.

Within the IT infrastructure organization much of the burden of SOX is borne by the storage management group, which is responsible for data protection and recovery. Unfortunately, in many environments storage management is hamstrung by a lack of visibility into the requirements of SOX. This is symptomatic of a larger-scale problem: lack of visibility into the value of the data that IT manages. Most data these days is stored on disks, backed up, and sometimes even replicated. Too often, from a storage management perspective, it is all treated in the same manner regardless of importance or value. Data often has not been classified to differentiate high-value data from low-value data. And certainly, the storage manager has no idea which data is SOX-critical. When given a directive to manage SOX data, in desperation, they turn to their vendors.

The vendors then offer technology components that could potentially be incorporated into a solution to a data retention problem. These include primary, secondary, and tertiary storage systems, robotic tape libraries with WORM tape technology, associated networking components, and software to manage all of these devices. Unfortunately, vendors typically cannot sell storage managers what they really need: a set of management and operational processes that can demonstrably ensure internal storage infrastructure controls are compliant with the specifics of the auditing framework being followed within the environment.

More Stories By Jim Damoulakis

Jim Damoulakis is CTO of GlassHouse Technologies, the leading independent provider of storage services.
