Compliance Journal





A Storage Management Perspective on Sarbanes Oxley

Compliance Is Not Only the Right Thing to Do, It's Good for You Too

Where to start
The first step for storage management is to develop a basic SOX competency. This could come from several places and should consist of understanding the law itself, its impact on the organization, and specifically what it means for storage management.

To ensure understanding of organizational requirements, storage management must rely on the appropriate corporate functions: compliance, risk management, finance, and legal. More challenging is the process of interpreting corporate policies and guidelines and turning them into practices that are actionable by IT. A data retention directive, for example, can be acted upon and implemented in a number of ways. Determining which is most appropriate is not always easy. It is likely to be the responsibility of IT to help identify such issues and to be in a position to recommend appropriate courses of action, further underscoring that IT can add value to the SOX compliance process by working closely with other corporate functions. The combined effort between the policy makers and the technical experts will ensure that the actions taken will best meet the compliance needs of the organization.

In order to be able to add value, one also must be familiar with the guidelines that auditors are likely to be applying, as well as other related IT frameworks and methodologies. Specifically, for SOX initiatives, storage management should become familiar with COSO and COBIT. For further support, general-purpose IT frameworks such as ITIL (IT Infrastructure Library) may be helpful. Unfortunately none of these guidelines or frameworks specifically addresses storage management. Therefore, it will be necessary to translate policies and directives from business to IT to storage. Let's look at how this might be done.

COSO provides the necessary high-level guidelines for establishing sound corporate governance. The areas of focus defined by COSO include:

  • Control Environment: the so-called "tone at the top", detailing specific corporate standards and objectives
  • Risk Assessment: specifies the relevant areas of concern that must be addressed by governance policies and practices
  • Control Activities: identify the corporate policies, practices, and procedures needed to meet compliance requirements (and, hopefully, business objectives as well)
  • Information and Communication: details the data required, the frequency of reporting, and the channels of communication required to ensure compliance
  • Monitoring: covers the activities required to oversee and evaluate whether the entire process is being followed and whether it is meeting the intended requirements

The first level of translation from COSO-specified corporate guidelines to IT activities and areas of focus can be accomplished through the COBIT framework, from the IT Governance Institute. COBIT identifies 34 areas of IT-specific governance and control organized into four domains:

  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

It should be noted that COBIT is not exclusively focused on compliance. It is designed to provide an auditing framework for sound IT management. Therefore COBIT also addresses cost and efficiency concerns that go beyond the scope of compliance but are very much within the scope of business needs.

Next: Translating to Storage...

Jim Damoulakis is CTO of GlassHouse Technologies, the leading independent provider of storage services.
