Public Company Accounting Reform and Investor Protection Act

Compliance Journal


A Storage Management Perspective on Sarbanes Oxley

Compliance Is Not Only the Right Thing to Do, It's Good for You Too

Translating to Storage
The next step is to apply COSO and COBIT principles to the storage infrastructure: first assess how well the storage infrastructure addresses risk, then examine the relevant storage processes and determine whether they meet corporate objectives. This requires analyzing storage operational processes, mapping those processes to compliance, governance, and business policies, and determining whether the requirements are being met.

Unfortunately, neither COSO nor COBIT discusses storage specifically, so a translation layer, typically developed by the storage management group, is needed. For our clients, GlassHouse Technologies provides this translation through a storage-specific best practices framework called the Storage Management Lifecycle (SML). The SML describes the end-to-end operational activities required to manage a storage environment effectively and efficiently. Figure 1 details the highest-level SML domains, which encompass over 200 activities and focus areas. This framework provides a direct mapping to COSO and COBIT that can serve as a guide for focusing storage activities to appropriately support compliance initiatives. The SML provides the necessary link between storage activities and corporate policies.

A reasonable approach to establishing this link is to focus on the COSO Risk Assessment, Control Activities, and Monitoring areas by conducting a risk and process assessment of the storage environment. A minimum list of questions that the assessment must address includes:

  • Does the storage organization have documented processes to address critical areas such as data protection, data security, data availability and recovery?
  • Are these processes being followed?
  • What levels of monitoring and reporting capabilities are in place to provide assurance that critical data is being protected and can be retrieved in accordance with corporate requirements?
Within each of the critical areas, questions should investigate the quality of each of the processes:
  • Do backups complete successfully? Are appropriate measures taken to ensure that media is recoverable? Does the organization test application recoverability (in addition to file recoverability)?
  • Is there a data archiving process in addition to the daily backup process? Is appropriate metadata being retained to enable timely retrieval?
  • How effective is the Disaster Recovery (DR) process? Is keeping DR plans up-to-date considered in the normal change management process? Are regular DR tests performed?
  • How secure is data "at rest"? What processes are in place to ensure that data stored on physical media (disk, tape, or optical) is protected in accordance with corporate policies?
In our practice, we have adapted the Software Engineering Institute's Capability Maturity Model (CMM) (see Figure 2) to assess SML processes within storage organizations. Generally, in order to meet compliance requirements an organization must be at a minimum maturity level of three for most activities and at a maturity level of four to meet control point requirements for critical tasks.

The assessment produces an analysis detailing which processes are critical to the area under consideration, such as compliance, and specifically identifies the gap between where the organization is today and where it needs to be. The gap analysis then leads to the development of a corrective action plan to address shortcomings in a prioritized fashion that will form the basis for a compliance-readiness roadmap.

The specific storage-related control points and tasks will depend upon specific guidelines identified by the compliance office, auditors, or other appropriate committee, and may vary based on the selected audit framework. Typical control points related to data protection will focus on areas related to the backup-restore and disaster recovery processes, and may include:

  • Media management tracking, including offsite tape handling and inventory
  • Backup success reports for SOX-critical applications
  • Restore logs
  • Disaster recovery planning, including maintenance, review and testing processes
  • Disaster recovery application assignment and review process
  • Data retention policies and verification process
  • Data expiration policies and verification process
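
As an added illustration of how the backup-related control points above can be checked mechanically (this is example code, not GlassHouse's SML tooling), the script below evaluates constructed backup-job log lines against two assumed requirements: every SOX-critical application must show a successful backup within the last 24 hours and a successful restore test within the last 90 days. The log format, the application names, and the windows are assumptions; real backup products report this differently.

```python
"""Check backup and restore-test evidence for SOX-critical applications.

Added example, not from the article. The log format, application names
and control windows below are assumptions for illustration only.
"""
from datetime import datetime, timedelta

# Constructed sample log lines: app | job type | result | completion time (UTC)
SAMPLE_LOG = """\
GL-ERP|backup|SUCCESS|2024-03-01T01:10:00
GL-ERP|restore_test|SUCCESS|2024-02-20T09:00:00
AP-PAYABLES|backup|FAILED|2024-03-01T01:30:00
AP-PAYABLES|backup|SUCCESS|2024-02-28T01:25:00
TREASURY|backup|SUCCESS|2024-03-01T02:00:00
"""

# Assumed control requirements: a successful backup within BACKUP_WINDOW and
# a successful restore test within RESTORE_WINDOW for each SOX-critical app.
SOX_CRITICAL = {"GL-ERP", "AP-PAYABLES", "TREASURY"}
BACKUP_WINDOW = timedelta(hours=24)
RESTORE_WINDOW = timedelta(days=90)


def parse_log(text):
    """Return a list of (app, job, result, completed_at) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, job, result, ts = line.split("|")
        events.append((app, job, result, datetime.fromisoformat(ts)))
    return events


def control_findings(events, now):
    """Return {app: [finding, ...]}; an empty list means the control is met."""
    findings = {app: [] for app in SOX_CRITICAL}
    for app in SOX_CRITICAL:
        # Only successful jobs count as evidence; failed runs are ignored here.
        backups = [t for a, j, r, t in events
                   if a == app and j == "backup" and r == "SUCCESS"]
        restores = [t for a, j, r, t in events
                    if a == app and j == "restore_test" and r == "SUCCESS"]
        if not backups or now - max(backups) > BACKUP_WINDOW:
            findings[app].append("no successful backup within window")
        if not restores or now - max(restores) > RESTORE_WINDOW:
            findings[app].append("no successful restore test within window")
    return findings


def sample_findings():
    """Evaluate the constructed log as of a fixed audit time."""
    return control_findings(parse_log(SAMPLE_LOG), datetime(2024, 3, 1, 8, 0))
```

Run against the sample, GL-ERP passes both checks, AP-PAYABLES fails both (its only successful backup is two days old and it has no restore test), and TREASURY fails only the restore-test check.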

Next: Taking Action...

More Stories By Jim Damoulakis

Jim Damoulakis is CTO of GlassHouse Technologies, the leading independent provider of storage services.
