Public Company Accounting Reform and Investor Protection Act

Compliance Journal


A Storage Management Perspective on Sarbanes Oxley

Compliance Is Not Only the Right Thing to Do, It's Good for You Too

Taking Action
From the risk and process assessment, the next step is to take action. In most instances, this means addressing the activities identified as shortcomings in the assessment, including developing and documenting standard operating procedures. This is not a trivial activity: it requires a significant investment of staff time, both for the actual development of the procedures and for their testing, validation, and acceptance.

Monitoring and reporting are also a significant challenge. The existing tools and technologies may provide only a subset of the data required, or may provide it in a form that is difficult to validate from an auditing perspective. For example, most backup applications can report on the success or failure of backup and restore activities, but they typically provide this information from the perspective of individual servers. There is no report detailing the status of a particular application. Mapping servers to applications is an additional task that must be done before anyone can determine whether critical SOX-related data is adequately protected.
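The server-to-application roll-up described above, as an added example that is not part of the original article and does not come from any particular backup product. It assumes a per-server backup report exported as CSV and a server-to-application mapping maintained separately (a CMDB or the risk assessment); both the report lines and the mapping below are constructed for illustration. The auditing point it encodes is that an application counts as protected only when every server holding its data reported a successful backup, and that a server missing from the report is a gap, not a pass.

```python
"""Roll per-server backup results up to per-application protection status.

Added example (not from the article or a vendor tool). The report format
and the server-to-application mapping are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed sample: the kind of per-server report a backup tool exports.
BACKUP_REPORT = """\
server,job,status,completed
fin-db-01,full,success,2024-03-01T02:10:00
fin-db-02,full,failed,2024-03-01T02:15:00
fin-app-01,full,success,2024-03-01T01:40:00
hr-db-01,full,success,2024-03-01T03:00:00
lab-test-07,full,success,2024-03-01T04:00:00
"""

# Constructed mapping of SOX-relevant applications to the servers that hold
# their data. Note hr-app-01 has no line in the report at all.
APP_SERVERS = {
    "general-ledger": {"fin-db-01", "fin-db-02", "fin-app-01"},
    "payroll": {"hr-db-01", "hr-app-01"},
}


@dataclass
class AppStatus:
    app: str
    protected: bool
    failed: list[str] = field(default_factory=list)   # servers whose backup failed
    missing: list[str] = field(default_factory=list)  # servers absent from the report


def parse_report(text: str) -> dict[str, str]:
    """Return {server: 'success' | 'failed'} from the CSV report.

    A server with any non-success job is marked failed, regardless of
    other successful jobs for that server.
    """
    status: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        server = row["server"].strip()
        if row["status"].strip().lower() != "success":
            status[server] = "failed"
        else:
            status.setdefault(server, "success")
    return status


def application_status(server_status: dict[str, str],
                       app_servers: dict[str, set[str]]) -> dict[str, AppStatus]:
    """Map server results onto applications.

    An application is protected only if every mapped server reported success.
    Servers absent from the report are listed as missing and fail the
    application: silence from the backup tool is not evidence of protection.
    """
    results: dict[str, AppStatus] = {}
    for app, servers in app_servers.items():
        failed = sorted(s for s in servers if server_status.get(s) == "failed")
        missing = sorted(s for s in servers if s not in server_status)
        results[app] = AppStatus(app, not failed and not missing, failed, missing)
    return results


def unmapped_servers(server_status: dict[str, str],
                     app_servers: dict[str, set[str]]) -> list[str]:
    """Servers that report backups but belong to no application: scoping gaps
    to review, since they may hold SOX data nobody has classified."""
    mapped = set().union(*app_servers.values())
    return sorted(set(server_status) - mapped)


if __name__ == "__main__":
    per_server = parse_report(BACKUP_REPORT)
    for st in application_status(per_server, APP_SERVERS).values():
        verdict = "PROTECTED" if st.protected else "NOT PROTECTED"
        print(f"{st.app:15} {verdict:14} failed={st.failed} missing={st.missing}")
    print("unmapped servers:", unmapped_servers(per_server, APP_SERVERS))
```

The output is the application-level view the article says backup tools do not give: here neither application is protected (one failed server, one server never reported), and `lab-test-07` shows up as a server nobody has mapped. The same roll-up works unchanged for restore-test results if the report carries those as jobs.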

Finally, the SOX-compliance effort is not a one-time event. Storage environments are highly dynamic; data growth rates of 50-100% annually are the norm in many organizations. Ensuring that new data continues to be managed in accordance with SOX policies as additional storage is added is an ongoing activity. Strong adherence to, and regular review of, provisioning, configuration management, and change management activities must become part of the standard operating procedure.

If this effort is approached properly, the outcome will be more than an infrastructure that can pass an auditing team's inspection. It will produce a storage organization that responds better to users because the value of its data is understood, and one that is more efficient because its processes are better documented and more repeatable. It will also provide a methodology for focusing technology investments where they are needed and can be justified in terms the business understands.

Compliance is not only the right thing to do, it's good for you too.


Jim Damoulakis is CTO of GlassHouse Technologies, the leading independent provider of storage services.
