Public Company Accounting Reform and Investor Protection Act

Compliance Journal




SOX & Storage

The ABCs

Because of today's emphasis on stakeholder accountability and changing oversight structures, business management is more answerable than at any time in the past for assuring the accuracy and protection of, and access to, financial and other business transactional information. This is creating a partnership of responsibility between the IT domain and the organization's executive management. Recent actions of lawmakers and industry regulators are hitting hard at recordkeeping practices, with specific requirements for the long-term collection and safeguarding of, and quick access to, reams of vital information of all types. As you are probably aware, the Sarbanes-Oxley (SOX) Act mandates changes in financial and corporate reporting, delineates rules for the retention of documents of all types, and provides stiff penalties for the alteration or destruction of records. The act is far-reaching, applying to securities broker-dealers and all companies listed on the U.S. securities markets.

The SEC is requiring that publicly traded companies with market capitalizations over $75 million meet major SOX compliance directives by November 15th of this year (smaller market cap organizations have until July 15th of 2005 to comply). Failure to meet these deadlines can result in substantial financial penalties for corporations, and/or fines and imprisonment of up to 20 years for CEOs and other corporate officers. In practice, the portions of SOX regulations dealing with the implementation of improved records management and protection processes will fall heavily on IT. In order to achieve compliance, additional investments in storage devices, specialized software, new types of media, and enhanced records management controls will be necessary.

We at GST, as storage solutions specialists, believe we have a responsibility to the business community to describe what we believe are the best storage management options that can lessen the burden and cost of SOX compliance as it relates to the collection, protection, archiving, and validation of enterprise data. Because SOX regulations pertaining to recordkeeping demand that stored data not be altered in any way, solutions more often than not will include a computer storage component. This storage component must be one that can be easily customized for your enterprise environment and is affordable; otherwise it won't be implemented even if it fulfills SOX and other requirements. For every "perp walked" exec that goes to jail on TV, there are others that watch and are not moved by it. Beyond government threats of jail and fines, there needs to be the wherewithal to get there in a reasonable fashion; otherwise there could be wholesale non-compliance.

We believe one storage technology that can bring affordable relief to the SOX landscape is a magnetic recording methodology called Write-once, Read-Many (WORM). How WORM functionality might best be implemented to address evolving storage requirements to meet SOX (and an onslaught of similar regulatory actions) is presented below as the A(Assessment), B (Backup & retention), and C (Compliance) of SOX and storage.

(A)ssessment
SOX and other regulations outlining a prescription for backup and restore strategies, records archiving, and long-term data retention are planted squarely in the midst of the computer storage industry. So, too, are the associated requirements that data custodianship be of a non-alterable and non-erasable nature, which has affected the type of magnetic storage media used. The requirements to safeguard more data for longer periods, to bring e-mail and instant messaging under records management control, and to maintain secure duplicate backup data sets off-site mean that storage practices at most organizations will need to be modified both in terms of expanded capacities and new capabilities. To comply with the new regulations, all retained records must be indexed, and this index must be easily searchable in order to furnish requested data to oversight agencies on demand. Moreover, a new requirement to report all attempts to modify or delete a stored record will require considerable strengthening of processes affecting enterprise-wide electronic recordkeeping.

Retaining records for extended periods of time (10, 20, or 30 years) presents a technical challenge for ensuring the retrieval of these records, since both the storage media and the computer hardware used to read and write that media are constantly evolving. With tape backup systems being replaced every three to five years to add capacity and newer functionality, it is difficult to imagine that a stack of tape cartridges or optical disks recorded ten to thirty years ago could be read by the current tape or disk hardware. Accomplishing all of this, while at the same time providing for better access, stricter security controls, and detailed record-keeping of actions dealing with backup files, becomes a formidable assignment for the CIO (chief information officer) and is forcing organizations to overhaul their storage policies and develop methods to save records in a more permanent and protected fashion.

However, as daunting as this all seems, SOX should not be considered a burden, but rather a benefit. While compliance with this legislation may repurpose time and money away from other IT projects, upgrading the internal controls over vital recordkeeping should be an ongoing corporate mission and a high priority, with or without SOX deadlines looming in the not-too-distant future. At GST, we believe each organization must conduct an enterprise-wide assessment of its storage management landscape as the first step in determining what must be done to meet mandated compliance standards in a way that adds value to the rest of the organization.

For those organizations that have already focused on governance, the assessment will show that SOX compliance won't be a disruptive element, as many of its directives would have already been implemented to some degree. For others, the assessment will be a wakeup call and an opportunity to upgrade storage and backup methodologies, disaster recovery practices, and storage management processes, which have been neglected and fallen behind current practices after years of lean budgets and staff cutbacks.

(B)ack Up and Retention
Backup, duplicate, and archive everything! OK, maybe not everything, but close. All individual employee workstations must now be an integral part of enterprise backup processes, including all e-mail and instant messaging communications, which must be treated as business records. Long-term record-retention policies and the guarantee of the integrity of those records (with verifiable audit trails), plus swift access to all retained data by government agencies and industry overseers, are important keys to SOX compliance.

SOX doesn't specify the use of a specific storage technology to accomplish its criteria for long-term data retention and availability on tamper-proof media with verifiable audit trails. WORM magnetic tape functionality, built into new WORM-enabled drives and WORM data cartridges, is the most sensible solution in many cases. WORM identifies a storage technology that includes built-in protection against writing over or erasing any data stored on the media. If additional data or revisions are recorded, they are appended at the end of the existing records on the media, thus creating a continuous audit trail of record additions, changes, and deletions. WORM tape drives and cartridges provide the best mix of high performance, high capacity, unalterable backup, and long-term retention of data at an affordable cost. WORM functionality is also available on optical disk drives and magnetic hard drives; however, both of these options have major drawbacks today. Optical disk's technical properties restrict capacity and performance (speed), and it comes with a high cost per megabyte (million bytes) of stored data. Magnetic disk drives (hard drives) are impractical in terms of easy removal for remote long-term storage due to their lack of portability. WORM tape media provides higher capacities of up to 1.3 terabytes (trillion bytes) and increased performance of up to 280 gigabytes (billion bytes) an hour at a lower cost per MB than either of the other options.

Sony Electronics incorporated WORM functionality into their Super-AIT (SAIT) and AIT (Advanced Tape Technology) tape drives. These WORM drives operate with special versions of SAIT and AIT data cartridges. The WORM option is added to the AIT family of tape drives through firmware stored in the WORM data cartridge's Remote Memory-in-Cassette chip making these drives multifunctional ... Sony's SAIT drives accept either WORM or standard (writable/erasable) tape media.

By incorporating WORM functionality into a tape backup solution, we gain the time-tested benefits of tape, which are capacity and performance, with native capacities up to 500 GB at 30 MB/sec transfer rates (1.3 TB capacity with a 78 MB/sec transfer rate using 2.6:1 compression). Long-term durability (estimated shelf life of WORM media is over 30 years), portability (tape cartridges can be easily removed and stored offsite), and the lowest cost of ownership of any WORM media (well below $1/GB) lead us to conclude that tape backup systems with WORM functionality will be the most prevalent SOX-compliant backup technology. Since WORM media protects against over-writes, revisions, or erasing of the stored data, long-term safe storage of retained records is ensured so long as the tapes are protected from environmental damage. On all storage media with WORM, the functionality provides advanced search techniques for easy and quick indexing and access to all stored data. Consequently, WORM meets these records management requirements of SOX and other SEC regulations.

The next challenge is to ensure a fail-safe backup process that cannot fail partway through, and to get the backup media offsite as quickly as possible. GST developed Server-Transparent Media Duplication™ (SMTD™), which is a process to ensure that two identical backup sets are created during the backup operation with no extra workload placed on the server. SMTD, commonly called mirrored backup, delivers identical sets of backup media on GST's dual-drive and mirrored library backup products.

GST's Mirrored Backup Technology using SMTD™ permits identical sets of backup tapes to be created simultaneously during the backup operation. Following the backup, one backup set is retained on-site for any rapid restores that are needed, while the second identical set is safely removed to a secure remote site that can either be a disaster-proof vault or a Disaster Recovery Center.

Another unique capability of mirrored backup configurations (all of which use two tape drives for writing backup tapes, or for reading them during a restore) is called Fail-Safe Backup/Restore. During a Mirrored Backup, if a drive fails for any reason, the tape controller attached to both drives continues to write data to the second drive, completing the backup (or restore) process. You can then go off-line to make the duplicate set of tapes needed for the DR center.

(C)ompliance
Once duplicate data sets are created on WORM media, the recorded data cannot be altered or erased due to the write-once functionality of the cartridges. The AIT and SAIT WORM media will last for 30 years when stored in accordance with Federal Guidelines and with practices stated by the maker of the WORM media used (Sony Electronics in the case of AIT and SAIT tape). Both the AIT and SAIT drives are able to read and write earlier generations of the tape technology (backward compatibility) and to write data that future generations of the same tape technology will be able to read (forward compatibility). Thus, the data is guaranteed retrievable after long-term retention, even as new generations of the tape technologies (AIT and SAIT) begin to replace older generations. This meets the SOX requirements that multiple copies of the data be maintained in their original condition for extended time periods and be available to regulators on demand.

But all of this only satisfies the part of the records management compliance guidelines pertaining to how data is written to storage media. Another part of SOX compliance is assuring that the physical security of the media is safeguarded. The best way to protect against physical loss or unauthorized removal is to place duplicate copies of records on separate media and place the media in separate locations. Furthermore, access to the location where the media is stored must be tightly controlled. SOX requires that any attempt to alter or erase a stored record be documented. With controls over access, procedures can be put into place to track by whom and when files are accessed, to record any attempts to alter or remove data on the stored media, and to record unauthorized removal or attempts to remove the media itself from the storage area.
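The two WORM properties the article relies on, that records are only ever appended (revisions go to the end and earlier versions stay readable, per the Back Up and Retention section) and that every attempt to alter or erase a record is documented (per this section), are easy to model in software. The following is an added example, not code from GST or Sony: a small append-only record store with a searchable index and an audit trail. The hash-chaining of the audit entries, which makes removal or editing of a trail entry detectable, is an added assumption of this example, not something the article specifies; the record IDs and ledger text are constructed.

```python
"""Toy model of a WORM (write-once, read-many) record store with an audit trail.

Added example, not GST's or Sony's software. Models the behaviour the article
describes: records are appended and never overwritten or erased, every access
and every rejected modification attempt is logged, and a searchable index is
kept. The SHA-256 chaining of audit entries is an assumption of this example.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field


class WormViolation(Exception):
    """Raised when a caller attempts to overwrite or erase stored data."""


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class WormStore:
    media: list = field(default_factory=list)    # append-only; never rewritten in place
    index: dict = field(default_factory=dict)    # record_id -> positions of each version
    audit: list = field(default_factory=list)    # hash-chained trail of accesses/attempts
    clock: callable = time.time                  # injectable so tests are reproducible

    def _log(self, actor, action, record_id, outcome):
        # Each entry commits to its predecessor, so editing or dropping one breaks the chain.
        prev = self.audit[-1]["chain"] if self.audit else "0" * 64
        entry = {"ts": self.clock(), "actor": actor, "action": action,
                 "record_id": record_id, "outcome": outcome, "prev": prev}
        entry["chain"] = _digest(entry)
        self.audit.append(entry)

    def append(self, actor, record_id, data):
        # A brand-new record. Writing over an existing ID is an overwrite and is refused.
        if record_id in self.index:
            self._log(actor, "overwrite", record_id, "rejected")
            raise WormViolation(f"{record_id} already exists; use revise()")
        self.media.append({"id": record_id, "version": 1, "data": data})
        self.index[record_id] = [len(self.media) - 1]
        self._log(actor, "append", record_id, "ok")

    def revise(self, actor, record_id, data):
        # Revisions go to the end of the media; every earlier version remains readable.
        if record_id not in self.index:
            self._log(actor, "revise", record_id, "rejected")
            raise WormViolation(f"{record_id} does not exist")
        version = len(self.index[record_id]) + 1
        self.media.append({"id": record_id, "version": version, "data": data})
        self.index[record_id].append(len(self.media) - 1)
        self._log(actor, "revise", record_id, "ok")

    def erase(self, actor, record_id):
        # Nothing on WORM media can be erased; the attempt itself becomes a record.
        self._log(actor, "erase", record_id, "rejected")
        raise WormViolation(f"{record_id}: erase is not permitted on WORM media")

    def read(self, actor, record_id, version=None):
        positions = self.index.get(record_id)
        if not positions:
            self._log(actor, "read", record_id, "missing")
            return None
        pos = positions[-1] if version is None else positions[version - 1]
        self._log(actor, "read", record_id, "ok")
        return self.media[pos]["data"]

    def history(self, record_id):
        return [self.media[p]["data"] for p in self.index.get(record_id, [])]

    def search(self, term):
        # Index-driven lookup: IDs whose latest version contains the term.
        return sorted(rid for rid, pos in self.index.items()
                      if term in self.media[pos[-1]]["data"])

    def rejected_attempts(self):
        # What a regulator would ask for: every documented attempt to alter or erase.
        return [e for e in self.audit if e["outcome"] == "rejected"]

    def verify_audit(self):
        # Recompute the chain; a modified or removed entry breaks a link.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "chain"}
            if body["prev"] != prev or _digest(body) != e["chain"]:
                return False
            prev = e["chain"]
        return True


def demo():
    """Constructed scenario: a ledger entry is filed, corrected, then someone tries to erase it."""
    store = WormStore(clock=lambda: 1100000000.0)   # fixed clock for reproducible output
    store.append("clerk", "GL-2004-0917", "Q3 accrual: 1,250,000 USD")
    store.revise("controller", "GL-2004-0917", "Q3 accrual: 1,275,000 USD (corrected)")
    for attempt in (lambda: store.append("clerk", "GL-2004-0917", "x"),
                    lambda: store.erase("intruder", "GL-2004-0917")):
        try:
            attempt()
        except WormViolation:
            pass   # refused, and the refusal is now in the audit trail
    return store


if __name__ == "__main__":
    s = demo()
    print("latest:", s.read("auditor", "GL-2004-0917"))
    print("rejected attempts:", len(s.rejected_attempts()), "chain ok:", s.verify_audit())
```

The point of `verify_audit` is that the audit trail itself is a record that must survive unaltered; in a real deployment the trail would be written to the same WORM media as the data so that the media, not the software, enforces the append-only rule.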

Other smart steps to take that ensure compliance with SOX records retention regulations, and avoid the risk of incurring stiff penalties, are to select tape drives and media with the highest reliability ratings. Both MTBF (Mean Time Between Failures) and Head Life Expectancy are longstanding storage industry measurements of drive reliability. For example, the SAIT-1 drives used in GST's tape subsystems and libraries have an MTBF of 500,000 hours and a magnetic head life expectancy of 50,000 hours. Likewise, a good reliability measurement for media is the number of passes a cartridge can endure under heavy usage. The WORM SAIT-1 media is certified for error-free operation for up to 30,000 end-to-end passes.

Sony's WORM drives support both traditional rewritable cartridges and WORM media, facilitating storage policies that dictate when WORM media is to be used and when rewritable cartridges can be used. "Tape continues to be a desirable format for archival storage, and the addition of write-once solutions allows companies to economically meet their storage needs as well as comply with mandates for record storing," noted Fara Yale, Research Vice President at Gartner Dataquest. The SAIT and AIT WORM tape drives and media are designed to meet the SEC's regulatory safety, security, and integrity requirements for electronic storage. Use of WORM media eliminates accidental and intentional erasure of data, enables time and date authentication, and facilitates quick search and retrieval of archived files (most files can be retrieved in about a minute) to support regulatory audits. Managing the backup process and archival media is greatly simplified, and controls and security are strengthened, by selecting a tape backup solution with a high capacity. For many sites, today's high-capacity tape cartridges (up to 1.3 TB of data when using data compression) permit an entire daily backup to fit on a single data cartridge, making it easy to ship that single cartridge to a Disaster Recovery or remote vaulting site each day and simplifying cataloging, labeling, storing, retrieving, and media management.

The Sarbanes-Oxley Act is designed to protect stakeholders -- those with risk tied to an enterprise's performance, which most often includes the organization's shareholders, employees, partners, and customers. Shareholders expect an accurate picture of performance to be delivered in a timely manner. Employees expect continuous operations. Partners, such as financial institutions, require reliable financial reporting and accounting processes. Strategic allies expect delivery of service/products in accordance with contractual agreements. All of these stakeholders are at risk when an organization's financial reporting, controls, and business processes are suspect, inaccurate, or unverifiable. All are served by Sarbanes-Oxley compliance along with associated regulations and oversight organizations.

SOX, however, also provides benefits to the complying organization. The corporate responsibility and increased disclosure directives demand that time, energy, and resources are used to upgrade records management, which often means IT operations. Because storage upgrades of software and devices may have to be installed, and improvements made to backup and archival processes to meet compliance requirements, IT operations will be improving business productivity along with financial and accounting reporting. Everyone benefits.

Once a SOX compliance plan for records backup and retention is developed and implemented, rehearsals and reviews on a regular basis are necessary to ensure that plans continue to meet compliance objectives. Fully working and tested recordkeeping procedures and compliance plans are the best protection for business processes against obsolete practices and the non-compliance that leads to stiff fines and even jail time.

More Stories By David Breisacher

David Breisacher is CEO/Chairman at GST, Inc. GST engineers, manufactures and markets tape backup and recovery solutions that include single and dual-drives, autoloaders and tape libraries with a variety of currently used tape technologies including AIT and SAIT, the only current tape technologies with WORM functionality. In addition to founding GST, David has founded several other successful computer companies, including BCC Technologies, a manufacturer of eServer disk, tape and memory devices. A visionary for the storage industry since the early 90s, David's market insights and predictions guide the research conducted at GST.



Most Recent Comments
Randy Cecrle 02/07/05 03:44:39 PM EST

I would suggest that there are alternatives to WORM, and so are the major database vendors like Oracle.

Ask Oracle whether they believe their Information Life Cycle management strategy can provide the same benefits, plus reduce the migration costs, because migration is just upgrading the database.

Also, do not forget that it is just not the media, but it is also the object type. Can the PDF, JPG, etc. be read 50 years from now in the version it was written to? This is more important than the media.