Does IT Have to Worry about Compliance? (You Bet)

IT bears a big responsibility for corporate compliance. Managing retention, keeping data available, and checking messaging for compliance all fall under IT's domain.

Christine Taylor

June 16, 2009


"Compliance" is a seriously big topic.

  • It crosses electronic and paper lines.

  • It can refer to government regulations, industry requirements, or internal governance.

  • It refers to employee-driven processes as well as records retention.

  • Requirements differ radically in highly regulated industries like finance and healthcare.

Even where we narrow compliance to IT and electronically stored information (ESI), it's still complex. Compliance doesn't just impact email; it also concerns database records, unstructured archives, and storage systems galore.


I see IT's compliance responsibility in 3 broad areas:

  1. Manage retention periods.

  2. Ensure data availability for searches.

  3. Deploy compliance checking for outgoing data.

Manage retention periods

This concern has the broadest scope of the three. To manage compliant retention periods, IT must be aware of both regulatory and industry policies such as SOX or PCI, and corporate policy/internal governance such as deleting all emails after 60 days. Note that the two are not necessarily in sync, and IT has a responsibility for checking corporate policy against regulations. I'm not suggesting that IT turn into the corporate compliance office, but corporate deletion policies must be absolutely consistent, and must still be in compliance with governmental regulations. Remember Arthur Andersen? They had a corporate deletion policy all right, but amazingly enough only applied it to Enron documents. Whoops.

Managing for retention does get tricky, which is why compliance software with built-in and customizable hooks into policies is such a very good plan. For example, eDiscovery vendors StoredIQ and Kazeon both provide compliance hooks as part of their GRC (governance, risk and compliance) capabilities. StoredIQ can also manage retention periods. Another vendor with a compliance option for archives is Mimosa.
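As an added illustration (not code from the article or any vendor named in it), here is a small Python check of the kind IT would run to reconcile a corporate deletion schedule against regulatory minimums, and to refuse deletion while a legal hold is in place. All period values are constructed placeholders, not statutory figures.

```python
from datetime import date

# Constructed sample values, not figures from the article or from any statute.
# Corporate policy says "delete after N days"; regulation says "keep at least N days".
CORPORATE_DELETE_AFTER_DAYS = {
    "email": 60,               # the article's example: delete all email after 60 days
    "financial_record": 365,
    "cardholder_data": 90,
}
REGULATORY_MIN_RETENTION_DAYS = {
    "financial_record": 7 * 365,   # placeholder standing in for a SOX-style rule
    "cardholder_data": 365,        # placeholder standing in for a PCI-style rule
}


def effective_retention_days(record_class):
    """The longer of the corporate and regulatory periods is the one IT must enforce."""
    corporate = CORPORATE_DELETE_AFTER_DAYS[record_class]
    regulatory = REGULATORY_MIN_RETENTION_DAYS.get(record_class, 0)
    return max(corporate, regulatory)


def policy_conflicts():
    """Record classes whose corporate deletion period is shorter than the regulatory
    minimum, i.e. where the two policies are 'not in sync' and need fixing."""
    return sorted(
        cls for cls, days in CORPORATE_DELETE_AFTER_DAYS.items()
        if days < REGULATORY_MIN_RETENTION_DAYS.get(cls, 0)
    )


def may_delete(record_class, created_iso, today_iso, holds=frozenset()):
    """Deletion is allowed only once the effective retention period has elapsed and
    only when no legal hold covers the class: a deletion schedule never overrides a
    hold on records tied to an investigation (the Arthur Andersen lesson)."""
    if record_class in holds:
        return False
    age_days = (date.fromisoformat(today_iso) - date.fromisoformat(created_iso)).days
    return age_days >= effective_retention_days(record_class)


if __name__ == "__main__":
    print("policy conflicts:", policy_conflicts())
    print("email from 2009-01-01 deletable on 2009-06-16:",
          may_delete("email", "2009-01-01", "2009-06-16"))
```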

Ensure data availability for searches

In terms of compliance, this means that potentially relevant data must be reasonably searchable in case of investigations. Tape is acceptable as long as IT can locate and search potentially relevant data within a reasonable time period. What constitutes reasonable? FRCP is whittling that down from months to weeks. Generally, if you keep indexes of what you've got, you'll be all right. Of course, that's saying a lot in some environments. Indexing software will help here. The two vendors I already mentioned index across storage repositories, as does Guidance. So does Index Engines for tape. And of course most ECMs and storage arrays with management features should be able to search their own content for files matching metadata and/or content.

If you are thinking that this is a useful feature for eDiscovery as well as compliance, you're right. Classification technologies often work for both concerns, although it's eDiscovery that gets all the press.

Compliance checking for messaging

Configuring the email server to check for compliance is not difficult, and IT in highly regulated industries should strongly consider doing so. MS Exchange has had these internal tools for years, and Exchange Server 2010 has some rather nice compliance features. Third-party compliance products exist for both Exchange and Domino. For example, a NetApp/Autonomy Zantaz partnership can search Domino archives for eDiscovery and compliance.

Messaging concerns go beyond email archives, of course, particularly checking outgoing emails for compliance. This can get challenging when you are checking not only user-produced emails but also automated messaging from third-party applications such as CRMs. In these cases IT can benefit from looking to email applications that can check for compliance at the edge instead of being limited to a specific email application. ColdSpark, which BakBone recently acquired, is an example of this type of compliant message checking.
