Taking on Corporate Compliance

HP has published a good white paper aimed at IT and corporate best practices around eDiscovery and compliance. It's basic knowledge but that's good when it comes to this particular business need. IT (the profession where I got my start) is made up of a lot of very smart people who are not always conversant with eDiscovery and its implications for compliance.

Let me restate and expand on one section that is near and dear to my heart: managing data for compliance and governance. HP makes the point that you really do need an enterprise technology for managing at this level. Granted they're trying to sell you their own package, but they're absolutely right -- IT really does need technologies that can manage data with hooks into compliance and governance policies, and that can do it across storage infrastructures. The technology alone won't do the trick; you also need to allow for services and business policies around governance. But the technology platform you choose will be crucial in getting the job done.

Interdisciplinary teams of IT and Compliance/Legal builds organizational standards for records management and electronic document handling. The teams put policies and procedures in place to support the standards. For example, IT works with Compliance to determine retention periods for data types according to regulatory and/or internal governance standards. It is then IT's responsibility to observe retention periods, using the eDiscovery/Compliance platform technology to automate migration and deletion schedules.

The technology platform should be able to:

-- Hook into regulatory policies. Common regulatory policies should come straight out of the box with the ability to add and customize at will. This allows companies to use pre-existing regulatory and industry compliance hooks and to add custom governance policies.

-- Records management features. The platform should help IT to define data management and control in terms of business functions. For example, IT would be responsible for data availability and retention periods for audit data, but the internal audit department is responsible for setting compliant retention schedules in the first place. In another example, the internal auditing department wants to reserve access to sensitive audit data based on job role. They communicate this to IT who can set role-based access to protected data. The technology platform should aid both workgroups in this process.

--Messaging management. Email is difficult to manage for compliance, to say the least. As with unstructured data retention management, the platform should marry compliant standards with policy-driven email migration and retention.

-- Indexing. The platform should offer sustainable processes around proactively identifying and collecting information. Indexing is the way to go. Questions that IT should ask about indexing features: 1) can the platform index on both metadata and content, 2) can it store metadata/locations and full text, 3) how much storage space do full text indexes require?

There are more questions to ask of course, including how the platform integrates with eDiscovery and data management processes, how automated it is or isn't, and how it keeps current with changing eDiscovery and compliance standards. Heh, no one said this job is easy -- just that it's worth it.

eDiscovery/Compliance/IT technology platforms to consider include StoredIQ, Kazeon, Guidance, Autonomy. And as you probably guessed, HP (HP TRIM) for a focus on interdisciplinary compliance and records management.