Top Tips for Compliance

From SOX and HIPAA to a deluge of new European regulations, IT managers have more compliance demands than they can handle. Just check out the results of our latest poll. (See Fed Up With Compliance.) At the same time, at least a few claim to be making headway. (See Winning the Compliance Game.)

To see how folk are coping, we at Byte and Switch made the rounds, asking for compliance tips from industry experts and storage managers in the trenches. Below are the results. If you have something to add (or to protest), hit the message board below or email us at [email protected].

Here are the main suggestions we uncovered:

Don't ignore compliance

Tim Hesson, storage manager of Louisville, Kentucky-based Kindred Healthcare, says ITers shouldn't be fooled into thinking they can avoid dealing with compliance just because they're not on the financial side of the business. Hesson, who deals with Sarbanes Oxley and HIPAA in healthcare, says regulators haven't forgotten about data storage, they just haven't quite gotten around to it yet."They've finally found the Fibre cables, now they're going to come into the data center," he says. "They started with financial folks, they've dealt with application folks, and they've already gone through the database administrators. They keep working their way down. They're going to be there. Just know, they are going to come for you."

Start with good advice

With so many rules and regulations on the books and in the works, it's getting harder for companies of any size to stay current. "With multiple state laws and divisions, it can be mind-numbing for companies to keep up with it all," says Bob Mason, CTO of Spanish-language newspaper firm ImpreMedia. His company has found a trusted consultant to filter out the regulations they need to follow and make them aware of any changes.

If a company can't afford a consultant, Mason suggests keeping the focus on federal regulations, which usually encompass the requirements of state laws.

Set up a single IT infrastructureThere is a real danger of IT managers adopting a "silo mentality" in their compliance work, setting up a different IT system for each piece of compliance legislation, sources say. This approach can bring additional cost and complexity into the data center.

Steve Attias, chief information security office of New York Life Insurance, suggests managing compliance as one project rather than starting a new initiative for every rule. "Build programs that will stand up to new regulations."

"You're not going to have a SOX infrastructure, a HIPAA infrastructure, and a Basle II infrastructure," says Jim Kobielus, principal analyst at Current Analysis. "You're going to have one infrastructure that can accommodate all of this."

Investments in identity and access management, security, configuration and change management, and document management, Kobielus says, should be evaluated for their ability to handle multiple compliance requirements, not just one set of requirements.

That said, there's nothing wrong with choosing SOX or HIPAA to be the foundation for future compliance-related IT projects. The idea is to make sure the regulations you choose as the basic model can be adjusted to fit future demands.Pick a point person and a team

Once you know what you have to do, it can help to designate a compliance officer, ideally one capable of addressing both the technology and business impact of the regulations. This compliance officer in turn should assemble a team. Certain individuals should be assigned specific roles, such as monitoring the various compliance processes.

At Byte & Switch's recent StoragePlus event, Karen Johnson, regulatory officer at Indianapolis-based Ascension Health Network, outlined how her team specifically addresses the technology impact of compliance. This, she explained, includes project managers, network engineers with experience on various operating systems, and a "large contingent" of security engineers. (See Hospital Skirts Compliance Meltdown.)

Next Page: Toss the Tape

Toss the tapeThe need to live without tape is demonstrated by the growing list of companies and government agencies that have suffered embarrassing tape snafus. (See The Year in Insecurity, A Tale of Lost Tapes, and NASA Goes to the Dark Side.) Compliance regulations, particularly the new U.S. data privacy laws, are increasing the pressure on firms by imposing stiff penalties for these kinds of breaches. (See NY Data Law Takes Effect.)

"In terms of compliance, it certainly reduces risk if you rely less on tape -- look to avoid it at all costs," explains an IT manager from a financial services firm in the southeastern U.S, who asked not to be named. "A lot of the high-risk data exposures have been backup tapes that have been lost," he warns.

This IT manager explained that his organization has to store email for seven years, after which time the data is destroyed. His group chose an EMC Centerra box over tape for storing this data. (See EMC Growth Continues.) "It doesn't have the expense of tape, or the risks involved in moving tapes from location to location," he explains, though he did not specify how much money he has saved.

Make compliance work for you

Getting your compliance act together can double as a way to organize ILM. According to John Webster, IT's customers for ILM are also the "people managing the company's risk position," such as security officers, compliance officers, corporate attorneys, and auditors. These are the people storage managers can turn to for help with data classification, which in turn can make ILM, and therefore compliance, a lot easier. See Intel Faces ILM Challenge, Users Cite ILM Shortfalls, and Users Self-Destruct on Governance.)To help get things started, Webster suggests, storage managers should examine their firms' existing physical records and use these as a template for ILM. "The idea is that you are going to treat electronic records in the same way that you would physical records," he says. "There are shared security clearances and policies about what people are authorized to see and not authorized to see."

Beyond this, it will be a challenge. This is where forming a dialogue with security officers and corporate attorneys can make the process less painful than some have reported it to be. (See Compliance Remains Elusive Target.)

If necessary, source it out

Some execs believe that outsourcing could be the answer to users' storage compliance woes. A report released last year by Bob Fuller, director of IT at Dresdner Kleinwort Benson, for example, argued that outsourcing could be key to helping financial firms deal with the storage challenges associated with the Markets In Financial Instruments Directive (MiFID), just one a slew of new European regulations. (See EU Compliance Looms for Stateside IT.)

According to the report, released by the MiFID Working Group, the storage process (and associated compliance) could be a good candidate for outsourcing to a specialist third party. A number of end users already rely heavily on outsourced storage, so it may not be such a leap of faith to add compliance to this mix. (See Deutsche Bank Hands IT to IBM and US Dept. of Health Gets SANitized.)The Staff, Byte and Switch