Experts offer advice on compliance

By Michele Hope

After having spent recent years bringing their organizations through large IT initiatives such as Y2K and company-wide ERP implementations, IT managers now find themselves navigating the murky and often uncharted waters of regulatory compliance.

Compliance is an umbrella term that covers a growing onslaught of federal and state regulatory legislation that prescribes how companies should store and maintain their data.

A sampling of such legislation enacted over the past few years includes the Sarbanes-Oxley Act (SOA), Health Insurance Portability and Accountability Act (HIPAA), Department of Defense (DoD) directive 5015.2, E-Sign Act, Uniform Electronic Transactions Act (UETA), and the US Patriot Act.

Many regulations impact the data handling efforts of both publicly traded and private organizations, often in regulated industries such as finance, healthcare, life sciences, and government. But, while it's often clear whether or not most companies are mandated to comply with a specific regulation, should compliance efforts stop at just publicly traded companies or vertical industries with direct legislative mandates?

Some experts and IT managers say, "No," and choose to view current legislation as the equivalent of a legal "best practice" for records retention and data handling efforts that will eventually impact a wide swath of corporate America.

"Even if you're a privately held company, at the very least you should be aware of what the impact of these [regulations] is," says Shaun Mahoney, a Citigroup senior storage engineer who evaluates and recommends compliance-related storage solutions for Citigroup's various IT divisions. "You still need to have your own internal security and audit controls. Outside of those, you're also still responsible for maintaining your data."

Some confusion about the potential impact of compliance initiatives likely stems from the term's ever-broadening definitions. "Compliance can be anything from comporting with an international ISO standard to following company policy," says compliance expert Randolph Kahn, an author and founder of Kahn Consulting, a management consulting firm that specializes in the legal and policy compliance issues of information and information technology.

Peter Gerr, an analyst focusing on storage systems, emerging technologies, and market trends for the Enterprise Storage Group (ESG), also defines compliance to encompass not just federal or industry-specific mandates, but also what he calls "corporately mandated compliance."

Corporately mandated compliance, says Gerr, applies where "organizations may want to implement security or record retention standards for certain types of information assets that are valuable to the company but not required to be retained for federal or industry-specific regulations."

Examples might include an engineering firm that needs to retain its CAD/CAM designs, or a movie production studio that needs to keep a non-erasable, non-rewritable record of its final movie cuts, says Gerr.

So, what does all this mean to IT managers? Most analysts and IT insiders agree it makes sense for executives to educate themselves on compliance issues—regardless of which industry they represent.

The best place to start is often a company's own legal officers or compliance managers. As Kahn says, "Technology people build really great technology, but what you need to do is put the lawyers and the technology people in the same place to ensure the technology is good enough to deal with the compliance issue."

After studying various rulings and consulting with both Citigroup's lawyers and a variety of vendors, Mahoney offers this caveat: "Be as proactive as possible to understand the impact of these regulations. Many of them are very vague."

Mahoney goes on to offer the following advice: "A lot of the vendors offer smoke and mirrors. When they say they have a certified solution, keep in mind that the SEC doesn't certify solutions. I discovered that the actual rulings were very different from what I was hearing from the vendors."

Analyst Gerr concurs: "IT managers should be wary of vendor claims of having a 'compliant solution.' While there are exceptions such as the DoD's 5015.2 regulation—which includes a testing and certification process for vendors—there is no certification for compliance," he says.

Mahoney recommends looking at vendors with established track records that support open standards. He advises a close look at vendors that work together on solutions, and he says the product market aimed at Sarbanes-Oxley compliance, for example, is not yet mature enough for any one vendor to offer an all-encompassing solution.

"There's no one vendor that does everything well in this space," says Mahoney. "I don't see a lot of these solutions maturing enough to meet the Sarbanes-Oxley guidelines in time."

ESG's Gerr agrees that no one solution will likely fit the bill. "It requires partnering, integration, and cooperation between vendors," he says.

Jamie Gruener, a senior analyst with the Yankee Group consulting firm, offers this input when evaluating compliance products: "I would gauge vendors' products based on their technology, support of open standards, ISV support, and professional services. I think you will also see new relationships this year between storage vendors and vertical market specialists who understand the compliance issues of specific vertical industries."

Analysts say that the vendors that are somewhat ahead of the pack in compliance are EMC (for its Centera offering) and Network Appliance (for its NearStore product line). A few analysts have added IBM to the list because of its recently announced compliance offerings, including the integrated TotalStorage Data Retention 450 (see the sidebar "IBM takes the sting out of compliance").

Also gaining new channel awareness are products from software categories such as document management, content management, data archiving, instant message archiving, and policy-based storage resource management (SRM). On this front analysts cite vendors such as Akonix, Arkivio, CommVault, Documentum, FaceTime, FileNet, IXOS, KVS, Legato, and Signiant.

Why so much emphasis on software? For one thing, you need a reliable way of enforcing specific retention periods, says Citigroup's Mahoney. "Companies are going to have to take a hard look at document management solutions and policy-based SRM products. This is also where ILM [information life-cycle management] fits in. You can deploy a solution, but you need to understand your data first."

What else should you look for when evaluating compliance-oriented solutions? According to Mahoney, you need to start thinking about how you will handle data migration issues and traditional product life cycles. For example, if you buy a system on a three-year lease and it's meant to be a compliant system, you need to ask yourself, "How do I move the data to a new system once the lease expires and still maintain that compliant system?"
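The two requirements raised above, enforced retention periods with non-erasable, non-rewritable records, and moving that data to a replacement system without breaking either guarantee, are concrete enough to show in code. The following is an added illustration written for this page; it is not code from the article or from any vendor product it names. The store and record names, the explicit `now` clock arguments, and the seven-year retention period are assumptions chosen for the example.

```python
# Added illustration, not code from the article or any vendor it names.
# Store/record names and the explicit `now` clock arguments are assumptions.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Record:
    record_id: str
    content: bytes
    sha256: str             # digest fixed at write time, re-checked on every move
    retain_until: datetime  # earliest moment deletion is permitted


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RetentionStore:
    """Write-once store: an id is never overwritten, and a record cannot be
    deleted before its retain_until (non-erasable, non-rewritable)."""

    def __init__(self) -> None:
        self._records: dict[str, Record] = {}

    def write(self, record_id: str, content: bytes,
              retain_for: timedelta, now: datetime) -> Record:
        if record_id in self._records:
            raise PermissionError(f"{record_id}: exists; records are non-rewritable")
        rec = Record(record_id, content, digest(content), now + retain_for)
        self._records[record_id] = rec
        return rec

    def import_record(self, rec: Record) -> Record:
        """Accept a record from another store, keeping its original digest and
        retain_until. The bytes are re-hashed so a corrupted copy is rejected."""
        if rec.record_id in self._records:
            raise PermissionError(f"{rec.record_id}: already present in target")
        if digest(rec.content) != rec.sha256:
            raise ValueError(f"{rec.record_id}: content does not match stored digest")
        self._records[rec.record_id] = rec
        return rec

    def delete(self, record_id: str, now: datetime) -> None:
        rec = self._records[record_id]
        if now < rec.retain_until:
            raise PermissionError(f"{record_id}: retained until {rec.retain_until:%Y-%m-%d}")
        del self._records[record_id]

    def get(self, record_id: str) -> Record:
        return self._records[record_id]

    def records(self) -> list[Record]:
        return list(self._records.values())


def migrate(source: RetentionStore, target: RetentionStore) -> list[str]:
    """Copy every record to target, read it back, and confirm the digest and
    the original retain_until survived. Returns the verified ids; the source
    is decommissioned only once this list covers every record."""
    verified = []
    for rec in source.records():
        target.import_record(rec)
        copy = target.get(rec.record_id)
        if copy.sha256 != rec.sha256 or copy.retain_until != rec.retain_until:
            raise ValueError(f"{rec.record_id}: target copy differs from source")
        verified.append(rec.record_id)
    return sorted(verified)


def demo() -> dict:
    """The article's scenario: a record written on a three-year lease, still
    under a seven-year retention period when the lease ends and data moves."""
    t0 = datetime(2004, 4, 1, tzinfo=timezone.utc)
    old = RetentionStore()
    old.write("email-0001", b"constructed sample message body", timedelta(days=7 * 365), t0)
    results = {}
    try:
        old.write("email-0001", b"altered body", timedelta(days=1), t0)
    except PermissionError:
        results["overwrite_blocked"] = True
    lease_end = t0 + timedelta(days=3 * 365)
    try:
        old.delete("email-0001", lease_end)
    except PermissionError:
        results["early_delete_blocked"] = True
    new = RetentionStore()
    results["migrated"] = migrate(old, new)
    results["retention_preserved"] = (
        new.get("email-0001").retain_until == old.get("email-0001").retain_until)
    # A copy whose bytes changed in transit carries a digest that no longer matches.
    bad = Record("email-0002", b"bit-flipped", digest(b"original"), lease_end)
    try:
        RetentionStore().import_record(bad)
    except ValueError:
        results["tampered_copy_rejected"] = True
    # Once retention has actually run out, deletion from the new system succeeds.
    new.delete("email-0001", t0 + timedelta(days=7 * 365))
    results["records_left_after_expiry"] = len(new.records())
    return results


if __name__ == "__main__":
    print(demo())
```

The point the migration function makes is the one Mahoney raises: the replacement system must inherit each record's original retention end date rather than restarting the clock, and the source should be released only after every record has been read back from the target and its digest verified. A real deployment would also write the migration log itself as a retained record and enforce the delete check below the application, in the storage layer, so that an administrator cannot bypass it.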

Michele Hope is president of Data Concepts, a consulting and technical communications firm in Phoenix. She can be reached at michelehope@earthlink.net.

This article was originally published on April 01, 2004