Compliance: Process takes center stage

By Michele Hope

Most IT organizations impacted by the Sarbanes-Oxley Act (SOX) have had more than nine months to work out the kinks in their efforts to comply with SOX Section 404, which went into effect last November. The law applies to US publicly traded companies with market caps exceeding $75 million and requires management to assess, report, and sign off on the effectiveness of their company’s internal controls with regard to financial reporting. Publicly traded small to medium-sized businesses (with market caps less than $75 million) and foreign companies that are listed on US stock exchanges were recently given a breather when the SEC extended the Section 404 compliance deadline to July 15, 2006.

Intended as a means to enforce good corporate governance, SOX is also rumored to be heading toward privately held companies: compliance practices are expected to apply to firms that anticipate a future acquisition or IPO, and to companies seeking venture capital or loans from more-traditional lenders.

A large part of assessing the effectiveness of internal controls associated with SOX falls squarely on the shoulders of IT organizations. In many cases, IT has been required to methodically analyze, document, and assess how well it is running SOX-related processes surrounding application access and security, access to IT resources, and the management and storage of its data.

For storage professionals, the SOX Section 404 spotlight tends to focus more specifically on storage management processes surrounding data security, data access, data protection (backup, recovery, replication, etc.), disaster recovery, and data retention or archiving, according to James Damoulakis, CTO of GlassHouse Technologies, a storage services consulting firm that offers a storage compliance readiness assessment practice for IT organizations.

Damoulakis also notes a focus on storage processes related to change management, storage provisioning, and allocation of disk space. “What auditors are looking for is: a) That you’re making a solid, good faith effort to comply, b) You’ve got some sort of documentation or written policy to support that, and c) You have some type of evidence and reporting mechanism that indicates you are following the policies you’ve documented,” says Damoulakis.

A number of large and small storage vendors have done their best to offer new compliance versions of their products that typically package software and/or hardware as a means to ease IT compliance efforts. According to Damoulakis, solutions involving everything from secondary disk storage to e-mail archiving and disk- and tape-based WORM technology have been touted as compliance or data-retention solutions. And, while many of these have merit, he asserts that most vendors typically can’t offer what IT really needs: the underlying processes to follow that ensure passing a SOX audit.

Enterprise Strategy Group (ESG) analyst Brian Babineau reiterates this point. “Sarbanes-Oxley compliance is not really a technology discussion,” he says. “A documented process is much more important right now than learning whether or not you replicated or used Veritas NetBackup.” Instead, he says, IT organizations would do better to start by defining their corporate governance policies around a given set of regulations, then identifying the processes they need to have in place to support them. Only after this work is done can IT focus on the specific technologies and solutions that could help them support their compliance efforts.

Taking steps toward compliance

ESG’s Babineau says that one area of SOX compliance for storage resource management groups involves conducting regular reviews and audits of areas like system access and security. IT groups can also expect auditors to place special emphasis on audit trails that will help them gain quicker answers regarding the effectiveness of IT processes, including who accessed a specific system or piece of data, and when it was accessed.

“Consistently having that review cycle of the audit trails, the security audit trails, and the event logs should be a main part of everyday business right now,” Babineau advises, noting that this ongoing process should ultimately take no longer than eight hours to perform, maybe less.

Dwayne Bates, a vice president and network services manager at Salem, OR-based West Coast Bank, might beg to differ with that 8-hour estimate. West Coast Bank has several terabytes of digital check images and other bank data stored on two Dell/EMC Clariion networked storage systems, with one housed at its Salem headquarters and the other about 45 miles away at its Wilsonville loan operation center. The bank also plans to replicate data from Salem to Wilsonville and archive it for compliance on an EMC Centera system.

Bates claims that compliance-related process documentation, testing, tracking, and reporting now take up about 50% of his IT team’s time. He says the bank’s internal audit team also comes in periodically, performing spot-checks to see what reports they are running and when they run them, and then compares them against the bank’s documented procedures. The internal audit team also looks carefully at what type of information is being stored on the bank’s SANs.

“What takes most of the time is just your general review of reporting,” Bates explains. “It’s keeping up with the nuance of things changing, like the latest phishing e-mail. You have to continually look at the reporting to see what’s going on. It’s looking to see if you’ve got a problem [and] learning how to avoid having a problem in the first place.”

Testing/auditing storage processes

IT and storage professionals seeking more-specific guidance on how best to demonstrate effectiveness of SOX-related IT processes have turned to company lawyers, compliance officers, and internal and external auditors to help them further define how far they should go in their efforts. Many have also developed their own SOX compliance plans based on a commonly accepted SOX-related IT framework known as COBIT (Control Objectives for Information and related Technology), issued by the IT Governance Institute.

COBIT allows IT groups to systematically assess effectiveness of IT controls, based on a breakdown of 34 distinct IT processes. It also offers suggested testing exercises that can help IT groups conduct ongoing self-audits, monitoring and reporting on the effectiveness of each process.

“Although it’s not a fun experience, I advise picking up a copy of the 100+ page COBIT framework and reading it. Then, work with the law department to make the language a technical reality,” says Randolph Kahn, Esq., founder of Chicago-based Kahn Consulting Inc. and author of Information Nation Warrior.

According to GlassHouse’s Damoulakis, current practice among storage teams involves tracking SOX-related audit trails by mixing manual tracking efforts with more automated reporting, auditing, or SRM tools. He states that current tools available to perform the level of process auditing required are not always up to the challenge, however.

When performing SOX audit reporting around the effectiveness of backup-and-restore activities, for example, Damoulakis sees relatively weak functionality currently available from most backup applications. Instead, most users end up capturing log data themselves and populating Excel spreadsheets, although he notes some have also begun to take advantage of more-specialized backup reporting tools available from vendors such as Aptare, Bocada, and SysDM.

Bocada offers a SOX white paper for storage managers on practices for complying with auditor requests about their organization’s data-protection processes. In the paper, Bocada describes a few customer cases where SOX audits were performed on a large investment bank and an insurance company. For the investment bank’s data-protection efforts, auditors tended to focus on whether the organization could provide auditable trails proving its data was being both backed up and restored successfully. Auditors also asked to see random samples of servers or clients that showed the data had been backed up or could be properly restored.

In the case of the insurance company, the storage management team was faced with SOX-related audits every 30 days, from both internal and external auditors. To help it stay on top of these audits, the team produced its own SOX checklist that tracked and tested the effectiveness of eight backup/restore processes. These included how it secures and authorizes access to backup tools and physical backup media, the steps it follows to perform automated backups, how it handles restore requests via the company’s in-house incident management system, and the specific process followed for backing up new or changed data. The team also documented the process it followed to identify and resolve incomplete or failed backup jobs, and the quarterly backup audits it performed to ensure all servers were being backed up regularly.
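The evidence the auditors in both cases asked for (proof that data was backed up and restored, a list of failed or partial jobs, and a periodic check that every server in scope actually has a recent backup) is exactly what Damoulakis describes teams pulling out of log files by hand into Excel. The script below is an added example, not code from the article, from Bocada, or from any backup product named in it; it shows how that spreadsheet can be generated from job logs instead of typed. The log line format, the server names, and the in-scope list are constructed for illustration; a real deployment replaces `parse_line` with a parser for its own backup application's log and takes `IN_SCOPE` from the change-management database or CMDB, because a server that was never enrolled for backup will not appear in the backup log at all.

```python
"""Backup/restore evidence report built from backup job log lines.

Added example (not from the article or any vendor it mentions). The log
format, hostnames and in-scope list are hypothetical and constructed here.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
#   <ISO timestamp> <BACKUP|RESTORE> client=<host> status=<S> bytes=<n> [extra]
SAMPLE_LOG = """\
2005-07-25T01:05:12 BACKUP client=fin-db01 status=OK bytes=48211231
2005-07-25T01:07:40 BACKUP client=fin-app02 status=FAILED bytes=0 err=media
2005-07-26T01:04:03 BACKUP client=fin-db01 status=OK bytes=48390011
2005-07-26T01:08:55 BACKUP client=fin-app02 status=OK bytes=1032041
2005-07-26T14:22:10 RESTORE client=fin-db01 status=OK bytes=20481 ticket=INC-1042
2005-07-27T01:04:10 BACKUP client=fin-db01 status=PARTIAL bytes=10003
2005-07-27T01:09:01 BACKUP client=fin-app02 status=OK bytes=1050221
"""

# Servers that must have a backup. Assumption: this list is sourced from the
# CMDB/change-management system, not derived from the backup log itself.
IN_SCOPE = ["fin-db01", "fin-app02", "fin-web03"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>BACKUP|RESTORE) client=(?P<client>\S+) "
    r"status=(?P<status>\S+) bytes=(?P<bytes>\d+)(?: (?P<rest>.*))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
    e["bytes"] = int(e["bytes"])
    return e


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def backup_evidence(events, in_scope, as_of, max_age_days=1):
    """Per in-scope server: last successful backup, non-OK backup jobs,
    restores performed, and whether the server has a coverage gap as of `as_of`.
    Anything other than status=OK (FAILED, PARTIAL, ...) counts as a failed job."""
    last_ok = {}
    failures = defaultdict(list)
    restores = defaultdict(list)
    for e in events:
        c = e["client"]
        if e["kind"] == "RESTORE":
            restores[c].append(e)
        elif e["status"] == "OK":
            if c not in last_ok or e["ts"] > last_ok[c]:
                last_ok[c] = e["ts"]
        else:
            failures[c].append(e)
    report = {}
    for c in in_scope:
        ok = last_ok.get(c)
        stale = ok is None or (as_of - ok) > timedelta(days=max_age_days)
        report[c] = {"last_ok": ok, "failed_jobs": len(failures[c]),
                     "restores": len(restores[c]), "gap": stale}
    return report


def report_csv(report):
    """The spreadsheet auditors ask for, generated rather than hand-typed."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["server", "last_successful_backup", "failed_jobs",
                "restores_tested", "coverage_gap"])
    for c, r in sorted(report.items()):
        w.writerow([c, r["last_ok"].isoformat() if r["last_ok"] else "",
                    r["failed_jobs"], r["restores"], "YES" if r["gap"] else "no"])
    return buf.getvalue()


def run_sample():
    """Build the report over the constructed log as of 09:00 on 2005-07-27."""
    return backup_evidence(parse_log(SAMPLE_LOG), IN_SCOPE,
                           datetime(2005, 7, 27, 9, 0, 0))


if __name__ == "__main__":
    print(report_csv(run_sample()))
```

Two details matter for the audit rather than the code. A PARTIAL job is treated as a failure, so fin-db01's coverage goes stale even though a job ran that night; a report that only counted "did a job run" would hide that. And fin-web03 appears in the report with no backups at all only because the in-scope list came from outside the backup log; that is the quarterly "are all servers being backed up" check the insurance company's team performed, and it cannot be answered from the backup tool's own reports.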

Transforming IT habits

Munder Capital Management, a registered investment advisory firm based in Birmingham, MI, has had to make a number of IT concessions to comply with SOX and other SEC-related legislation. According to Mike Dufek, Munder’s director of information services, the firm spent time upgrading its storage architecture to comply with regulations that required effective recovery of critical client data. Although Munder could have continued to perform restores from backup tapes, the firm decided it wanted more-rapid recovery since it needed to respond to sudden market moves as quickly as possible.

Dufek says the firm ultimately decided on a faster, disk-based network storage architecture from Compellent. Now, using a 23TB SAN at the primary data center and a second, 10TB system at Munder’s remote disaster-recovery site, the investment firm is able to mirror its critical operational and regulated client data either synchronously or asynchronously between the two sites.

While Munder still uses tape copies as a final archive for compliance, Dufek notes that his current recovery process bears no resemblance to the firm’s prior tape-based process. “Before the SAN, we had to rely on tape to do our restoration,” Dufek explains. “It would take anywhere from a day to a week to recover all we had that was deemed critical. Since we moved to the Compellent SAN, 99% of the data we have can be recovered in minutes.” Dufek indicated that he can also use the system to replicate as much as a 40GB data volume in less than 10 minutes.

Dufek says that his team now performs fairly frequent, documented audits and tests of the effectiveness of Munder’s disaster-recovery and replication processes. This is all part of the firm’s effort to demonstrate its ongoing compliance with regulations, says Dufek. Often, the company will use a testing form in Microsoft Excel that indicates a series of points that need to be tested. That file will then be attached as a reference in the firm’s change management database, which also tracks changes made to their IT systems and processes.

When it comes to disaster-recovery testing, Dufek says the company frequently breaks the replication to see if they can bring up the mirror from the off-site disaster-recovery location. While moving the data over is a flawless exercise, he claims the other parts of the tests, such as the steps involved in bringing processes back up, take the most time. This often involves testing against data at the primary site first thing in the morning, getting a baseline, then bringing the system up at the other site, and testing against that baseline. “That tends to be quite intensive,” says Dufek, “but what’s the downside if you don’t do that level of process testing? I don’t think of our compliance efforts as how much more time it takes me than it did before. It’s just become the norm.”
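The baseline-then-compare step of that test can be turned into a piece of evidence that attaches to the change ticket. The script below is an added example, not Munder's procedure or any Compellent feature: it records a manifest of per-file SHA-256 digests and sizes at the primary site before replication is broken, then checks the copy brought up at the DR site against it and reports files that are missing, extra, or changed. The two "sites" here are constructed in-memory dictionaries so the block runs offline; `manifest_from_dir` does the same walk over a real mounted volume. The file names and contents are invented.

```python
"""Baseline-and-compare check for a replicated volume.

Added example (not from the article, Munder, or Compellent). Sample data
is constructed; on real storage, point manifest_from_dir() at the mount.
"""
import hashlib
import json
import os

CHUNK = 1 << 20  # hash in 1 MiB pieces so multi-GB files never load into RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_from_dir(root):
    """Walk a real directory tree: {relative_path: {"sha256", "size"}}."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return out


def manifest_from_tree(tree):
    """Same shape as manifest_from_dir, from an in-memory {path: bytes} dict."""
    return {p: {"sha256": hashlib.sha256(b).hexdigest(), "size": len(b)}
            for p, b in tree.items()}


def compare(baseline, candidate):
    """Diff two manifests. 'ok' is True only when nothing is missing,
    extra, or different; a stale or torn replica fails on content, not just names."""
    base_paths, cand_paths = set(baseline), set(candidate)
    missing = sorted(base_paths - cand_paths)
    extra = sorted(cand_paths - base_paths)
    mismatched = sorted(p for p in base_paths & cand_paths
                        if baseline[p]["sha256"] != candidate[p]["sha256"])
    return {"missing": missing, "extra": extra, "mismatched": mismatched,
            "ok": not (missing or extra or mismatched)}


def fingerprint(manifest):
    """One digest over the whole baseline, recorded in the change ticket so the
    baseline used for the test can itself be verified later."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


# Constructed sample: the primary volume at baseline time, and a DR copy
# whose replication was interrupted before the morning's last writes landed.
PRIMARY = {
    "ledger/2005-07-26.dat": b"trade,ACME,100,42.10\n",
    "ledger/2005-07-27.dat": b"trade,ACME,250,42.35\n",
    "positions/eod.dat": b"ACME,350\n",
}
DR_STALE = {
    "ledger/2005-07-26.dat": b"trade,ACME,100,42.10\n",
    "positions/eod.dat": b"ACME,100\n",   # pre-update value
    "positions/eod.dat.tmp": b"",         # leftover from an interrupted write
}


def run_sample():
    """Compare the stale DR copy against the primary baseline."""
    return compare(manifest_from_tree(PRIMARY), manifest_from_tree(DR_STALE))


if __name__ == "__main__":
    base = manifest_from_tree(PRIMARY)
    print("baseline fingerprint:", fingerprint(base))
    print(json.dumps(run_sample(), indent=2))
```

The manifest comparison only proves the bytes arrived; it says nothing about whether the applications come back up on the DR side, which Dufek identifies as the slow and important part of the test. Treat the manifest and its fingerprint as the "data moved over" line item in the Excel test form, with the application bring-up steps recorded separately against the same change ticket.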

According to Kahn, today’s IT professionals are now faced with transforming themselves from the core task of monitoring data, systems, and the flow of information into a more compliance-centric approach that anticipates the larger implications of their daily activities. “Any technology professional today, tasked with managing a system that will ever be reviewed or called in to question in the context of litigation or auditing, has incentive to review whether or not the security or controls around that piece of technology are sufficient,” says Kahn, noting that this new breed of IT professional will be used to interfacing with business executives and legal professionals as a matter of common practice in doing their job.

Why is there such a strong emphasis on process documentation and ongoing reporting for SOX compliance? It all comes down to proving a good-faith effort toward strong corporate governance, claims Kahn. “Businesses have to have documentary evidence of the good things they do in order to demonstrate to a regulator or court that they are a good corporate citizen. If you document your security processes and can show that the employees follow them, it shows an auditor that not only did you have reasonable policies in place, but also that you’re following those policies.”

Michele Hope is a freelance writer. She can be reached at mhope@thestoragewriter.com.

Fight the urge to buy into the ‘SOX in a BOX’ solution

(excerpted from Information Nation Warrior, by Randolph Kahn and Barclay Blair)

Sarbanes-Oxley compliance requires a new perspective that has more to do with adjusting business and accounting practices than any technology implementation. While there are legitimate reasons for “fear, uncertainty, and doubt” around SOX, be wary of software products with exaggerated claims of solving all of your SOX compliance needs.

Before considering an IT solution to address SOX information management compliance (IMC) issues, ask the following:

  • Does the organization devote the proper resources to managing information? Is there someone like a chief compliance officer who has leverage to ensure requirements are met?
  • Are processes in place to reliably audit and document information security measures to ensure the immutability of company records?
  • Are financial reporting and disclosure methods accurately tracked and audited to back up executive certification of annual and quarterly reports and internal controls?
  • Can existing software be tweaked to handle the organization’s compliance needs, rather than investing in a new software package?

There are situations where new IT solutions may be the only way to address SOX compliance. Real-time reporting to investors or tracking disclosure methods with audit trails for proper documentation, for example, may require investing in new technology.

However Sarbanes-Oxley impacts your organization, it is important to view technology as one tool in the SOX toolkit, but not to see it as the Swiss Army knife that can do it all. Organizations should pay just as much, if not more, attention to the non-technical means of relieving SOX headaches.

This article was originally published on August 01, 2005