Digital Data Archiving - "Nice to Have or Need to Have?" - For ISACA Presentation
Introduction: AXS-One
• Established over 28 years ago
• AMEX listed for over 10 years
• Prestigious established customer base within Financial Services, Pharmaceutical, Manufacturing, Transportation, Logistics and other industries for 10+ years
A glossary of terms …
What is digital data?
digitize [dij-i-tahyz], verb (used with object), -tized, -tizing. Computers. 1. to convert (data) to digital form for use in a computer. 2. to convert (analogous physical measurements) to digital form.
What is archiving?
archive [ahr-kahyv], noun, verb, -chived, -chiving. 1. Usually, archives. documents or records relating to the activities, business dealings, etc., of a person, family, corporation, association, community, or nation. 2. archives, a place where public records or other historical documents are kept. 3. any extensive record or collection of data: The encyclopedia is an archive of world history. The experience was sealed in the archive of her memory. –verb (used with object) 4. to place or store in an archive: to vote on archiving the city's historic documents.
A glossary of terms … Source: Merriam-Webster Online Dictionary
“Governance is about leadership, financial and operational management standards adhering to international best practices. The need for compliance with external regulatory requirements and heightened awareness over information security has meant a requirement to plan policies on how to use IT effectively across the whole organization. Creation of specific governance committees and ROI evaluation to identify which solutions will deliver value are key steps.” Source: Computerworld, 25 March 2005
Adoption of best practices will result in compliance and good governance!
If you have any of these solutions implemented …..
• The core systems required to run your business, usually stored in an RDBMS
• Designed to enable the consolidation of structured data from various disparate systems for reporting and analytics across the organization
• DOCUMENT MANAGEMENT SYSTEM: Designed to enable the tracking of documents as they go through various iterations and are handled by different people
You will also be experiencing these problems ….
• Access Time − Increasing
• Search Time − Increasing
• Memory Problems (RDBMS) − Increasing
• Backup Times − Increasing
• Maintenance Windows − Decreasing
• Database Handling − More Complex
• Document Handling − Outward Image Storage (POs) − Inward Image Storage (Supplier Invoices)
The ongoing challenges for IT are …..
• Leveraging technology investments to date … while ensuring operational efficiencies …
• Managing storage and associated infrastructure costs
… considering governance and compliance …
Identifying, tracking, retaining and accessing information … a compliance issue
… understanding that …..
Corporate officers, legal counsel, CFOs, CEOs, CIOs and middle managers will be held accountable for records management failures – by investors, shareholders, statutory and regulatory bodies. This compliance risk goes to the heart of an organisation’s policy, statutory, legal and regulatory obligations and the effectiveness of its internal policies, procedures and controls, using technology as an enabler.
Is back-up good enough?
[Architecture diagram, components shown: Financials, SCM, DMS, Other Apps, CRM (Siebel), Internet; Data & Transaction Data; Documents (Filenet/Documentum); Router, Firewall, Mail Gateway, Firewall; Email and/or File Server; Storage Devices: Disk/Tape/Jukebox/SAN/NAS]
Not anymore … While some problems may be solved with backups …. others have been created …
Problems that backups can address:
• Access Time − Can be managed by taking older data offline
• Search Time − Can be managed by taking older data offline
• Memory Problems (RDBMS) − Can be managed by taking older data offline
• Backup Times − Can be managed by taking older data offline
• Maintenance Windows − Can be managed by taking older data offline
• Database Handling − Can be managed by taking older data offline
• Document Handling − Can be managed by taking older documents and images offline
Problems that backups create:
• Access Time − Increased complexity in retrieving current and historical data − Increased costs in retrieval of historic information from tape
• Search Time − Increased complexity in searching across current and historical data
• Maintenance Windows − Who manages the retention and destruction of the data in accordance with internal policy and external statutory, legal and regulatory requirements?
• Document Handling − Who manages the retention and destruction of the data in accordance with internal policy and external statutory, legal and regulatory requirements?
Why are these issues critical?
Data Retention/Management/Destruction
• 65% of companies lack e-mail retention policies and procedures
• 94% of companies fail to retain & archive instant messages (Source: Osterman Research)
• 33% of senior executives and subject matter experts interviewed said their company had no policy in place around digital data and 20% did not know. (Source: “Rules about to change in e-discovery game”, Nov 2006)
Data Retrieval
• 71% of organizations have been required to search through back-up tapes to retrieve one or more electronic records in response to a request from legal, HR, …
• 39% of organizations have been ordered by a court or regulatory body to produce employee e-mail (Source: Osterman Research)
Why are these issues critical?
Data Retrieval (cont’d)
• 36.4% of senior executives and subject matter experts interviewed said their companies had no technologies or policies in place to manage a legal discovery order involving electronic records
• Companies with annual revenues greater than US$1 billion are sometimes juggling as many as 147 lawsuits simultaneously
• Companies with annual revenues less than US$1 billion are sometimes juggling up to 37 lawsuits simultaneously
• One third of firms surveyed spend 2% of gross revenues on litigation expenses, while 10% spend over 5% of gross revenues. (Source: “Rules about to change in e-discovery game”, Nov 2006)
Data Supervision
• 50% of workplace IM users send/receive risky content including attachments, jokes, gossip, confidential info, porn, etc. (Source: Osterman Research)
Why are these issues critical?
Retention, Management, Retrieval and Disposition ……. in HK
• HK Companies Ordinance of 1984: “every company must keep proper books of account … preserved for seven years from the end of the financial year to which the last entry made or matter recorded in them relates.”
• Inland Revenue Ordinance of 1977: “must retain such records for a period of not less than seven years after the completion of the transaction”
• Personal Data (Privacy) Ordinance of 1995: “A data user has a duty to comply with a valid data access request not later than 40 days after receiving that request. Difficulty in searching through records (whether electronic or otherwise) is not regarded as a good excuse for failing to meet the timetable.”
Why are these issues critical?
Retrieval, Search and Destruction ……. in HK
• Basic Law, the rules of court procedure in Hong Kong of 1990: “if the parties and their legal advisers do not adopt a 'sensible and responsible approach in dealing with discovery', they face cost penalties meted out by the Court”
• The Electronic Transactions Ordinance of 2004: "Without prejudice to any rules of evidence, an electronic record shall not be denied admissibility in evidence in any legal proceeding on the sole ground that it is an electronic record"
• HKMA Supervisory Policy Manual: “ensure that all media are adequately protected, and establish secure processes for disposal and destruction of sensitive information in both paper and electronic media”
Why are these issues critical?
Retention, Management, Retrieval and Disposition … elsewhere
• Japan: A version of Sarbanes-Oxley is due to be released in Japan before the end of 2006
• Australia: Attorney-General Rob Hulls said Victoria will be the first State to create a specific document destruction offence whereby a corporation and its employees can be prosecuted in circumstances where there was no direct instruction to destroy a document but it was implied by the corporation’s culture. “In addition to a jail term, individuals can be fined up to $62,886 and corporations can be hit with a $314,430 fine.”
• US: On December 1, 2006, several amendments to the Federal Rules of Civil Procedure regarding a company’s duty to preserve and produce electronically stored information in the face of litigation, or pending litigation, are scheduled to take effect.
Why are these issues critical?
Operational Risk Mitigation … [Source: Wall Street Journal Asia, 13 Feb 2006]
So what does all of this mean?
Let’s get back to the basics of the business process from a non-digital perspective, and ask yourself the following questions:
1. Who is the owner of the business process?
2. Who is the owner of the data being stored?
3. How often will the “data owner” or other interested parties need access to this data?
4. How long does this data need to be kept?
5. Who is responsible for the destruction of this data?
So why should IT be responsible for the storage, management, access and destruction of this data, when all they have done is provide technology tools to enable the automation of the above “traditional” business process?
So what does all of this mean? ARCHIVE !!
Archiving solutions should solve the BUSINESS of digital data retention, management, retrieval and disposal using TECHNOLOGY as AN ENABLER …
[Architecture diagram, components shown: Financials, ERP, DMS, Other Apps, Instant Message (IM), Internet; Data & Transaction Data; Documents (Filenet/Documentum); Router, Firewall, Mail Gateway, Archive Server, Firewall; Storage; Archiving Process; Email and/or File Server; Retrieval Process; Web Server]
ARCHIVE for Operational AND Business Benefits
Message Management: Lotus Notes, MS Exchange, IM
250 File Types: Word Docs, Adobe PDF, PowerPoint, Excel, Text Reports, PCL 5, AFP, Meta Code, EBCDIC Text
Object Types: Voice, Video, IP Traffic
Policy Driven Archiving: • Compress • Single Instance • Index • Shortcut/Stub • Search • Categorise • Disclose • Share • Retain/Delete • Case Management • Supervise
To benefit the business: • Storage optimisation • Migration/consolidation of data • Operational efficiencies • Compliance • Future Proof • Knowledge exploitation
Common Myths/Misconceptions about ARCHIVING
• Compliance is a costly exercise
• I need separate solutions to manage all of my corporate data
• Archiving will enforce/enhance our risk management strategy
• The main driver for compliance activities is the fear of the consequences of non-compliance
• There are no strategic solutions available in the marketplace – just point solutions
• Corporate governance encompasses regulatory compliance, legislative compliance and adhering to internal policies
• The only positive consequence of being compliant is staying out of jail
ARCHIVE solutions come in different forms …
Enterprise Content Management (ECM) is any of the strategies and technologies employed in the information technology industry for managing the capture, storage, security, revision control, retrieval, distribution, preservation and destruction of documents and content. ECM especially concerns content imported into or generated from within an organization in the course of its operation, and includes the control of access to this content from outside of the organization's processes.
Information Lifecycle Management refers to a wide-ranging set of strategies for administering storage systems on computing devices. Specifically, four categories of storage strategies may be considered under the auspices of ILM:
− Policy
− Management
− Operational
− Infrastructure
Source: www.wikipedia.com
ARCHIVE solutions come in different forms …
Records Management is the practice of identifying, classifying, archiving, preserving, and sometimes destroying records. ISO 15489:2001 defines records management as, "The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records". Source: www.wikipedia.com
“Companies should look for solutions to support multiple regulations and multiple business units” Source: Business Wire, 12 December 2005.
“Through 2008, investment in new technologies will slow as discretionary budgets are diverted to regulatory compliance projects”.
ARCHIVE with Retention and Disposition Rules

Category:     Finance          HR              Personal    Unknown
              • Invoice        • Sick Leave    • Home      • Scanned
              • Purchase Order • Annual Leave  • Lunch
              • Payable        • Resume        • Joke
              • etc            • etc           • etc
Retention:    • 7 Years        • 12 Months     • 30 Days   • Indefinite
Destruction:  • Tape           • Disk          • Disk      • Disk
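The retention table above is the kind of rule set an archive applies on every disposition run. The following evaluator is an added example, not code from the AXS-One deck or its product: it encodes the four categories and their retention periods (7 years, 12 months, 30 days, indefinite), treats any unclassified record as Unknown so nothing unrecognised is ever destroyed by accident, and honours a legal-hold flag (an assumption, modelling the duty to preserve data in the face of litigation mentioned earlier in the deck). The Record layout, the sample records and all function names are assumptions.

```python
"""Retention and disposition rule evaluator (added example, not the deck's own code)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention periods transcribed from the slide's table; None models "Indefinite".
RETENTION_RULES: Dict[str, Optional[Dict[str, int]]] = {
    "Finance":  {"years": 7},
    "HR":       {"months": 12},
    "Personal": {"days": 30},
    "Unknown":  None,
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # assumption: a hold (pending litigation) suspends destruction


def shift(d: date, years: int = 0, months: int = 0, days: int = 0) -> date:
    """Calendar-aware date shift: 29 Feb and 31st dates clamp to the target month's last day."""
    total_months = d.month - 1 + months
    y = d.year + years + total_months // 12
    m = total_months % 12 + 1
    last_day = calendar.monthrange(y, m)[1]
    return date(y, m, min(d.day, last_day)) + timedelta(days=days)


def retention_expiry(record: Record) -> Optional[date]:
    """Date on which the retention period ends, or None for indefinite retention.

    Categories missing from the table fall back to Unknown (indefinite), so
    unclassified data is retained rather than silently destroyed.
    """
    rule = RETENTION_RULES.get(record.category, RETENTION_RULES["Unknown"])
    if rule is None:
        return None
    return shift(record.created, **rule)


def disposition(record: Record, today: date) -> str:
    """Return 'hold' if a legal hold applies, 'destroy' once retention has expired, else 'retain'."""
    if record.legal_hold:
        return "hold"
    expiry = retention_expiry(record)
    if expiry is None or today < expiry:
        return "retain"
    return "destroy"


def destruction_candidates(records: List[Record], today: date) -> List[str]:
    """Record ids that are due for destruction on the given date, in input order."""
    return [r.record_id for r in records if disposition(r, today) == "destroy"]


# Constructed sample records (not real data), evaluated as of 1 Jan 2007.
SAMPLE_RECORDS = [
    Record("INV-001", "Finance", date(1999, 12, 31)),            # expired 31 Dec 2006
    Record("INV-002", "Finance", date(2001, 6, 30)),             # expires 30 Jun 2008
    Record("HR-001", "HR", date(2005, 11, 1), legal_hold=True),  # expired, but on hold
    Record("HR-002", "HR", date(2005, 12, 31)),                  # expired 31 Dec 2006
    Record("PER-001", "Personal", date(2006, 12, 15)),           # expires 14 Jan 2007
    Record("PER-002", "Personal", date(2006, 11, 30)),           # expired 30 Dec 2006
    Record("SCAN-001", "Unknown", date(2000, 1, 1)),             # indefinite
    Record("MKT-001", "Marketing", date(2000, 1, 1)),            # no rule: treated as Unknown
]

if __name__ == "__main__":
    today = date(2007, 1, 1)
    for r in SAMPLE_RECORDS:
        print(f"{r.record_id:9} {r.category:9} expires {retention_expiry(r)} -> {disposition(r, today)}")
    print("destroy:", destruction_candidates(SAMPLE_RECORDS, today))
```

Two design choices matter here: the unknown-category fallback is deliberately the most conservative rule in the table, and the hold check runs before the expiry check, so a record that has aged out of retention is still kept while a hold is in force.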
ARCHIVE with Portal Access to ALL Data
A few suggestions …
• Ensure there are written policies for traditional and digital record retention, management and disposal.
• Educate users on these policies.
• Educate users regarding the impact of internal policy and external regulatory requirements on their use of e-mail, IM and SMS tools for business purposes.
• Implement the defined policies and associated procedures.
• Determine IT strategy based on the tools required to support the policies and processes defined, implemented and communicated.
Corporate-wide benefits of ARCHIVING
Compliance
• Policy adherence
• Statutory adherence
• Regulatory adherence
• Discovery
• Forensics
Operational Efficiency
• Reduced TCO
• System performance improvements
• Shortened backup timeframes
• DIY search and retrieval
• Achieve quick and measurable ROI
• Greater Knowledge Exploitation
Storage Management
• Primary storage burdens eased
• SIS and Compression
• Data management and disposal
• Integration of data from disparate systems
DIGITAL DATA ARCHIVING: “Nice to Have or Need to Have”?
[Diagram, elements shown: Information Repository; Risk Assessment; Corporate Governance Components; Policies/Procedures; Corporate Confidence; Company Activities (Email, IM, Memos/Spreadsheets, Transactional Data, BPR); Identification and resolution of non-compliant activities]