Sarbanes-Oxley and its effect on storage compliance systems

This article discusses the primary provisions of the Sarbanes-Oxley Act that affect storage systems. Scott Lowe gives an overview and describes some storage products that offer special compliance features.

If you haven't heard of Sarbanes-Oxley, HIPAA, FERPA, or Gramm-Leach-Bliley, you've either just recently reentered the workforce after a very long vacation in Siberia, or you have been so busy with that new-fangled ERP system that you haven't had the chance to read anything for, oh, the past three years.

Either way, it's time to get up to speed on what these regulations mean for you and your storage systems. Sarbanes-Oxley, for example, imposes significant storage requirements and includes rigorous retention and retrieval regulation, which you must meet in order to be in compliance with the act. I will briefly discuss some of the retention and retrieval requirements in this article.

The Sarbanes-Oxley Act of 2002 implies that strict retention policies and procedures must be in place. I say "implies" because the act itself does not spell out specific storage requirements; it does, however, require corporate officers to institute internal controls over their information to ensure completeness, correctness, and quick access. One exception to this lack of specifics: accounting firms are explicitly mentioned in Sarbanes-Oxley. The act calls for accounting firms that audit publicly traded companies to keep related audit documents for no less than seven years after the completion of an audit. Violators can face fines of up to US$10 million and 20 years in prison.

Quick data retrieval is another requirement under Sarbanes-Oxley, and it's just a good idea anyway. After all, if your company is subpoenaed, do you really want to make your legal team wait three days for IT to be able to pull the right records, or do you want the team to be able to immediately begin crafting a defense?

Products geared for compliance
Besides the sheer volume of data that is required to be stored as a result of the law, section 802 of the Act outlines stiff penalties for any company that "knowingly alters, destroys, [or] mutilates" information in an effort to cover its tracks or obstruct an investigation. Storage vendors have glommed on to this language like a pit bull to a steak. Many vendors now sell "Sarbanes-Oxley compliance" devices aimed at helping corporations in their compliance efforts.

NetApp, for example, sells its SnapLock software solution to clients that want to implement a write-once, read-many (WORM) approach to their storage. While WORM has existed for years on optical media, the philosophy is shifting to disk-based systems in order for companies to be able to comply with the volume of retained data, as well as to provide quick, easy access to retained information.

Other vendors offer equipment geared toward compliance as well. EMC's Centera line of products includes editions (the Centera Governance Edition and Centera Compliance Edition Plus) that ensure data authenticity and scalability to the petabyte range of data storage. Centera, like the NetApp solution, provides WORM capabilities so that data, once written to the device, cannot be modified, but can be read as often as needed.

When it comes to data retrieval, make sure any solution you choose is in it for the long haul. That is, if your corporate policies (or government mandates) dictate that certain information will be kept for a very long time, make sure that any related data is stored in a format that will still be readable in five, ten, or twenty years. Further, make sure that what you buy is scalable. Managing hundreds, or even thousands, of CDs as a storage option will not be a practical solution as your data grows.