SEC Rule 17a-4 and Storage
Now let's look at SEC Rule 17a-4. In this case, although data privacy is important,
the regulation focuses on data accessibility, specifying what types of data
must be kept available and for how long. Therefore, data-storage requirements
depend on the type of data and its particular set of requirements.
Time periods for data retention under 17a-4 fall into four categories: two
years, three years, six years, and for the life of the business enterprise.
It's therefore crucial that you're able to classify your data and how it will
be stored. Additionally, the regulation uses the phrase "easily accessible place"
to describe where much of the covered data should be stored.
Given these requirements, it's clear that your backup strategy must be one
of the driving factors in the storage implementation plan. And given that the
regulation covers communication between broker and client and requires the storage
of that communication, integration of the data backup and recovery scheme with
a business's email software is required, to meet the regulation's "easily accessible"
clause.
To comply with 17a-4, a business will need to implement a multi-tier storage
architecture that comprises online, nearline, and offline storage, depending
upon the point in the information life cycle where each piece of affected data
currently resides. To meet this requirement, then, when you evaluate storage
solutions, look for a comprehensive hardware platform that includes a suitable
storage management component, which addresses information life-cycle needs while
requiring minimal work on IT's part.
Compliance with 17a-4 also requires tight integration of email with backup
storage. The ability to reliably and easily recover email that could be as much
as three years old is a requirement that could cause serious problems with email
servers for a large business that needed to retain its messages online as part
of the active mail store. Maintaining email-server performance at a high level
is generally at odds with keeping huge amounts of archival email online, so
the ability to migrate email data to an accessible, but not primary, storage
location becomes another motivating factor in the data management plan.
In this storage environment, capabilities such as self-recovery and online
backup and restore go a long way toward fulfilling regulatory requirements.
But you need to maintain complete and thorough data backups, because simply
clicking the delete button on an email in a user's inbox can violate the applicable
rule. You need to maintain storage on the network, or on any location that's
kept backed up and current, to avoid inadvertently violating regulatory requirements.
Complying with 17a-4, therefore, will require large amounts of storage, for
which you'll need to have practices and processes to keep it backed up and technology
and processes to keep that backed-up data easily accessible.
SOX and Storage
Storage compliance under SOX is both easier and more difficult than the other
compliance areas we've examined. It's easier because, at its simplest, SOX requires
everything involved in corporate activity to be stored somewhere for possible
retrieval. This requirement makes large amounts of physical storage (e.g., NAS,
enterprise SAN setups) a practical way to store masses of data in a manageable
fashion. Add in the capability to securely back up and restore that data, and
you've probably covered all the bases. The difficulty in determining a SOXcompliance
strategy lies in determining what to save and what to discard.
Auditors who specialize in SOX compliance can give you the information you
need to build the type of storage network that's appropriate for your environment.
Without this type of careful analysis, businesses can end up storing everything,
which not only can become a network-storage–management nightmare but
can have unexpected consequences in the event of regulatory litigation. IT has
a responsibility to make sure regulatory requirements are met, but because this
is such a specialized area, determining applicable due diligence should be done
with the assistance of the appropriate auditors.
Compliance Needs Drive Storage
It should be clear by now that regulatory compliance should be a primary driver
when you select storage hardware and storage management software. After you
determine what storage environment can appropriately handle the applicable regulatory
constraints, you'll find it's a much simpler task to manage that storage so
that you minimize any chance of a failure that might expose the company to litigation.
Although regulatory requirements are well defined, the solutions for complying
with them aren't. Therefore, you need to carefully analyze business needs as
well as business workflow to determine how best to use a storage model while
maintaining regulatory compliance. (For a checklist to help you evaluate your
storage compliance needs, see the sidebar "Steps in Designing a Storage Compliance
Strategy," page 56.) Keep in mind that you can meet storage requirements by
using a horizontal solution that provides appropriate storage to all parts of
the corporate enterprise while solving the regulatory storage problems.
End of Article
