In-Depth

The Last Regulatory Compliance Article You'll Ever Need

Many vendors are touting storage solutions for Sarbanes-Oxley compliance, but only one company tells it straight—SOX isn't a storage issue at all.

• By Jon William Toigo
• 03/16/2004

In the study, which was just released by Financial Executives International (FEI) and can be downloaded from sponsor Computer Sciences Corporation’s Web site (http://www.csc.com), I found valuable data points on a broad range of IT topics from the CFO’s perspective. The one that caught my eye first was the general agreement among respondents that regulatory compliance had little to do with storage technology or topology.

I was already thinking about writing a column on storage and regulatory mandates, which has become the rationale proffered by vendors for everything from multi-tier storage infrastructure to all-in-one tape/disk appliances to Information Feng Shui Management. Just today, I was contacted by an old friend who advised me that Fibre Channel Industry Association (FCIA) board members were projecting that “regulatory compliance” would become a huge driver of sales of their products in the Small to Medium Business (SMB) market.

Then, I had a phone discussion with EMC execs who cited compliance as a key motivator for their Information Lifecycle Management play, while I watched my e-mail inbox swell with traffic from IBM’s press relations staff hammering me to sit for a briefing on Big Blue’s latest compliance solution.

What I had not heard from anyone was what, exactly, there was in SOX to comply with. The law, officially known as the Public Company Accounting Reform and Investor Protection Act and enacted in July 2002, requires companies to make new disclosures on internal controls, ethics codes, and the makeup of their audit committees on annual reports.

Of importance to IT is Section 404, which requires companies perform a self-assessment of risks for business processes that affect financial reporting. Public companies with market capitalizations of $75 million or more must be in compliance with Section 404 for their fiscal year ending on or after June 15. Smaller companies have until the fiscal year ending on or after April 15, 2005 to comply.

You need to have controls in place and to testify to the adequacy of those controls to verify the accuracy of statements in annual reports. There is nothing about storage in the act—specifically or implied. Common sense would dictate that you need to verify that your data is not flipping bits on the disk, and if you are a broker/dealer by trade, you might need to prove that you are using Write Once Read Many (WORM) technology or some other mechanism to provide nonrepudiability to your historical trading records. But beyond that, there is no storage requirement imposed by the regulation. None. Nada. Zip.

I worried that I might be missing something important, so I sat for the briefing with IBM to hear about its TotalStorage Data Retention 450 “solution” on February 19. I asked the ever-charming Theresa O'Neil, Director of Storage Strategy for IBM Tivoli, what regulatory provision(s) the company’s “powerful new compliance-in-a-box” offering was addressing. I received back something I hadn’t heard from many vendors on this point: an honest answer.

The Storage Strategy Director told me that SOX compliance had very little to do with storage. To her way of thinking, hyperbole about compliance and the threat of litigation in the marketing materials of other storage vendors were being used in an attempt to sell more gear—nothing more, nothing less.

Said O’Neil, “Compliance is more about business processes than it is about technology. Creating and managing policies to comply with regulations as a company is the hard part; technology is the easy part.”

She said IBM was offering a solution for managing data records. It could be used to make records more accessible for audits and litigation, but its real purpose was much broader: IBM wanted to provide a way for customers to make more cost-effective use of their storage investment, potentially—but not necessarily—as an entree into the exciting world of enterprise content management.

IBM’s fix: a FAST 600 storage server controller with a back-end Serial-ATA array scalable from 3.5 to 56 TB. Additionally, the 450 solution includes a clustered P-series server running Linux and Tivoli Storage Manager for Data Retention. Oh, and if there are any concerns about security, the whole thing comes in a lockable cabinet. Purchased altogether, the price tag was $141,600 for the 3.5 TB solution.

But, O’Neil offered, the IBM Tivoli software was also available for purchase as a standalone component. Given that its robust API allowed for it to be used in conjunction with over 600 different disk devices, O’Neil said that IBM Tivoli Storage Manager provided the basis for building a true “customer’s choice” records management platform.

The software includes a hefty dose of Tivoli’s traditional Hierarchical Storage Manager functionality—the kind that leaves stubs behind when it migrates less-used data to tape or disk archives. She said, however, that the functionality was an improvement over other offerings in the market because it lets you use “events” rather than only timestamps to determine when data should be moved and how long it needed to be retained.

O’Neil explained, “For example, if the mortgage is paid off early, the data does not need to be retained for the full 30 years. The event—the payoff—enables the migration of data before the time-based policy would.”

The software also allows for the annotation of datasets with “deletion holds,” allowing data that might have reached its stale-by date to be retained for audit or litigation as required. With the full implementation of other IBM technology, such as storage pools, O’Neil said companies would have the ingredients for a pretty good lifecycle management system.

So, there you have it. Direct from the mouth of Big Blue. SOX is not a storage issue. Be sure to challenge anything you hear to the contrary from other vendors. This is the last storage article on regulatory compliance you ever need to read. Except, of course, for the next one.