Use this checklist to help you determine what storage and data-protection solutions you need to invest in as part of your compliance project
1. Determine how well a storage solution will fit your existing business processes. At least as important as whether a storage product supports the regulations that affect your organization is how well the product meshes with your existing business processes. A product that doesn't fit in with your company's operations will require you to change processes to match the way the product works, an option that few organizations will find acceptable.
If, of course, your organization must alter its processes to comply with the appropriate regulations, you have a bit more flexibility in your choice of solutions. Nevertheless, the products that introduce the fewest changes will have the least negative impact on your day-to-day operations.
2. Make sure your solution meets the full spectrum of compliance requirements for your industry. Storage-compliance requirements generally fall into three categories: data security, access control, and historical availability of data. Typically your OS handles security and access control. The requirements for an industry could include any or all of these categories and will usually require an end-to-end solution that provides the same compliance requirements throughout the lifecycle of the affected data. Keep in mind that the physical storage system you use isn't really the issue; the software that uses your storage will maintain regulatory compliance. The number-one rule is that your storage solution must be able to maintain each individual record for as long as necessary and in a way that prevents alteration of records.
3. Assess your backup strategy and, if necessary, modify it to meet compliance requirements. The storage-specific issue that's most relevant to regulatory compliance is backup. In most cases, traditional backup solutions don't address the full range of compliance issues. To maintain compliance, you must keep data backups secure. Backed-up data must meet the same archiving regulations as live data. Depending on which set of compliance regulations you're following, you might have to maintain online, nearline, and offline data backups and have in place a lifecycle process that moves data to the required location in that tree so that the data meets availability standards.
Disaster recovery solutions are no longer just simple backups. Now, you must maintain backup data so that it retains all the details that comprised the original records, not only the raw data. Furthermore, offsite disaster recovery storage must meet the same data-security standards as your primary data store.
4. Choose unalterable backup media. Because many compliance regulations prescribe data-retention periods, your data-lifecycle process will require the use of storage media that lets data be written but not altered. Therefore, you should consider using optical technologies—such as write once, read many (WORM), or tape technologies, such as DLTIce, which let data be appended to a record but don't allow overwriting—as standard tools for storage compliance. Keep these offline records in mind when you create your disaster recovery plan because you'll need to be able to recreate them as well as live data. Also keep in mind that even offline storage methodologies must be able to find and restore required records promptly.
5. Make sure you can migrate stored data. When choosing storage technologies, consider how easily you can migrate stored data to next-generation systems. Examine your current environment and determine how many of your storage systems have been in use for the last 6 years. If you migrate to newer-generation storage technologies, you must be able to move all data affected by compliance regulations to its new home.
6. Maintain an easily accessible audit trail. Compliance regulations require that a business maintain the chain of custody of any record that's affected by such regulations. This means that any access that might modify an affected record be recorded and that this audit data be easily accessible. You must track not only access that can modify the record but possibly also any access to the record, to ensure that your organization adheres to confidentiality requirements.