Compliance wreaks havoc on IT infrastructures

A new era in IT infrastructure is dawning. After the recent focus on disaster recovery and business continuity, the latest trend for IT planners involves the rapidly escalating importance of content integrity, which is driven by the need for regulatory compliance. Variable retention cycles, indexing, tamper-proof storage and tamper-proof duplicates are all elements of compliance.

Many companies are stalled right now because they are waiting to formulate compliance strategies. This is creating a lot of chaos for IT infrastructures. Companies are facing new regulatory standards for electronic records management, as well as daunting increases in the volume of data to be retained in an accessible manner.

At the same time, they are emerging from capital spending lockdowns and planning their next round of IT development. This challenging environment is dictating several new strategies for storage.

Aggressive regulations

Lawmakers and regulators are implementing a round of more aggressive laws, increased regulation and stepped-up enforcement to address the high-profile issue of corporate malfeasance. More aggressive laws, such as Sarbanes-Oxley, establish new levels of personal liability for IT managers and personnel.

Record integrity requirements have added a new dimension to storage planning. New integrity standards include such elements as:

  • Written records management and retention policies.

  • Proof of consistent adherence to those policies.

  • Ability to prove that the archives are complete and not selective.

  • Ability to prove that the entries in the archives could only have been created at the point in time indicated.

  • Ability to prove that the archives are tamper-proof.

These standards for ensuring the integrity of records, particularly electronic records, are also being affirmed in the courts. The climate of tolerance for irresponsible records management, whether intentional or inadvertent, is coming to an end. Numerous cases in the courts have created a body of legal precedence that penalizes both companies and their management. Penalties are being handed out for failing to:

  • Write and follow policy.

  • Retain records after notification of pending action.

  • Preserve records for use by others in the foreseeable future.

Personal liability

And who is responsible for creating an infrastructure that anticipates the significance of records in legal or investigatory matters? Companies and their management. The issue of what information (evidence) is material or may become material at some future point has been clearly established.

Section 802 of Sarbanes-Oxley sets new standards for widespread personal liability with the changes it has made to the crime of obstruction of justice. The change is a new paragraph that reads:

    "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

The implications are that anyone from IT who participates in destruction or alteration of records that should have been preserved is subject to imprisonment.

The impact on IT infrastructure planning is found in the establishment of a new set of records and information management standards. The new expectations include elements such as:

  • Content-based retention policies.

  • Privacy and confidentiality standards for certain types of records.

  • Extended records retention periods of 30 or more years.

  • Media migration strategies to ensure that records continue to be preserved and accessible.

  • Storage on nondestructible media for the retention life cycle.

  • Off-site duplicate copies.

  • Indexes of original and duplicates made at the time of storage and kept for the life of the record.

  • Online retention with immediate access for some period of time.

A new infrastructure

The long-term impact of compliance will include managing the cost of records storage while creating an infrastructure that can be responsive to specific current and future regulatory requirements. The idea is to create a compliance-ready infrastructure.

By taking this approach, infrastructure planning and development can commence without the need for a detailed analysis of the compliance requirements. However, the detailed analysis will need to be done in conjunction with the implementation of each of the compliance platforms. This analysis will determine how to use the infrastructure to best advantage.

The issues that evolve in creating a compliance-ready infrastructure include:

  • Central information store strategy.

  • Information life-cycle management.

  • Duplicate storage requirements.

  • Indexing and retrieval requirements.

  • Media storage life.

  • Scalability.

  • User access requirements.

These elements and others like them are unique for each company and are identified in a document called the compliance profile. The compliance profile enables IT infrastructure planners to proceed with the infrastructure development without requiring an extensive regulatory analysis.

Central information store strategy

To implement an archive of unquestionable integrity, you need central control of records retention. If you leave the integrity of the archive to individual discretion in a distributed architecture, it diminishes your ability to assure regulators and courts that the archive is complete and tamper-proof. The new standards for information management demand that companies manage their archives centrally.

Information life-cycle management

Information life-cycle management is the process of retaining and managing information so that it conforms to regulatory and business requirements at the least reasonable cost. It entails migrating data across different storage media platforms to take best advantage of cost savings when data access requirements allow.

Duplicate storage requirements

A key aspect of many regulations is the requirement to maintain an accessible duplicate copy of regulated records in a separate location. Some companies opt to create a redundant online solution, while others choose to use tamper-proof media storage in a more conventional offsite storage facility. Selecting the proper solution depends on the regulatory profile of the business.

Indexing and retrieval requirements

One significant aspect of new regulations is the granularity of their record retrieval requirements. In the past, it was common practice to deliver large volumes of data in response to discovery requests. Today, it is more common for regulators and opposing counsel to make specific requests in order to reduce the volume of data that they must process in their investigation. To that end, regulators and litigators frequently request data in electronic, searchable formats.

In some cases, regulations stipulate that the regulated archive be created in that format and indexed in advance with regulatory access to the index. Infrastructure planning must take into account the type of retrieval associated with the archives it will keep. There must also be planning for storage and retrieval access capabilities that properly support the requirements.

Media storage life

The usable life of different storage media is an important consideration. The intent of regulatory record retention is the ability to retrieve records over the long term. Here, two relevant issues emerge. The first is the usable life of the media itself. The second is the need to retain or arrange for the retention of the necessary hardware and software versions to be able to access the data for 30-plus years.

The IT plan must take into account the viability of maintaining obsolete equipment and ensuring that it is continually functional or regularly migrating historic data onto new storage platforms.


The impact of regulation on data volumes and storage requirements is still unknown. E-mail growth estimates made in 2001 by IDC for 2006 were exceeded in 2004. Regulations and shifts in business behavior are changing the rate at which regulated data accumulates. In addition to anticipating requirements, solutions must be sufficiently scalable to absorb unexpected rates of growth and extensions of retention periods for regulated records.

User and regulator access requirements

How and where different types of data can be stored is influenced by both user and regulator requirements. Users tend to need the most immediate data quickly in order to complete their work. Regulators often need older data immediately in order to complete their investigations. The IT infrastructure model needs to be able to respond appropriately to both requirements.

The impact of compliance on IT infrastructure

The details of the impact of compliance on IT infrastructure are still being defined. What we know to date is that IT planners need to be far more compliance-aware than ever before. We also know that compliance will have significant impact on IT infrastructures. It will change the capabilities and features in the infrastructure and will significantly change the volume, extending retention periods and increasing the granularity of access to the archive.

To create an archive of unquestionable integrity that will protect the enterprise and its employees, IT planners must take into account regulatory requirements and compliance standards. At the same time, compliance and legal professionals must be ready to actively communicate the regulatory requirements so that IT planners can do their job. It is not enough to say, "We know what must be done." That knowledge must be translated into guidance for IT, or IT will be held hostage by indecision.

Thomas Bookwalter is vice president of Compliance Solutions for SANZ Inc., a storage consulting and integration firm.

Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon