For ISACA Presentation Digital Data Archiving “Nice to Have or Need to Have?”

Digital Data Archiving - ISACA China HK Chapter


Introduction: AXS-One

- Established over 28 years ago

- AMEX listed for over 10 years

- Prestigious established customer base within Financial Services, Pharmaceutical, Manufacturing, Transportation, Logistics and other industries for over 10+ years


A glossary of terms …

What is digital data?

dig‧i‧tize [dij-i-tahyz] verb (used with object), -tized, -tiz‧ing. Computers.

1. to convert (data) to digital form for use in a computer.

2. to convert (analogous physical measurements) to digital form.

What is archiving?

ar‧chive [ahr-kahyv] noun, verb, -chived, -chiv‧ing.

1. Usually, archives. documents or records relating to the activities, business dealings, etc., of a person, family, corporation, association, community, or nation.

2. archives, a place where public records or other historical documents are kept.

3. any extensive record or collection of data: The encyclopedia is an archive of world history. The experience was sealed in the archive of her memory.

–verb (used with object)

4. to place or store in an archive: to vote on archiving the city's historic documents.


A glossary of terms …

Source: Merriam-Webster Online Dictionary

“Governance is about leadership, financial and operational management standards adhering to international best practices. The need for compliance with external regulatory requirements and heightened awareness over information security has meant a requirement to plan policies on how to use IT effectively across the whole organization. Creation of specific governance committees and ROI evaluation to identify which solutions will deliver value are key steps”

Source: Computerworld, 25 March 2005

Adoption of best practices will result in compliance and good governance!


If you have any of these solutions implemented …..

The core systems required to run your business, usually stored in a RDBMS

DOCUMENT MANAGEMENT SYSTEM: Designed to enable the tracking of documents as they go through various iterations and are handled by different people

Designed to enable the consolidation of structured data from various disparate systems for reporting and analytics across the organization


You will also be experiencing these problems ….

Access Time − Increasing

Search Time − Increasing

Memory Problems (RDBMS) − Increasing

Backup Times − Increasing

Maintenance Windows − Decreasing

Database Handling − More Complex

Document Handling
− Outward Image Storage (POs)
− Inward Image Storage (Supplier Invoices)


The ongoing challenges for IT are …..

Leveraging technology investments to date

Managing storage and associated infrastructure costs

… while ensuring operational efficiencies …


Identifying, tracking, retaining and accessing information … a compliance issue

… considering governance and compliance …


Corporate officers, legal counsel, CFOs, CEOs, CIOs and middle managers will be held accountable for records management failures by investors, shareholders, statutory and regulatory bodies.

understanding that …..

This compliance risk goes to the heart of an organisation’s policy, statutory, legal and regulatory obligations, the effectiveness of its internal policies, procedures and controls, using technology as an enabler.


Is back-up good enough?

[Figure: Architecture. Labels: Router, Firewall, Mail Gateway, Firewall, Email and/or File Server, Internet, SCM, Data, CRM, Siebel, Other Apps, Transaction Data, Financials, Data & Documents, DMS, Filenet/Documentum, Storage Devices: Disk/Tape/Jukebox/SAN/NAS]


Not anymore …

Access Time − Can be managed by taking older data offline

Search Time − Can be managed by taking older data offline

Memory Problems (RDBMS) − Can be managed by taking older data offline

Backup Times − Can be managed by taking older data offline

Maintenance Windows − Can be managed by taking older data offline

Database Handling − Can be managed by taking older data offline

Document Handling − Can be managed by taking older documents and images offline

Access Time
− Increased complexity in retrieving current and historical data
− Increased costs in retrieval of historic information from tape

Search Time − Increased complexity in searching across current and historical data

Maintenance Windows − Who manages the retention and destruction of the data in accordance with internal policy and external statutory, legal and regulatory requirements?

Document Handling − Who manages the retention and destruction of the data in accordance with internal policy and external statutory, legal and regulatory requirements?

While some problems may be solved with backups …. Others have been created …


Why are these issues critical?

Data Retention/Management/Destruction

65% of companies lack e-mail retention policies and procedures

94% of companies fail to retain & archive instant messages (Source: Osterman Research)

33% of senior executives and subject matter experts interviewed said their company had no policy in place around digital data and 20% did not know.

(Source: “Rules about to change in e-discovery game”, Nov 2006)

Data Retrieval

71% of organizations have been required to search through back-up tapes to retrieve one or more electronic records in response to a request from legal, HR, …

39% of organizations have been ordered by a court or regulatory body to produce employee e-mail

(Source: Osterman Research)


Why are these issues critical?

Data Retrieval (cont’d)

36.4% of senior executives and subject matter experts interviewed said their companies had no technologies or policies in place to manage a legal discovery order involving electronic records

Companies with annual revenues greater than US$1 billion dollars are sometimes juggling as many as 147 lawsuits simultaneously

Companies with annual revenues less than US$1 billion dollars are sometimes juggling up to 37 lawsuits simultaneously

One third of firms surveyed spend 2% of gross revenues on litigation expenses, while 10% spend over 5% of gross revenues.

(Source: “Rules about to change in e-discovery game”, Nov 2006)

Data Supervision

50% of workplace IM users send/receive risky content including attachments, jokes, gossip, confidential info, porn, etc.

(Source: Osterman Research)


Why are these issues critical?

HK Companies Ordinance of 1984: “every company must keep proper books of account … preserved for seven years from the end of the financial year to which the last entry made or matter recorded in them relates.”

Inland Revenue Ordinance of 1977: “must retain such records for a period of not less than seven years after the completion of the transaction”

Personal Data (Privacy) Ordinance of 1995: “A data user has a duty to comply with a valid data access request not later than 40 days after receiving that request. Difficulty in searching through records (whether electronic or otherwise) is not regarded as a good excuse for failing to meet the timetable.”

Retention, Management, Retrieval and Disposition……. In HK


Why are these issues critical?

Basic Law, the rules of court procedure in Hong Kong of 1990: “if the parties and their legal advisers do not adopt a 'sensible and responsible approach in dealing with discovery', they face cost penalties meted out by the Court”

The Electronic Transactions Ordinance of 2004: "Without prejudice to any rules of evidence, an electronic record shall not be denied admissibility in evidence in any legal proceeding on the sole ground that it is an electronic record"

HKMA Supervisory Policy Manual: “ensure that all media are adequately protected, and establish secure processes for disposal and destruction of sensitive information in both paper and electronic media”

Retrieval, Search and Destruction ……. In HK


Why are these issues critical?

Japan: A version of Sarbanes-Oxley is due to be released in Japan before the end of 2006

Australia: Attorney-General, Rob Hulls said Victoria will be the first State to create a specific document destruction offence whereby a corporation and its employees can be prosecuted in circumstances where there was no direct instruction to destroy a document but it was implied by the corporation’s culture. “In addition to a jail term, individuals can be fined up to $62,886 and corporations can be hit with a $314,430 fine.”

US: On December 1, 2006, several amendments to the Federal Rules of Civil Procedure regarding a company’s duty to preserve and produce electronically stored information, in the face of litigation - or pending litigation, are scheduled to take effect.

Why are these issues critical? In HK …

Retention, Management, Retrieval and Disposition … elsewhere


Why are these issues critical?

Source: Wall Street Journal Asia, 13 Feb 2006

Operational Risk Mitigation …


So what does all of this mean?

Let’s get back to the basics of the business process from a non-digital perspective, and ask yourself the following questions:

1. Who is the owner of the business process?

2. Who is the owner of the data being stored?

3. How often will the “data owner” or other interested parties need access to this data?

4. How long does this data need to be kept?

5. Who is responsible for the destruction of this data?

So why should IT be responsible for the storage, management, access and destruction of this data, when all they have done is provide technology tools to enable the automation of the above “traditional” business process?


[Figure: Architecture. Labels: Router, Firewall, Mail Gateway, Firewall, Email and/or File Server, Archiving Process, Retrieval Process, Archive Server, Web Server, Internet, Storage, ERP, Data, Instant Message, IM, Other Apps, Transaction Data, Financials, Data & Documents, DMS, Filenet/Documentum]

Archiving solutions should solve the BUSINESS of digital data retention, management, retrieval and disposal using TECHNOLOGY as AN ENABLER …

So what does all of this mean? ARCHIVE !!


ARCHIVE for Operational AND Business Benefits

Policy Driven Archiving

• Compress
• Single Instance
• Index
• Future Proof
• Shortcut/Stub
• Categorise

Message Management

• Lotus Notes
• MS Exchange
• IM

250 File Types

• Word Docs
• Adobe PDF
• PowerPoint
• Excel

Text Reports

• PCL 5
• AFP
• Meta Code
• EBCDIC
• Text

Object Types

• Voice
• Video
• IP Traffic

• Search
• Disclose
• Share
• Retain/Delete
• Case Management
• Supervise

To benefit the business:

• Storage optimisation
• Migration/consolidation of data
• Operational efficiencies
• Compliance
• Knowledge exploitation


Common Myths/Misconceptions about ARCHIVING

• Compliance is a costly exercise
• I need separate solutions to manage all of my corporate data
• Archiving will enforce/enhance our risk management strategy
• The main driver for compliance activities is the fear of the consequences of non-compliance
• There are no strategic solutions available in the marketplace – just point solutions
• Corporate governance encompasses regulatory compliance, legislative compliance and adhering to internal policies
• The only positive consequence of being compliant is staying out of jail


ARCHIVE solutions come in different forms …

Enterprise Content Management (ECM) is any of the strategies and technologies employed in the information technology industry for managing the capture, storage, security, revision control, retrieval, distribution, preservation and destruction of documents and content. ECM especially concerns content imported into or generated from within an organization in the course of its operation, and includes the control of access to this content from outside of the organization's processes.

Information Lifecycle Management refers to a wide-ranging set of strategies for administering storage systems on computing devices. Specifically, four categories of storage strategies may be considered under the auspices of ILM:
− Policy
− Management
− Operational
− Infrastructure

Source: www.wikipedia.com


ARCHIVE solutions come in different forms …

Records Management is the practice of identifying, classifying, archiving, preserving, and sometimes destroying records. ISO 15489: 2001 defines records management as, "The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".

“Companies should look for solutions to support multiple regulations and multiple business units”

Source: Business Wire, 12 December 2005. “Through 2008, Investment in new technologies will slow as discretionary budgets are diverted to regulatory compliance projects”.

Source: www.wikipedia.com


Category: Finance, HR, Personal, Unknown

• Invoice
• Purchase Order
• Payable
• etc

• Sick Leave
• Annual Leave
• Resume
• etc

• Home
• Lunch
• Joke
• etc

• 7 Years
• Tape

• 12 Months
• Disk

• 30 Days
• Disk

• Indefinite
• Disk

Scanned

Retention:

Destruction:

ARCHIVE with Retention and Disposition Rules


ARCHIVE with Portal Access to ALL Data


A few suggestions …

Ensure there are written policies for traditional and digital record retention, management and disposal.

Educate users on these policies

Educate users regarding the impact of internal policy and external regulatory requirements on their use of e-mail, IM and SMS tools for business purposes.

Implement the defined policies and associated procedures

Determine IT strategy based on the tools required to support the policies and processes defined, implemented and communicated.


Corporate-wide benefits of ARCHIVING

Storage Management

• Primary storage burdens eased
• SIS and Compression
• Data management and disposal
• Integration of data from disparate systems

Operational Efficiency

• Reduced TCO
• System performance improvements
• Shortened backup timeframes
• DIY search and retrieval
• Achieve quick and measurable ROI
• Greater Knowledge Exploitation

Compliance

• Policy adherence
• Statutory adherence
• Regulatory adherence
• Discovery
• Forensics


[Figure: Corporate Governance Components. Labels: Policies/Procedures; Information Repository; Risk Assessment; BPR; Identification and resolution of non-compliant activities; Company Activities (Email, IM, Memos/Spreadsheets, Transactional Data); Corporate Confidence]

DIGITAL DATA ARCHIVING: “Nice to Have or Need to Have”?