Storage Strategies Special Edition - Tuesday, March 16, 2004
The Last Regulatory Compliance Article You'll Ever Need
By Jon William Toigo
Many vendors are touting storage solutions for Sarbanes-Oxley
compliance, but only one company tells it straight -- SOX isn't a
storage issue at all.
Imagine my surprise when I read in the 6th Annual Financial Executives
Survey that, in the majority opinion of 600+ chief financial officers,
compliance with Sarbanes-Oxley (SOX) was less an IT issue than it was a
human resources and corporate policy issue! Listening to EMC, the
FCIA, and many other storage mavens, I though SOX was poised to hit
companies where they lived: in their storage budget. (Story continues
In the study, which was just released by Financial Executives
International (FEI) and can be downloaded from sponsor Computer
Sciences Corporation's Web site (http://www.csc.com), I found valuable
data points on a broad range of IT topics from the CFO's perspective.
The one that caught my eye first was the general agreement among
respondents that regulatory compliance had little to do with storage
technology or topology.
I was already thinking about writing a column on storage and regulatory
mandates, which has become the rationale proffered by vendors for
everything from multi-tier storage infrastructure to all-in-one
tape/disk appliances to Information Feng Shui Management. Just today,
I was contacted by an old friend who advised me that Fibre Channel
Industry Association (FCIA) board members were projecting that
"regulatory compliance" would become a huge driver of sales of their
products in the Small to Medium Business (SMB) market.
Then, I had a phone discussion with EMC execs who cited compliance as a
key motivator for their Information Lifecycle Management play, while I
watched my e-mail inbox swell with traffic from IBM's press relations
staff hammering me to sit for a briefing on Big Blue's latest
What I had not heard from anyone was what, exactly, there was in SOX to
comply with. The law, officially known as the Public Company
Accounting Reform and Investor Protection Act and enacted in July 2002,
requires companies to make new disclosures on internal controls, ethics
codes, and the makeup of their audit committees on annual reports.
Of importance to IT is Section 404, which requires companies perform a
self-assessment of risks for business processes that affect financial
reporting. Public companies with market capitalizations of $75 million
or more must be in compliance with Section 404 for their fiscal year
ending on or after June 15. Smaller companies have until the fiscal
year ending on or after April 15, 2005 to comply.
You need to have controls in place and to testify to the adequacy of
those controls to verify the accuracy of statements in annual reports.
There is nothing about storage in the act -- specifically or implied.
Common sense would dictate that you need to verify that your data is
not flipping bits on the disk, and if you are a broker/dealer by trade,
you might need to prove that you are using Write Once Read Many (WORM)
technology or some other mechanism to provide non-repudiability to your
historical trading records. But beyond that, there is no storage
requirement imposed by the regulation. None. Nada. Zip.
I worried that I might be missing something important, so I sat for the
briefing with IBM to hear about its TotalStorage Data Retention 450
"solution" on February 19. I asked the ever-charming Theresa O'Neil,
Director of Storage Strategy for IBM Tivoli, what regulatory
provision(s) the company's "powerful new compliance-in-a-box" offering
was addressing. I received back something I hadn't heard from many
vendors on this point: an honest answer.
The Storage Strategy Director told me that SOX compliance had very
little to do with storage. To her way of thinking, hyperbole about
compliance and the threat of litigation in the marketing materials of
other storage vendors were being used in an attempt to sell more gear -
- nothing more, nothing less.
Said O'Neil, "Compliance is more about business processes than it is
about technology. Creating and managing policies to comply with
regulations as a company is the hard part; technology is the easy
She said IBM was offering a solution for managing data records. It
could be used to make records more accessible for audits and
litigation, but its real purpose was much broader: IBM wanted to
provide a way for customers to make more cost-effective use of their
storage investment, potentially -- but not necessarily -- as an entree
into the exciting world of enterprise content management.
IBM's fix: a FAST 600 storage server controller with a back-end Serial-
ATA array scalable from 3.5 to 56 TB. Additionally, the 450 solution
includes a clustered P-series server running Linux and Tivoli Storage
Manager for Data Retention. Oh, and if there are any concerns about
security, the whole thing comes in a lockable cabinet. Purchased
altogether, the price tag was $141,600 for the 3.5 TB solution.
But, O'Neil offered, the IBM Tivoli software was also available for
purchase as a standalone component. Given that its robust API allowed
for it to be used in conjunction with over 600 different disk devices,
O'Neil said that IBM Tivoli Storage Manager provided the basis for
building a true "customer's choice" records management platform.
The software includes a hefty dose of Tivoli's traditional Hierarchical
Storage Manager functionality -- the kind that leaves stubs behind when
it migrates less-used data to tape or disk archives. She said,
however, that the functionality was an improvement over other offerings
in the market because it lets you use "events" rather than only
timestamps to determine when data should be moved and how long it
needed to be retained.
O'Neil explained, "For example, if the mortgage is paid off early, the
data does not need to be retained for the full 30 years. The event --
the payoff -- enables the migration of data before the time-based
The software also allows for the annotation of datasets with "deletion
holds," allowing data that might have reached its stale-by date to be
retained for audit or litigation as required. With the full
implementation of other IBM technology, such as storage pools, O'Neil
said companies would have the ingredients for a pretty good lifecycle
So, there you have it. Direct from the mouth of Big Blue. SOX is not
a storage issue. Be sure to challenge anything you hear to the
contrary from other vendors. This is the last storage article on
regulatory compliance you ever need to read. Except, of course, for
the next one.
Copyright 2004 101communications LLC.