Regulatory Compliance

The IT industry has become even more complex in the past few years with the advent of regulatory compliance requirements that all publicly traded companies in the US and other regions must adopt.

Perhaps your organization is already working through these requirements. If you are a consultant or non-publicly traded company, you may not be bound by these regulations – however your clients may be, so this information is critical for anyone in the IT industry.

Regulatory standards affect the broad areas of data privacy, security, retention, protection and accountability. Within these areas, checks and balances act to preserve the information and data. Investigative processes verify the integrity of privacy; security and data protection and audits are required for accountability.

The legal and business requirements protect a company from investigations or consequences but they also help safeguard consumer and patient information. Here’s a list of some of the common regulatory compliance laws.

This is by no means a comprehensive or industry specific list but serves as an example of the amount of data regulations that are already in place:

Data Regulations
Sarbanes-Oxley Act
Known as SOX, this Act requires company financial executives to be culpable for financial reporting. Independent auditors review financial controls and processes to ensure accurate financial reporting. Controls of records and processes are preserved to prevent fraudulent activities.

Healthcare Insurance Portability and Accountability Act
The Healthcare Insurance Portability and Accountability Act requires, among other things, the securing of patient information.

European Union Data Protection Directive
The European Union Data Protection Directive (EUDPD) standardizes the protection of data privacy for citizens throughout the European Union (EU) by providing baseline requirements that all member states must achieve through national implementing legislation

Payment Card Industry Data Security Standard
The four major credit card associations in the United States (Visa, MasterCard, American Express, and Discover Network) adopted a consolidated data security standard (Payment Card Industry Data Security Standard; PCIDSS). Compliance is required of merchants accepting these cards.

Japan’s Personal Information Protection Act
The Personal Information Protection Act. The Personal Information Protection Act applies to government or private entities that collect, handle, or use personal information of 5,000 or more individuals

Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act addresses the protection of nonpublic personal information, requiring that financial records are properly secured, safeguarded, and eventually disposed of in a manner that completely destroys the information.

Breach Notification Legislation
California’s Senate Bill 1386 (SB1386) requires notification to California residents regarding any breach to the security of a computing system containing personal information.

Regulatory compliance issues can be really summed up by these simple items: “Keep it, Secure it, and Preserve it.” This can mean extra equipment and IT policies to maintain control over informationthat users may have previously horded on their machines.

One of the most important aspects to regulatory compliance is the 100% accessibility to the stored data. During data storage disasters, companies that require speed and quality turn to Professional Data Recovery Company for getting access back to regulatory data. In other situations, software that facilitates retrieving data is part of some IT department’s compliance process.

One of the least reported risks to electronic information is storage system failures. What happens when the server you have for compliance fails? How do you cope with a quarter-end financial audit when the business system database becomes corrupt? Who do you turn to when your company is in the middle of an SEC investigation and the electronic message server goes offline? These types of situations happen to corporations everyday. To help minimize this risk, several risk mitigation policies that storage administrators can adopt are outlined below:

Offline Storage System — Avoid forcing an array or drive back on-line. There is usually a valid reason for a controller card to disable a drive or array, forcing an array back online may expose the volume to file system corruption.
Rebuilding a Failed Drive — when rebuilding a single failed drive, it is import to allow the controller card to finish the process. If a second drive should fail or go off-line during this process, stop and get professional data recovery services involved. During a rebuild, replacing a second failed drive may change the data on the other drives.
During an Outage – If the problem escalates up to the OEM technical support, always ask “Is the data integrity at risk?” or, “Will this damage my data in any way?” If the technician says that there may be a risk to the data, then stop and get professional data recovery services involved.

Doing the Recovery Yourself – Some IT departments may have staff that has worked with automated data recovery or hard disk storage utilities. Depending on the cause of the data loss these tools could actually limit recovery efforts because the drive is experiencing intermediate failures. Some utilities on the internet are ‘free’ and promise to fix dead hard drives. Verify the source of the software and make sure that it comes from a reputable company that has a standardized development and quality assurance (Q/A) process. Untested software can yield unpredictable results.
When user desktop or laptop computer storage systems fail, do not assume that that their files are backed up, or synchronized, on the file server. At the same time, never assume that the data is completely gone.