Originating Author: Omengle
The Sarbanes-Oxley Act of 2002 (SOX) mandates financial accountability of publicly held companies and affects how they secure, access, recover and validate stored data. To comply with Sarbanes-Oxley, regulated companies must be able to produce certain records, including documents and emails, and prove that those records have not been destroyed or altered. Officers of corporations that do not comply with Sarbanes-Oxley may be fined up to $5 million and imprisoned for up to 20 years.
Sarbanes-Oxley and storage compliance capability
By implementing data storage security, retrieval, backup and recovery protocols, a company’s record storage structure may be brought into compliance with Sarbanes-Oxley. The cost of bringing a storage system into compliance with Sarbanes-Oxley depends largely on the state of the company’s current storage, security and auditing systems. Because Sarbanes-Oxley does not list the specific records a company must keep, most companies pursue compliance by storing every document even peripherally related to financial reporting. Some companies opt to store all records and correspondence.
Specific operational goals of Sarbanes-Oxley and storage compliance
Sarbanes-Oxley storage compliance depends on a set of management and operational processes that can demonstrably keep the controls over the internal storage infrastructure compliant with the auditing framework the organization follows.
The cost of implementing a Sarbanes-Oxley storage compliance initiative may be between $200,000 and $400,000, depending on how close current storage, security and auditing systems are to meeting compliance requirements. Yearly costs of approximately $150,000 for updates and labor should be expected. The average implementation will take four to six months from analysis to deployment.
A successful Sarbanes-Oxley storage compliance implementation will:
- Fulfill Sarbanes-Oxley requirements by providing reliable reporting on archived records and by securing stored data from unauthorized access.
- Ensure that the storage system has an effective storage security system that will track addition and removal of physical storage, and a storage audit system that will track allocation, mounting, and demounting of storage volumes.
- Be complementary with other compliance initiatives that may affect the company.
- Work without interrupting business functions and systems.
- Provide a system that can scale to meet future storage needs and allows for secure migration of stored data.
The major expected effects on the IT budget will normally include:
- Assuming a storage network security system is not already in place, the cost of adding storage devices and media, security software, and records management applications to bring the system into Sarbanes-Oxley compliance will average approximately $200,000 [1]. Using a remote storage backup system may reduce the initial outlay, but will add the ongoing cost of $2-$10 per gigabyte per month.
- Update and maintenance costs for storage hardware and software, about $75,000 per year [2].
- The labor costs associated with updating storage security and validation. The cost for two months of labor by four IT professionals would be approximately $71,250 [3].
- The labor and capital costs of maintaining Sarbanes-Oxley auditing, approximately $80,000 for the first year and $20,000 for subsequent years [4].
The major expected business productivity improvements will normally include:
- Increased ability to access long-term data, allowing for improved trend tracking and prediction.
- Enhanced reporting ability, which can be incorporated into providing more detailed information to key groups if proper security protocols are followed.
Other potential impacts on organization include:
- Higher employee, customer, client and shareholder confidence levels.
Risks of implementing Sarbanes-Oxley storage compliance initiative
A major risk to the success of a Sarbanes-Oxley storage compliance initiative is the loss of archived records through theft of or physical damage to storage media. Each type of storage media has a vulnerability that may cause data loss: optical discs are sensitive to sunlight, hard drives can be damaged by electrical shock, mobile storage devices can be lost or stolen and tapes can be damaged by magnetic fields. This risk can be minimized by taking proper care of storage media, by redundant archiving and by adequate data recovery protocols.
In addition, the storage requirements of Sarbanes-Oxley are not explicitly spelled out. What type of data must be stored, and for how long, is open to interpretation. Until the regulation is more clearly defined, choosing to discard any document, record or correspondence may put the company at risk of noncompliance.
A data archiving system may degrade system performance and be unable to scale to meet changing business needs. In addition, new procedures, systems or interfaces may meet end-user resistance.
The Sarbanes-Oxley and storage compliance initiative
The Sarbanes-Oxley storage compliance initiative will be implemented when the design systems and devices are installed, tested and approved by the project’s key decision maker and the corporate legal and compliance groups.
EXPECTATIONS (OUT-OF-SCOPE)
The following factors, although necessary for a Sarbanes-Oxley compliant storage initiative to succeed, are not within the scope of this initiative:
- The requirements of the Sarbanes-Oxley Act have been studied and storage and security requirements for data sets have been defined.
- Upper management demonstrates a commitment to internal control of storage security.
- Current corporate policies regarding storage management have been documented and are available.
- The current storage structure is mapped and supporting documentation is available.
- Appropriate data management metrics are defined.
- A storage management structure is in place and a key decision maker has been identified. Roles within the storage organization, and its points of coordination with other business groups, are defined and understood.
- Documentation about other Sarbanes-Oxley compliance initiatives within the company is available.
ANALYZE PHASE
Acceptance Test Considerations
The analyze phase will be completed when the initial business case has been accepted by the sponsor, and agreement has been reached to proceed to the design phase or kill the project.
Key analysis milestones
Analysis should take 4-6 weeks for most companies.
1. Actual data security, storage audit, access, retrieval and recovery practices are documented and compared to written policies, procedures and operation goals.
2. Practices and policies are reviewed to determine compliance gaps.
- Legal and compliance teams should be involved in reviewing current practices.
3. Security risks associated with current storage management operations are identified.
- An external security audit should be performed to help find possible security threats and ensure that the storage auditing software & procedures are satisfactory.
4. Current IT, security and Sarbanes-Oxley mandated auditing procedures are reviewed.
5. Data sets to be archived are defined, keeping in mind the Sarbanes-Oxley requirements, the risk of not being able to produce required records, and the cost of storage.
- Legal and compliance groups should review stored data set definitions to make sure they show a good faith effort at compliance.
DESIGN PHASE
Acceptance Test Considerations
The design phase will be completed when the Sarbanes-Oxley storage compliance design has been accepted by the sponsor and agreed to by the key application user groups, and agreement has been reached to proceed to the deploy phase or kill the initiative.
Key design milestones
The design phase should take 8-12 weeks for most companies.
1. Storage management policies are updated to reflect Sarbanes-Oxley regulations and identified risks.
- Legal and compliance teams should review and approve changes.
- For compliance, policies must be documented and followed.
2. Data storage security procedures are designed in line with new policies and Sarbanes-Oxley requirements.
- Reporting procedures in case of a storage security breach are defined.
- Processes to validate the accuracy of reported information in the case of a security breach are documented.
- Access to data must require identification and authentication.
- Satisfactory storage audit software & procedures are in place for physical and logical volumes, and physical storage audit systems are in place for storage arrays.
3. Protocols are designed to recover stored data, report on losses and validate the accuracy of reported information in the case of disaster.
4. Data backup choices are reviewed and an appropriate system or systems are identified.
- Tape backup is both inexpensive ($0.25 to $0.40 per gigabyte) and removable. The hardware required can be quite expensive. Saving data can be a slow process (1 MBps-10 MBps), as can retrieval. Data on tape can be damaged by magnetic fields.
- Hard disks offer fast writing (10 MBps to 30 MBps) at approximately $1 per gigabyte. Hard disks have high storage capacity, which allows for automated backups, and can be easily accessed for data retrieval. Some storage hardware offers write-once WORM (write once, read many) capability, which prevents stored blocks from being overwritten after they are committed.
- “JukeBox” optical storage (CD-R/DVD-R) costs about $0.10 to $0.20 per gigabyte. However, each disc holds only 700 MB (CD) or 4.7 GB (DVD), so automated or unattended backups are impractical. For archival storage, write-once discs help demonstrate the Sarbanes-Oxley requirement that data has not been tampered with, since the medium itself cannot be rewritten; what was written in the first place still has to be verifiable.
- Mobile devices such as thumb drives, pocket drives and flash memory are usually unsuitable for secure backup of corporate data. Although their portability makes it easy to transport backup records off-site, their relative storage capacity is low and expensive at $30 to $100 per gigabyte.
- Remote backup systems allow companies to transfer data to a backup provider who manages manual storage activities and maintains the data off-site. The price and reliability of remote storage depends on the provider, but costs usually range from $2 to $10 per gigabyte per month.
5. Storage indexing and retrieval systems are researched and designed.
- Requested data must be available to oversight agencies on demand.
6. A backup and purging schedule for records, based on the Sarbanes-Oxley compliance requirements, is designed and documented.
- Depending on the type of records, required archival time may be up to 30 years.
7. A storage auditing plan is developed within the company’s overall auditing framework. The COSO (Committee of Sponsoring Organizations of the Treadway Commission) internal control framework, commonly used for Sarbanes-Oxley audits, would include analyzing the following five components:
- Control Environment: Evaluate the discipline, structure and ethical tone of the company with regards to storage compliance.
- Risk Assessment: Identify threats to the storage system.
- Control Activities: Procedures are in place to control risks.
- Information and Communication: Make sure that everyone involved in the system is properly trained and that information flows effectively.
- Monitoring: Perform routine evaluations to make sure the storage system continues to meet the initiative goals.
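Several of the design milestones above (proving that archived records have not been altered or destroyed, validating reported information after a loss, and backing WORM media with a verifiable record of what was written) can be supported with a hash manifest of the archive. The following is an added example written for this page, not code from the original article or any product it mentions; the archive layout, file names and record contents are constructed assumptions. It hashes every record, stores the manifest separately, chains each manifest to the previous one, and on verification reports records that were altered, deleted or added after the manifest was taken.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB blocks so large records need not fit in memory


def sha256_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, prev_manifest_digest: str = "") -> dict:
    """Hash every regular file under root (paths stored relative to root).

    prev_manifest_digest chains this manifest to the one before it, so an
    older manifest cannot be quietly replaced without breaking the chain.
    """
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    return {"prev_manifest_sha256": prev_manifest_digest, "files": files}


def manifest_digest(manifest: dict) -> str:
    """Digest of a manifest's canonical JSON form, used for chaining."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the archive's current contents with a stored manifest.

    Returns the records that are intact, altered (hash mismatch), missing
    (in the manifest but not on disk) and unexpected (on disk but not in
    the manifest), plus a single 'clean' flag.
    """
    current = build_manifest(root)["files"]
    expected = manifest["files"]
    result = {"ok": [], "altered": [], "missing": [], "unexpected": []}
    for rel, meta in expected.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            result["altered"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(expected))
    result["clean"] = not (result["altered"] or result["missing"] or result["unexpected"])
    return result


def demo() -> dict:
    """Constructed scenario: archive three records, then alter, delete and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "archive"      # hypothetical record store
        manifests = Path(tmp) / "manifests"  # kept apart from the records
        (archive / "2006" / "q1").mkdir(parents=True)
        manifests.mkdir()
        (archive / "2006" / "q1" / "ledger.csv").write_text("acct,amount\n1000,250.00\n")
        (archive / "2006" / "q1" / "msg-0001.eml").write_text("Subject: Q1 close\n\nDone.\n")
        (archive / "policy.txt").write_text("retention: 7 years\n")

        # First manifest, written at archive time and stored outside the archive.
        m1 = build_manifest(archive)
        (manifests / "manifest-0001.json").write_text(json.dumps(m1, sort_keys=True))
        before = verify_manifest(archive, m1)

        # Simulated tampering: a same-size edit, a deletion and a stray file.
        (archive / "2006" / "q1" / "ledger.csv").write_text("acct,amount\n1000,260.00\n")
        (archive / "2006" / "q1" / "msg-0001.eml").unlink()
        (archive / "2006" / "q1" / "late-entry.txt").write_text("added after close\n")

        # Re-verify against the manifest as stored on disk.
        stored = json.loads((manifests / "manifest-0001.json").read_text())
        after = verify_manifest(archive, stored)

        # A new manifest for the changed set is chained to the previous one.
        m2 = build_manifest(archive, prev_manifest_digest=manifest_digest(m1))
        chain_ok = m2["prev_manifest_sha256"] == manifest_digest(stored)

        return {"before": before, "after": after, "chain_ok": chain_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats apply. The manifest only proves that a record is unchanged since it was hashed, not that it was correct when archived, so it must be taken at ingest time, before the records leave the custody of the producing system. And the manifest is only as trustworthy as its own storage: anyone who can rewrite the records and the manifest together can regenerate both, so the manifest (or at least its digest) belongs on write-once media, in a signed audit log, or in a separately controlled system, which is also why the example keeps it out of the archive tree. Size and modification time are recorded for reporting but are never used as the integrity check; the altered ledger above keeps its original size.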
DEPLOY PHASE
Acceptance Test Considerations
The Sarbanes-Oxley storage compliance initiative will be deployed when the design systems and devices are installed, tested, documented, and approved by the project’s key decision maker and the corporate legal and compliance groups.
Key milestones
Deployment should take 4-6 weeks for most companies. Companies with significant amounts of data to back up may take significantly longer.
1. Data storage security procedures are installed and documentation is updated.
- Validation and reporting processes are in place.
2. Data is backed up and stored.
- If archiving data is to be completed in-house, backup hardware and media are purchased and installed. Regulated data is copied to backup media and stored, preferably offsite.
- If using a remote backup system, data is transferred to the backup provider.
3. Disaster recovery, reporting and validation processes are implemented and tested.
4. Storage indexing and retrieval systems are installed and tested.
5. Auditing plan is implemented.
6. Sarbanes-Oxley storage compliance initiative is documented and reviewed by legal and compliance teams.
Initiative summary
Storage compliance is a key consideration and expense when embarking on a Sarbanes-Oxley initiative. Bringing storage into compliance may initially cost between $200,000 and $400,000, depending on the degree to which existing systems need to be updated. Ongoing expenses will often exceed $100,000 annually. Such efforts are complicated by the pressure to store all electronic content for much longer periods and to be able to reconstruct the process by which it was created.
Footnotes
[1] The Total Economic Impact of SQL Guard; Forrester Research, Incorporated; Dan Merriman and Sadaf Roshan; April 2006.
[2] ibid.
[3] Based on median salary of $85,000 for a database administrator in Columbus, Ohio from salary.com, plus 25% for benefits.
[4] The Total Economic Impact of SQL Guard; Forrester Research, Incorporated; Dan Merriman and Sadaf Roshan; April 2006.