Why storage compliance should occur in later stages of an IT compliance process

The storage infrastructure is being adapted for IT compliance initiatives, but storage products are one small set of components in the bag of tools for a firm's compliance efforts.

By Chris Mellor, Contributor

What does IT compliance mean and how is compliance affecting storage infrastructures in the UK?

"When I use a word," Humpty Dumpty said in Through The Looking Glass, in a rather scornful tone, "it means just what I choose it to mean, neither more nor less."

The term compliance has a very simple top-level meaning -- being compliant with something -- and a veritable host of specific meanings, depending upon the environment in which an organisation operates. Some of these meanings are vertical market-only; others apply to all businesses.

Compliance implies a statutory requirement, a compliance authority with powers to monitor compliance, and penalties for failing to meet compliance needs. For example:

  • The Financial Services Authority (FSA) regulates the UK's financial services industry and has a range of rule-making, investigatory and enforcement powers to meet its statutory objectives. Any organisation engaged in financial services has to be compliant with its regulations.
  • The movement, processing and storage of CFC refrigerants is governed by legislation, and organisations engaged in it have to be compliant with CFC regulations.
  • Solicitors and barristers have to be compliant with Law Society strictures.
  • Data Protection Act compliance.
  • Software license compliance.

Compliance is an important topic at Irwin Mitchell, one of the UK's top ten law firms. "We have our own compliance team, a risk assessment function and a partner focused on it," says Richard Hodkinson, Group IT and Operations Director. "We take it very seriously … we have to be extra, extra careful about it … Risk management is quite a hot subject for our professional indemnity underwriter."

Hodkinson thinks that the storage infrastructure contribution to IT compliance is one of the last things needed. "Getting policies and principles right is where it all starts," he says. "You've got to have a management system, with a high-level sponsor. Without buy-in from the top, you're on a hiding to nothing. Anything else that the IT people do is messing about in the margins."

Compliance for Hodkinson applies both to paper and electronic records, which poses a problem: Software compliance products don't cover paper records.

Furthermore, there will be several separate electronic repositories. Hodkinson says you can satisfy some storage compliance needs with e-mail vaulting, citing Symantec. Big businesses can use document management products like Interwoven. But there isn't one product that does it all, that unifies the separate compliance silos.

Storage compliance products are just one small set of components in the bag of tools available for a business' compliance efforts. Some software tools are well-rounded in specific areas. RefCom from Welplan covers the compliance needs of firms involved in moving, storing and processing refrigerant gases. But it doesn't cover any other compliance functions which those firms might find necessary.

Brian Bennett, managing director for North Europe for archiving software supplier Mimosa and an ex-lawyer, says, "Our job is to provide the tools to enable organisations to meet their compliance requirements, to make that storage as painless and as cost-effective as possible."

Bennett supports Hodkinson's view of storage as being at the end of the IT compliance process with the first need being to understand your legal obligations. A legal consultancy can tell you what compliance regimes you are subject to. "You need to adhere to this or that legislation," Bennett says. "They'll read the riot act and scare you witless but they can't say what kit to use. The law firm doesn't know about IT."

Then decide upon your specific IT compliance policies, followed by the procedures needed to implement them. "You have to deal with all the stakeholders and their concerns." Only then does the storage infrastructure start getting looked at.

IT vendors will tell you what kit to use but they don't know about what laws apply: "Blending the two together is the secret … There is an increasing breed of lawyer who is more IT-savvy. But they don't and can't advise on IT infrastructure components."

Bennett thinks the IT compliance burden in the UK is growing. There is a current review of the Companies Act in relation to the keeping of financial records and he anticipates that a light form of the US Sarbanes-Oxley regulations will be imposed. At the European Union level he mentioned the EU 8, a set of directives to apply a similar framework for the EU generally.

Bodies such as FAST (the Federation Against Software Theft) would like UK businesses to increase their attention to IT compliance with software licensing. Phil Heap, FAST's Director of Services, said, "We're all using billions of pounds of software and have a legal requirement to be compliant. Part of (any) IT governance strategy should be software license compliance."

FAST offers a Compliance Programme to help companies put their software license house in order, "with around 2,600 companies going through the programme at any one time. It's still the tip of the iceberg." Heap asserts that "businesses should regard software compliance and asset management as being integral to the responsibilities of a compliance officer and join the FAST programme."

Software products are emerging to support enterprises' compliance functions. CA, for example, has GRC Manager (GRC stands for Governance, Risk and Compliance). Its purpose is to help support the central management of risk and compliance initiatives across an enterprise. CA also has a forthcoming Software Compliance Manager product focussed on software license management, which will please Heap.

Slowly IT products are being developed to help compliance functions but compliance is, at present, intrinsically a collection of silos, and differing silos for different businesses. "Most businesses have different pots of data," Hodkinson says. They "need to be sure they are taking a holistic approach." No one software product covers it all.

That is why storage should be at the end of any process developing a compliance function. Understanding your compliance exposure, and then developing policies, principles and procedures, come first, with buy-in and sponsorship from the top of the business. Surveying, selecting and obtaining IT storage infrastructure products to support these comes last.

The whole aim is to help prevent a business from falling off its compliance wall, like Humpty Dumpty, and having expensive remedies needed to put things back together again. But you will only understand what tools you need when you understand the detailed scope of your compliance exposure.

About the author: Chris Mellor has been active in storage writing for many years, editing the UK's first print storage magazine, then its first dedicated online storage news channel, and is the founder of Blocks and Files.
