Whether it’s protecting privacy, ensuring security, tracking access, or following retention policies, todays data center must stay compliant, aligning IT capabilities with business needs.
More and more businesses are finding themselves in a compliance quagmire. Often complex and time-consuming, compliance requirements are driving an insatiable need for storing current and historical data. These ever-changing requirements can make it hard for your customers to stay ahead of the game.
While highly regulated industries, like healthcare, government, finance and banking have well-defined regulations for storing, sharing, protecting and accessing data, not all industries and companies have such clear standards, and that’s where it can get muddy.
Here are three steps you can take to ensure your customers stay abreast of compliance regulations and maintain their ability to access the data they need, when they need it.
1. Be Proactive and build compliance into your data center design
- Understand industry regulations – It’s important to understand the U.S. data protection compliance regulations specific to the industry you’re working in and make sure your data centers solutions are compliant. Here are some examples:
- The Health Insurance Portability and Accountability Act (HIPAA), established national standards to protect individuals’ privacy regarding their medical records and personal health information. It requires comprehensive access control, an audit trail of who has accessed the information, and appropriate disposal of documents once the retention period is up. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?language=es
- The Sarbanes-Oxley (SOX) Act is mandatory for all organizations and was created to improve corporate financial disclosures and prevent accounting fraud. http://www.soxlaw.com/
- The Payment Card Industry Data Security Standard (PCI DDS) – a set of 12 security controls that any business who handles payment cards (credit or debit) is required to implement and follow. http://searchsecurity.techtarget.com/definition/PCI-DSS-12-requirements
- Define the internal organizational policies and compliance requirements – Establish a partnership between the company’s compliance and legal officers, senior leadership, and IT proponents. Be aware of all specific corporate compliance policies, including retention and destruction requirements so they are included in the initial design to save time and costly changes after the fact.
- Get the right people at the table – As Compliance entails the protection, storage, access, or reporting of data, more than one area of IT and more than one vendor may be involved, so you’ll need to define all the players at the beginning of the process. Look for business opportunities across networking, software, servers, storage, and electronic and physical security solutions.
2. Create Data Tiers
Data tiers help prioritize the data by level of importance and access frequency while defining the type of security and storage options that are needed. The number of tiers is subjective and depends on the number of different data types in your customers’ enterprise. The more tiers you create, the finer the level of control, but it also adds complexity. For efficiency, also consider a storage management system that automatically moves data between tiers. To get started:
- Identify and catalog data assets – In this step you’ll want to classify the data based on levels of importance, sensitivity, security, and frequency of use. For example, data that is critical to daily operations and accessed frequently, like transactional data, will have different storage requirements than information that is needed infrequently, for example, older legal documents which may only be needed under special circumstances. You’ll also need to determine whether the information needs to reside onsite, or can be stored at a remote location. And equally important, plan for not only for today, but also for what you anticipate you’ll need in the future.
- Identify documentation and record retention requirements – Industry, federal, state, and local and government requirements will define the length of time records need to be stored. At this point, you’ll determine what types of storage are needed to develop a legally credible data retention schedulein tandem with policies that address information privacy, security, and disposal.
- Create your tiered storage hierarchy – In most cases, this can take months to conceive, build, test and refine. During this time, expect some departmental competition as you set up the tiers.
- Establish access policies – Define who has access to the data and what tracking capabilities are necessary. The system should be able to track who has accessed the data, when the data was accessed, and whether any changes were made.
3. Identify Compliance Solutions and Revenue Opportunities
Building a compliant data center offers opportunities for an integrated solution and consultation services that include physical and electronic access, video, storage, and security, providing the opportunity to for your business to partner with more than one vendor.
- Physical and Electronic Security Opportunities – Only authorized personnel should have identification-controlled access to the data center and locked racks. High availability infrastructure should be a key consideration to ensure uninterrupted availability of data and applications. This can be achieved by implementing an automated backup and disaster recovery plan to an offsite location, redundant network, and redundant power. Lastly, devices and sensors that track access as well as bio-metric identification also offer physical security add-on options.
- Training – Education around the importance of adherence to policies will help prevent accidental destruction of relevant information. Staff should understand that information is discoverable, even deleted files can be requested by legal entities.
- Storage Options – These solutions need to include ways to store and recover both electronic and video files and provide efficient methods to access and search for data. Deleted data, meta data, voicemail, temporary files, all forms of e-mail, backup tape, and other forms of electronic information are admissible and discoverable in a court of law. Tiered storage offers cost-effective ways to offload infrequently accessed data to secondary, less costly storage solutions.
Storage solutions vary in their capabilities, speed, and pricing. The goal is to create options for putting each data set into the lowest-cost storage possible while meeting access speed requirements:
- SSD (Solid State Drives) – offer the latest technology and the highest level of reliability, speed, and quick access to data. They also save on power consumption and are well suited for tier one data needs.
- SAS (Serial Attached SCSI) – are more cost effective than SSDs, operate at lower speeds, and are a good choice for important data that doesn’t require access as often.
- SATA (Serial ATA) – is more cost effective than SAS, but operates at slower speeds. This is a good choice for data that is accessed less frequently.
- Hybrid Cloud Storage – an option for customers who don’t want to invest in the cost of purchasing onsite storage components. It’s a good choice for disaster recovery, although speed is heavily reliant on network switching.
- Tape and electronic media – a cost effective choice for long-term storage and infrequently accessed data, but can be challenging to preserve integrity over time.
Meeting compliance requirements will continue to be an ongoing and necessary part of data center designs. Let Tech Data help take the complexity out of compliance with solutions that are up to the challenge. For more information, contact email@example.com.