Marco T' Chou - PowerPoint PPT Presentation
1
Enterprise DATA Protection
  • Marco T. Chou
  • Sr. Planning Consultant
  • Allstate Insurance Company
  • 3075 Sanders Rd., G2E
  • Northbrook, IL 60062-7127
  • (O) 847-402-2720
  • (C) 847-226-2263

2
What are the two most important words in IT?
Data Protection
  • Agenda
  • Stay In Business (Backup and Recovery)
  • Guidelines for Developing RTO and RPO
  • Components of Recovery Time
  • Recovery Technology Methods
  • Trade-offs Between Tape and Disk Recovery
  • How To Size Recovery Infrastructure
  • Moving Data To The Mountain
  • Do You Know Where Your Data Is?
  • Stay Out Of Trouble (Regulatory Compliance)
  • Information Lives, Moves and Changes
  • Information Protection
  • IT Requirements for Data Access Accountability
  • Summary

3
Developing RTOs and RPOs
  • These are driven by defined business requirements
    (i.e. SLAs)
  • These requirements are often about survival
  • Recovery Time Objective (RTO): the target time
    to return a business process to an acceptable
    functional state following a disruption.
  • Recovery Point Objective (RPO): the point in time
    prior to the disruption to which data will be
    recovered.
  • Can be done by getting a handle on the exposures
    faced by a business
  • Financial, Operational, or Legal Exposures
  • Can be achieved by a formal Business Impact
    Analysis (BIA)
  • Measured by time lost, cost of downtime and cost
    of lost data

4
Components of Recovery Time
  • Recovery Time must be measured from when business
    functionality is lost, to when it is restarted in
    an acceptable form.
  • These phases include
  • Declaration
  • Transportation (people, equipment, tapes)
  • Manual
  • Electronic
  • Reconstruction of servers
  • Reloading of data
  • Restoring of applications and networks
  • Some phases run in parallel, many do not
  • Consider issues with each phase for your site
  • What are your options? Is there a better way to
    do it?
  • What's the price tag?
  • Factors that affect these times are
  • People, Process, Procedure
  • Technology, throughput, bandwidth, etc.
  • Business Recovery Plans

5
Recovery Technology Methods - Server
  • Cold (Hours --> Days)
  • Reload from tapes
  • Reload from network images
  • Rebuild from scratch
  • Lengthy process but less expensive
  • Significant impact to business, users, and
    customers
  • Warm (Minutes --> Hours)
  • Reconfigure for production
  • Reboot off alternate internal drives
  • Moderate impact to business, users, and
    customers
  • Hot (0 --> Minutes)
  • High availability clusters
  • Instant fail over
  • Fast but expensive
  • Least (or NO) impact to business, users, and
    customers

6
Recovery Technology Methods - Data
  • Tape
  • Tape Cloning for Remote Storage
  • Remote Tape Vaulting
  • Manual
  • Electronic
  • Disk
  • Application Based Replication
  • Database Based Replication
  • Storage Controller Based Replication
  • SAN Based Replication

7
Trade-Offs Between Tape and Disk
  • Disk based recovery
  • Is an on-line recovery
  • Instant access
  • Allows for hitting much tighter RTOs and RPOs
  • Tape based recovery
  • Is an off-line recovery
  • Must load, configure and read the data before
    it can be accessed
  • Lengthy process
  • Through-put rates
  • Read from disk vs. read from tape
  • Removable Media
  • A tape can be taken out of the library and taken
    to the recovery site
  • A tape can be dropped, broken and lost and you
    may not know it
  • Ability to store vs. ability to access
  • Tape capacities increased 10 fold, but access
    rate increased 3 fold
  • Consider the Value of Your Data

8
How to Size Recovery Solutions
  • Driven by many factors
  • Recovery Objectives
  • How quickly must recovery be achieved?
  • How much must be recovered? GBs vs. TBs, 5 vs. 50
    servers
  • How much data can you afford to lose?
  • Backup window: downtime for applications (SLA,
    number of 9s)
  • Network Bandwidth
  • Between sites (Cold, Warm, Hot)
  • Within sites
  • Resource and availability
  • Server capacity
  • Tape drive
  • Costs of technology
  • HW, SW, Storage (Disk/Tape), Network, Vendor
  • Must be done year by year: prices drop and
    technology changes
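As an added worked example (not from the presentation), the sizing questions above turned into a small calculator: it sums the recovery phases from slide 4 with parallel phases overlapping, reloads data at an assumed per-stream throughput, and checks two constructed plans against a business RTO and RPO. The throughput figures, the plan phases and the 4 TB / 8 h / 1 h scenario are all assumptions.

```python
from dataclasses import dataclass

# Constructed throughput figures (MB/s per drive or link), for illustration
# only; size a real solution from measured restore and replication rates.
THROUGHPUT_MBPS = {"tape": 120.0, "disk": 800.0}

@dataclass
class Phase:
    name: str
    hours: float
    parallel: bool = False  # overlaps the phase listed before it

@dataclass
class Plan:
    name: str
    phases: list
    copy_age_hours: float  # age of the newest recoverable copy = achievable RPO

def reload_hours(data_gb: float, technology: str, streams: int = 1) -> float:
    """Hours to reload data_gb over `streams` concurrent drives or links."""
    return data_gb * 1024 / (THROUGHPUT_MBPS[technology] * streams) / 3600

def recovery_hours(phases: list) -> float:
    """Total elapsed time: a run of parallel phases counts only its longest member."""
    groups = []
    for p in phases:
        if p.parallel and groups:
            groups[-1].append(p.hours)
        else:
            groups.append([p.hours])
    return sum(max(g) for g in groups)

def evaluate(plan: Plan, rto_hours: float, rpo_hours: float) -> dict:
    """Check a plan against the business's RTO and RPO."""
    elapsed = recovery_hours(plan.phases)
    return {"plan": plan.name, "recovery_hours": round(elapsed, 2),
            "meets_rto": elapsed <= rto_hours,
            "meets_rpo": plan.copy_age_hours <= rpo_hours}

# Constructed scenario: 4 TB of data, business RTO of 8 h and RPO of 1 h.
DATA_GB = 4000
TAPE_PLAN = Plan("nightly tape, offsite vault", [
    Phase("declaration", 1.0),
    Phase("transport tapes from vault", 4.0),
    Phase("rebuild servers from images", 3.0, parallel=True),
    Phase("reload data on 4 tape drives", reload_hours(DATA_GB, "tape", 4)),
    Phase("restore applications and network", 1.0)], copy_age_hours=24)
DISK_PLAN = Plan("async disk replication to warm site", [
    Phase("declaration", 1.0),
    Phase("reconfigure replicas for production", 0.5),
    Phase("restore applications and network", 1.0)], copy_age_hours=0.25)
```

Run `evaluate(TAPE_PLAN, 8, 1)` and `evaluate(DISK_PLAN, 8, 1)` to see that the tape plan misses both objectives while the disk plan meets them, at a higher price tag.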

9
Moving Data To The Mountain
In the 1950s, a Pennsylvania mine served as a
bomb shelter for companies' executives and
records.
10
Today, a data center in the former mine receives
archival records over the Internet.
Reference: www.IronMountain.com
11
Do You Know Where Your Data Is?
  • Putting the Right Infrastructure in Place
  • Compliance with electronic records retention
    regulations, whatever their source
  • Storage medium
  • Options: Tape, magnetic disk, optical disk
  • Considerations: Security, data integrity, costs,
    performance, accessibility, searchability
  • Applications
  • Must comply with the relevant regulations
  • Capabilities: Records protection, online
    indexing, categorization, search, audit
  • Policies & Procedures
  • How data is to be moved and stored
  • How and when authorized IT and other personnel
    can access and modify data
  • If and when data should be destroyed after a
    certain retention period
  • Must ensure that unauthorized employees do not
    have the ability to inappropriately access,
    alter, or delete records

12
Information Lives, Moves and Changes
  • Information is Alive: The Blood of Your Business
  • Changes over time
  • Information is different
  • Information Protection Isn't About Cost, It's
    About Business Value
  • Different Value
  • Classify Your Data
  • Tier your storage level
  • Manage Growth
  • Protection: Backup, Access Control
  • Regulatory Compliance
  • Faster Recovery
  • Costs
  • What factors impact information value?
  • Legislation
  • Business Processes
  • Data Purpose Change
  • Litigation and Audits
  • ILM (Information Lifecycle Management)

http://www.emc.com/ilm
13
Information Protection Why Now?
  • Existing Regulations
  • IRS
  • Securities and Exchange Commission's rule 17a-4
  • Requires financial services companies to archive
    all electronic communications, including e-mail
    and instant messages.
  • Gramm-Leach-Bliley Act
  • Banks are facing higher data demands on privacy
    rules
  • New Regulator Drivers
  • USA Patriot Act: Anti-money-laundering (Bank)
  • Sarbanes-Oxley Act (SOA)
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • California Security Breach Notification law
  • Higher Marketplace Expectations
  • What CIOs Are Thinking
  • Here are the most important IT management issues
    that CIOs will confront in 2004 (ComputerWorld,
    1/26/2004):
  • Sarbanes-Oxley Act
  • Security
  • Project prioritization
  • Continued focus on cost
  • IT sourcing

http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,89378,00.html
14
Where to Start
  • No Magic
  • No shrink-wrap
  • No turn-key solution
  • No one-size-fits-all
  • Won't happen overnight
  • Understand the consequences
  • Objective: Phased Approach (Divide & Conquer)
  • Form team of stakeholders
  • Company culture and business process change
  • Executive sponsorship
  • Funding and resource
  • Interpret applicable regulations' requirements
  • Legal assistance
  • Outside perspectives & peer practices
  • Decide approach & methodology
  • Risk mitigation

15
What Applies To Your Business?
  • Confusion on Interpretation, deadlines, and
    implementation
  • SEC 17a-4: "Every member, broker and dealer shall
    preserve for a period of not less than 6 years,
    the first two in an easily accessible place, all
    records required to be made"
  • Sarbanes-Oxley: "Internal Controls" now
    interpreted to mean internal financial reporting
    controls
  • Automation vs. Manual process

16
Compliant Record Retention Periods Increase
  • Pharmaceutical/Life Sciences
  • Records relating to manufacturing, processing,
    and packing of drugs and pharmaceuticals: 3
    years after distribution
  • Records relating to manufacturing of biological
    products: 5 years after end of manufacturing of
    product
  • Healthcare (HIPAA)
  • All hospitals must retain medical records in
    originally or legally produced form: 5 years
  • Medical records: 2 years after patient's death
  • Financial Services (SEC 17a-4)
  • Financial statements: 3 years
  • Member registration for broker/dealers:
    end-of-life of enterprise
  • Trading account records: end of account + 6 years
  • OSHA
  • Employee and medical records of individuals
    exposed to toxic substances: 30 years after
    completion of audit
  • Sarbanes-Oxley
  • Original correspondence from financial audits of
    publicly traded corporations: 4 years after
    completion of audit
  • (Chart x-axis: retention period in years, 1 to 20)

Source: Enterprise Storage Group, 5/2003
17
IT requirements for data access accountability
  • Who did what to which data when, and by what
    means?
  • IT should be a partner in compliance
  • Finance people and auditors are leading
    Sarbanes-Oxley initiatives
  • Documentation and analysis will identify gaps in
    business process and shortcomings in IT
  • Technology is not the starting point
  • Efforts must begin with a business perspective
  • Take a comprehensive look at internal controls
  • Consider all systems that generate financial
    reports, e-mails, or store information
  • Be notified when someone changes database schema
    or permissions
  • Keep a record of all changes to schemas and
    permissions
  • Know what data was changed, when, and by whom
  • Know who has viewed certain data and when
  • Generate periodic reports on who accessed certain
    tables
  • Investigate suspicious behavior on certain tables
  • Know who modified a set of tables over a period
    of time
  • Automate procedures across multiple servers
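An added illustration, not part of the presentation, of the accountability requirements above using SQLite from Python's standard library: triggers record who changed which rows (the acting user comes from a session context row the application sets before each statement), a schema snapshot diff flags schema changes, and one query answers who modified a table over a period. The table, column names and user names are constructed.

```python
import sqlite3

# Constructed demo schema: an accounts table, a context row naming the acting
# user, and triggers writing every INSERT/UPDATE to audit_log (DELETE is analogous).
AUDIT_SCHEMA = """
CREATE TABLE accounts(id INTEGER PRIMARY KEY, owner TEXT, balance REAL);
CREATE TABLE session_ctx(k TEXT PRIMARY KEY, v TEXT);
CREATE TABLE audit_log(ts TEXT, actor TEXT, action TEXT, tbl TEXT,
                       row_id INTEGER, old_balance REAL, new_balance REAL);
CREATE TRIGGER accounts_ins AFTER INSERT ON accounts BEGIN
  INSERT INTO audit_log VALUES (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'),
    (SELECT v FROM session_ctx WHERE k = 'actor'), 'INSERT', 'accounts',
    NEW.id, NULL, NEW.balance);
END;
CREATE TRIGGER accounts_upd AFTER UPDATE ON accounts BEGIN
  INSERT INTO audit_log VALUES (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'),
    (SELECT v FROM session_ctx WHERE k = 'actor'), 'UPDATE', 'accounts',
    NEW.id, OLD.balance, NEW.balance);
END;
"""

def open_audited_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(AUDIT_SCHEMA)
    return conn

def run_as(conn, actor: str, sql: str, params=()):
    """Run one statement with the acting user recorded for the triggers to read."""
    conn.execute("INSERT OR REPLACE INTO session_ctx VALUES ('actor', ?)", (actor,))
    conn.execute(sql, params)
    conn.commit()

def schema_snapshot(conn) -> dict:
    """name -> DDL of every object; diff two snapshots to be told of schema changes."""
    return dict(conn.execute("SELECT name, sql FROM sqlite_master WHERE sql IS NOT NULL"))

def schema_changes(before: dict, after: dict) -> list:
    return sorted(n for n in before.keys() | after.keys() if before.get(n) != after.get(n))

def modifications(conn, tbl: str, since_iso: str) -> list:
    """Who did what to which rows of tbl since a UTC timestamp: the periodic report."""
    return conn.execute("SELECT actor, action, row_id, old_balance, new_balance FROM audit_log "
                        "WHERE tbl = ? AND ts >= ? ORDER BY ts, rowid", (tbl, since_iso)).fetchall()

def demo():
    conn = open_audited_db()
    baseline = schema_snapshot(conn)
    run_as(conn, "app_svc", "INSERT INTO accounts VALUES (1, 'acme', 100.0)")
    run_as(conn, "dba_jane", "UPDATE accounts SET balance = 900.0 WHERE id = 1")
    run_as(conn, "dba_jane", "ALTER TABLE accounts ADD COLUMN note TEXT")  # schema change
    return modifications(conn, "accounts", "2000-01-01T00:00:00Z"), schema_changes(baseline, schema_snapshot(conn))
```

The audit_log rows and the schema diff are what an auditor asks for: who changed the balance, from what to what, and that a DBA altered the table afterwards.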

18
Summary
  • Understand business requirements and regulations
  • Establish policies and procedures
  • Consistency and Integrity
  • Validate procedures and processes periodically
  • Document everything
  • Security, privacy, access control, change
    management, risk control
  • Prove that electronic systems
  • Work reliably and consistently
  • Produce and maintain reliable, trustworthy and
    authentic records
  • Have audit trail capabilities
  • Make sure it's accurate and easy to retrieve
  • Buy more storage, store more data, and keep it
    longer
  • Recommendations
  • Plan for regulatory compliance expenditures
  • Standardization and consolidation can help reduce
    overall cost of compliance
  • Prioritization