Enterprise Strategy Group
Published: 05 Dec 2016
Compliance mandates dictate how you should conduct operations or, at the very least, define how someone else believes you should. That "someone else" could be senior execs, a board of directors, the legal department, or external agencies or industry groups.
With so many potential stakeholders, many businesses end up having to follow multiple unaligned regulations. A publicly traded pharmaceutical maker in the U.S., for example, may be simultaneously subject to retention rules handed down by the Securities and Exchange Commission, the Food and Drug Administration, the Department of Agriculture and the Drug Enforcement Agency.
Also, some regulations include language related to data protection requirements without being precise regarding the method. Rather, they focus almost entirely on the outcome. In other words, these regulations won't instruct you to use specific software products or storage media; they just tell you what your retention durations and destruction standards must be.
Whatever a regulation says or doesn't say regarding the specifics of data protection requirements, if you rely on backup administrators to ensure adherence, you've already failed. Typical backup admins don't have enough visibility into every task related to data protection requirements and internal policy to ensure compliance. For example, a vAdmin rather than the backup admin might oversee protection of certain virtual machines. Or perhaps a database administrator may be the person who ensures a particular mission-critical database properly replicates off-site. Backup admins sometimes aren't even aware of every regulation that needs to be followed.
That's not to say backup admins aren't a crucial part of compliance. They are. But other equally important participants factor into the equation:
- Application and workload owners (e.g., database administrators). They manage how applications should be maintained for uptime by following best practices for data management.
- Infrastructure managers (e.g., vAdmins or IT operations staff). They oversee how servers are provisioned and maintained.
- Business unit leaders and non-IT employees. They supervise various teams who rely on the IT infrastructure and create or use regulation-affected data.
- Compliance teams. They comprise HR staff, internal legal staff, and external auditors and attorneys.
Each group plays an indispensable role in achieving compliance because, in most organizations, one group's perspective is usually neither wholly understood nor a primary focus of the others. Some people understand the regulations. Others understand the data. Some know the platforms. Others know how data and platforms alike must be protected and recoverable to ensure availability.
The key is communication
The single most important part of compliance is communication.
The process starts with compliance teams becoming educated on applicable internal or external regulations and desired outcomes. Particularly when outside mandates are in play, consider developing a comprehensive table -- a requirements "superset" -- listing each mandate. Revalidate the list semiannually to ensure it remains accurate.
Some regulations may conflict with others, but that is a rare case when it comes to a single data set. (For example, a federal law may conflict a bit with a state law. In that case, the organization's legal team might need to determine which regulation supersedes the other or otherwise establish how to proceed in a manner that achieves "regulatory harmony" defensibly.)
After identifying what adherence outcomes must be achieved -- for example, ascertaining that a certain record type should be preserved for seven years instead of six -- communication between the compliance team and other groups within the organization should continue. Plan to provide some education regarding what needs to be done and why it's important (i.e., conduct training sessions and provide participants with referenceable handouts that describe relevant regulations and offer business-level context regarding why those rules exist), then trust the other teams to develop viable ways to achieve compliance -- for example, by updating the records management procedures that are specific to their business units.
Additional regulation-related best practices
Now that you've collectively developed plans to align your data protection requirements and compliance efforts, two more actions come into play:
- Inspect what you expect. There are two ways to test for compliance: "looking to pass" and "looking to improve." Regarding the former, if you only strive for green checkmarks, you may find them, sure, but you could still fail on a larger scale. Instead, seek out those red X's, albeit in a safe and collaborative manner. By doing that, you'll have a better chance of passing your audits and achieving what you need to when you really need to.
- Seek out outside expertise. The difference between knowledge and wisdom is experience. Your teams may have the composite knowledge to align IT and business processes with applicable mandates, but outside experts with proven compliance experience will help you effectively assemble all the pieces of the puzzle when it comes to data protection requirements and compliance. For example, they can share their own interpretations of how a given mandate has influenced IT and business processes at companies elsewhere.
To sum up, don't rely solely on a backup admin to maintain an entire organization's compliant status. Emphasize communication and follow through with training. Don't despair if you encounter a red X during an internal audit; it simply means you have the chance to fix that issue before it becomes an expensive problem. And take advantage of the real-world knowledge of outside experts. They can help you avoid pitfalls you didn't even know existed.
In this way, you'll confidently implement and ultimately succeed in ensuring compliance for your organization.