The intent is to make it significantly more difficult for people in the process to perpetrate frauds or propagate errors. For example, consider the process of making cash deposits in a bank and later reconciling account statements: If the same person can do both, he can more easily steal money.
SOX leans heavily on the idea of separation of duties being applied to IT with respect to financial processes and data, yet companies are struggling to keep up with it. Just under half of participants have a policy dictating separation of duties.
Where separation of duties is impossible because of costs, limitations in the systems or staff shortages, practices such as fuller logging, log auditing and frequent process reviews can serve as a backstop to make up for the lack of real separation.
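The compensating control described above, log auditing in place of real separation, can be checked mechanically. The following is an added example, not code from the original article: it assumes a hypothetical application log format (`<timestamp> <user> DEPOSIT|RECONCILE account=<id>`) and flags any account where the same user both made the deposit and reconciled the statement.

```python
"""Separation-of-duties audit over an application log.

Added example, not from the original article. Assumes a hypothetical
log line format: "<timestamp> <user> <action> account=<id>", where the
actions of interest are DEPOSIT and RECONCILE. Any account where one
user performed both actions is reported as an SoD violation, so that
log auditing can backstop a missing separation of duties."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) (DEPOSIT|RECONCILE) account=(\S+)$")

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2007-03-01T09:00:00Z alice DEPOSIT account=1001
2007-03-01T09:05:00Z bob DEPOSIT account=1002
2007-03-31T17:00:00Z carol RECONCILE account=1001
2007-03-31T17:02:00Z bob RECONCILE account=1002
2007-03-31T17:03:00Z dave RECONCILE account=1003
"""


def parse_log(text):
    """Yield (user, action, account) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, user, action, account = m.groups()
            yield user, action, account


def find_sod_violations(text):
    """Return {account: sorted users} for accounts where one user did both actions."""
    actors = defaultdict(lambda: {"DEPOSIT": set(), "RECONCILE": set()})
    for user, action, account in parse_log(text):
        actors[account][action].add(user)
    violations = {}
    for account, by_action in actors.items():
        overlap = by_action["DEPOSIT"] & by_action["RECONCILE"]
        if overlap:
            violations[account] = sorted(overlap)
    return violations


if __name__ == "__main__":
    for account, users in find_sod_violations(SAMPLE_LOG).items():
        print(f"SoD violation on account {account}: {users}")
```

Running this against a real export would be one of the "frequent process reviews" the text mentions; accounts with no reconciliation at all (1003 above) are not flagged, since that is a completeness gap rather than an SoD conflict.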
The second half of the compliance-cost equation is technology. Ironically, despite the high costs of having humans perform compliance duties, the overwhelming majority of IT executives in Nemertes’ benchmark weren’t buying tools specifically to assist them in compliance. They are instead relying on existing logging tools to develop audit trails, and existing security tools to maintain access controls.
They are, though, increasingly aware of a sometimes hidden cost in compliance efforts: storage. The steady increase in logging and in meta-data generation around production data, archival data and logs means that the amount of required storage is increasing.
Moreover, a little more than half of our participants kept compliance-related archival data on their storage-area networks for a while before dumping it off to tape, which means that in most places archival data retained only for compliance is occupying prime real estate in the high-speed RAID arrays and SANs of the enterprise.
Further increasing the storage costs of compliance are retention practices. More than a quarter of benchmark participants told us they retained records forever (see graphic, below). These folks have decided that the risks of not having information that might someday be asked for in court outweigh the costs of retaining data permanently, a perspective that’s increasingly valid. Another quarter said that time frames vary according to the kind of information being retained. In some cases time frames are based on legal requirements and sometimes are reviewed regularly, but mostly aren’t. Finally, the remainder retain records for various fixed periods, typically seven to 10 years, or as long as the law requires, potentially plus a few years.
How much is all this records retention costing in terms of increased storage costs? It is hard to say. Reported storage growth rates range into the high triple digits (100+% year over year), with many enterprises naming records retention as a significant contributor to that growth.
Storage hardware costs are dropping nearly in half every 18 months (for disk space, at any rate). So despite consumption doubling, with costs halving the overall rate of infrastructure cost increase is probably in the single digits. However, the cost of powering up, cooling off and managing all that extra space is not dropping at a similar rate, so the operating costs of owning and running the storage are rising at a rate more similar to that of space consumed.
Either as a part of or in conjunction with other compliance efforts, many participants in Nemertes’ benchmark are grappling with information protection. At its base, the problem information protection addresses is making sure that information can be seen only by the people who should see it. Clearly, it’s important, and information protection was identified 38.6% of the time as a top security-spending priority in 2007 and 2008.
Information-protection technologies include network and storage encryption, as well as enterprise rights management. Topmost on IT executives’ minds this year is protecting the data residing on enterprise laptops, and encryption is the tool of choice. Solutions range from hard drives with on-board encryption to freeware storage-encryption software to commercial products. About 10% of participants have something deployed or in deployment; more than twice that many are evaluating their options.
Information protection relies on identity management (the ability to keep track of who is who). Identity management was cited by 27.3% of participants as a spending priority in the coming year, and about 60% of those willing to speculate on spending in 2008 expect it to increase.
These projects are intrusive, difficult and expensive, yet also are increasingly seen as unavoidable, especially by large enterprises.