Storage & Clustering Community Blog

Is ‘Good Enough’ Technology, Good Enough for Compliance?

Created: 10 Dec 2012 • Updated: 11 Jun 2014
Author: dennis_wenk

Difficult economic conditions lead to fiscal belt tightening; the demand for data, however, keeps growing, and with it the requirement for hardware to manage that data.  Big data and its appetite for hardware become prominent line items that look like ripe, low-hanging fruit to cost-cutters.  Buying low-priced, ‘good enough’ or mediocre equipment starts to look like an opportunity to trim a burgeoning budget item.  The price of the hardware, however, is only one part of the total cost equation.

Low-cost gear costs less not just because of limited functionality; it is cheaper because a number of engineering shortcuts are taken during design and manufacturing.  Using looser-tolerance components with higher failure rates, or removing redundant components, are common ways to reduce production cost.  These shortcuts, however, reduce overall reliability and increase the failure rate.

Lower reliability means more outages, and outages require restores, rebuilds, restarts and reboots.  The cost of these recovery actions, plus the productivity lost when staff are diverted from more valuable work, can quickly exceed the one-time savings from buying cheap equipment.

Mediocre equipment can do far more damage to the organization than raising operating expense.  Because mediocre devices are more prone to reliability problems, they expose the organization to a higher level of data-integrity risk and, more seriously, to the risk of outright data loss.

Data is not an off-the-shelf commodity; you cannot buy replacement data if it is lost.  Without a duplicate copy of critical data, the loss is irreversible and permanent.  Transactional data in particular has grown in both value and volume, and reconstructing it without a duplicate copy is difficult, if not impossible: there is no longer a hard-copy source for most transactions, which arrive directly over the network.

Data is one of three irreplaceable corporate resources; loss of time and loss of life are the other two.  ‘Oh, come on, really; compare loss of data to loss of life?’  Widely cited industry figures hold that over 50% of companies that lose critical business systems for more than 10 days never recover, 43% of companies experiencing a disaster never reopen, and 29% of the remainder close within two years.  Going out of business is the death of a corporation.

Technology is tightly woven into the operating fabric of today’s organizations, and in many ways technology has become the business.  Using mediocre, ‘good enough’ equipment creates an untrustworthy environment for critical corporate information by placing vital data at risk.  It not only increases operational risk; it creates a material internal control weakness by contributing to data-integrity problems and raising the risk of data loss.  That risk of data loss compromises compliance with a growing number of government regulations.

At the heart of this growing government regulation of business are internal controls and operational risk.  Not since the Foreign Corrupt Practices Act (FCPA) of 1977 has so much attention been paid to corporate governance, and these newer regulations have a big bite and very sharp teeth.  The Sarbanes-Oxley Act holds senior executives personally liable: knowingly certifying a non-compliant financial report can result in fines of up to $1 million, up to 10 years in prison, or both.  To say the least, this has gripped the attention of every corporate senior officer.

Sarbanes-Oxley Section 302 requires signing officers to certify that they have evaluated their internal controls and to disclose any material weakness in them.  A material weakness is a condition in which there is a high probability that material financial errors, irregularities or risk events could occur and not be detected by employees or existing control processes.  Implementing acceptable internal controls is the key to satisfying Sarbanes-Oxley.  Although most IT organizations set policies and practices to limit vulnerabilities and reduce security incidents, this best-effort scenario is no longer enough for the federal government.  An untrustworthy operation has serious non-compliance implications in today’s corporate governance environment.  Is a nominal, one-time saving from purchasing mediocre equipment worth the risk of prison?

Sarbanes-Oxley controls are not unlike those in the Gramm-Leach-Bliley Act (GLBA) of 1999 and the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which were enacted to safeguard data against unauthorized and improper use.  In this case, however, the SEC is squarely focused on corporate accountability.  Negligence, ignorance or a ‘good enough’ effort is no longer acceptable under this law, and blind trust in an IT system will not be an acceptable defense.  The law formally establishes corporate responsibility to create and maintain controls that identify and manage the risks that result in inaccurate data.

Internal controls are largely in the realm of IT, and compliance is no longer optional for the modern organization.  Sound internal controls include policies and procedures to maintain accurate records, properly record and report transactions, and safeguard assets against unauthorized or improper use.  Since mediocre equipment puts data in jeopardy, ‘good enough’ equipment is not really good enough for compliance.

If mediocre equipment weakens an organization’s internal controls, the reverse also holds: higher quality strengthens them.  Quality therefore has value with respect to compliance.  Quality solutions improve operational effectiveness by reducing operational risk and strengthening internal controls; built to superior design standards, including redundancy of critical components, they sharply reduce the likelihood of data loss and so increase the protection of data assets.  Quality is technology’s ‘Keep Out of Jail’ card.


Blog Author:
Mr. Wenk is Principal Resiliency Architect for Symantec’s Storage and Availability Management Group. He has consulted worldwide with large Fortune 500 customers, generating demand for cloud infrastructures and architecting private cloud solutions for technology-intensive organizations in over 20 countries, tackling some very challenging, complex and ambiguous problems. His experience includes developing architectures and strategies for highly available, resilient and secure infrastructures in heterogeneous IT environments. He has performed quantitative operational risk assessments that were used to justify the significant investments required to build, transform and maintain resilient infrastructures; he has performed technology assessments, IT consolidation and transition strategies, and developed site selection criteria for complex heterogeneous technology consolidations. In addition, he has developed charging methodologies and performed capacity planning and performance evaluations in large, complex IT environments. Dennis has developed a number of risk-based services that quantify the return on technology investments that increase resiliency and improve continuity programs. His background includes experience with EMC Consulting as Senior Cloud Architect; with Hitachi Data Systems as Principal Global Solution Architect for High Availability Solutions; with IBM Global Network as an Outsourcing Project Executive; with Comdisco, where he was Western Director of Technology Consulting; with KPMG, where he was Senior Manager, Group Leader for IT Operations and Transformations; and with Heller Financial, where he served as VP/Information Processing. Dennis Wenk earned an MBA in Accounting and Finance and a BS in Computer Science from Northern Illinois University. He is a Certified Information Systems Auditor (CISA), Certified Data Processor (CDP) and Certified Systems Professional (CSP), and is certified in ITIL Service Management.
He was awarded Best Management Paper by the Computer Measurement Group, and he currently sits on the Advisory Board for Continuity Insights and serves as its Technology Chair. He has served as Cloud Special Interest Group Leader for the Outsourcing Institute and as Business Continuity Focus Expert for the Information Technology Infrastructure Management Group. He is an advisor to the Business Continuity Services Group. Dennis has written award-winning professional articles and white papers and has been published in Information Week, Computer Performance Review, Trends and Topics, Continuity Insights, Infosystems, Computer Measurement Group, and DR Journal. He is a regular speaker at industry conferences worldwide. His current topics include ‘3 Simple Complexities of Data Protection’, ‘Think About Never Failing, Not How To Recover’, ‘Focus On The Largest Source Of Risk: The Data Center’, ‘Risk Economics’, ‘Gaining Competitive Advantage: The Myth of the Resiliency Paradox’, ‘Eco-Friendly Data Center’, ‘Virtualization, a Resiliency Enabler’, ‘Economic Impact of Interruptions’, ‘Risk-based Business Continuity’, ‘High-Stakes Business Impact Analysis’, ‘A Risk-Based Approach to Internal Controls’, and ‘Resiliency: Clearing the Five Nines Hurdle’.