Backup Strategies and Federal Regs: An Interview with LXI's Tim Kormos
by Alex Woodie
A backup strategy is one of those indispensable items that exist in every IT shop. Whether your company is big or small, it's bound to have some rules in place guiding the duplication of data. Depending on what industry you're in, the federal government is imposing a few sets of additional rules. We recently had the chance to interview backup and recovery expert Tim Kormos of LXI on what OS/400 shops should look out for when it comes to the new federal regulations.
How are companies' backup and recovery strategies being affected by new federal regulations?
First it should be pointed out that a backup and recovery strategy, or a disaster recovery plan, does not address regulatory compliance. Compliance is, or should be, a separate discipline. Backups are done for only one purpose: to recover data in the event of damage, mistake, or hardware failure. The only purpose of compliance, on the other hand, is to retain data as required. In my experience and research, backup and recovery strategies are not being affected [by new federal regulations]. Compliance as a goal is not on the radar of most organizations, primarily because the cost to implement is one that cuts across both the IT organization and the business units. A c-level executive must champion the cause [of compliance], or it will not be addressed.
Which federal regulations should companies be aware of? What types of documents are covered under these regulations?
Compliance has considerable exposure. Healthcare is slowly shifting focus with the implementation of HIPAA [the Health Insurance Portability and Accountability Act]. The financial industries are an exception. [The IRS requires] records supporting filed tax returns to be maintained and to be available regardless of the existence of the original software or hardware, and no exceptions are made for deteriorated media. Every industry has its own set of requirements [when it comes to documents]. Managers who are concerned can usually find information for their specific industry through that industry's trade organization.
What is happening with e-mail and regulatory compliance?
Not only e-mail, but instant messages are becoming important data. Government agencies are still grappling with the issue of e-mail. A good rule of thumb is to apply the same rules to e-mail that are applied to paper-based mail.
Which regulations affect specific industries? Have these industries historically been targeted for compliance in their backup and recovery processes?
Sarbanes-Oxley for all publicly traded companies, HIPAA for the healthcare industry, the Gramm-Leach-Bliley Act for the banking and financial industries, and many more. If the industry is governed by a federal regulatory agency, you can bet there are regulations regarding record retention.
What is meant by "control points" within a data backup process? How can companies implement control points in their backup processes?
Control points, to oversimplify the concept, are instances during a process where an action starts and completes, when the completion occurs, or when a document or a transaction is logged electronically or manually, as to the status of the action. "Did it complete normally, or did it fail? What time did it complete?" From that control point, a decision can be made to continue or amend the process. This decision is key to having control of the entire process, and is key to compliance.
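The control-point idea described above, as an added example that is not part of the original interview or any LXI product: each backup step is logged with its start time, completion time and status, and a failed control point stops the run rather than letting later steps proceed on top of a failure. The step names and the simulated media error are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ControlPoint:
    step: str
    started: str      # ISO-8601 UTC timestamp when the action started
    completed: str    # ISO-8601 UTC timestamp when the action completed
    status: str       # "ok" or "failed"
    detail: str = ""  # error text when status is "failed"


def run_with_control_points(steps, log=None):
    """Run backup steps in order and record a control point after each one.

    `steps` is a list of (name, callable) pairs; a callable returns True on
    success.  At every control point the run decides whether to continue:
    a failure stops it so that e.g. media rotation never follows a bad write.
    """
    log = [] if log is None else log
    for name, action in steps:
        started = datetime.now(timezone.utc).isoformat()
        try:
            ok, detail = bool(action()), ""
        except Exception as exc:  # interrupted process, hardware problem, ...
            ok, detail = False, repr(exc)
        completed = datetime.now(timezone.utc).isoformat()
        log.append(ControlPoint(name, started, completed, "ok" if ok else "failed", detail))
        if not ok:
            break  # decision point: amend the process instead of continuing
    return log


def run_succeeded(log):
    """A nightly backup counts as recoverable only if every control point completed normally."""
    return bool(log) and all(cp.status == "ok" for cp in log)


# Constructed sample run: the tape write fails, so verification never starts.
def quiesce_database(): return True
def write_to_tape(): raise IOError("simulated media error on drive TAP01")
def verify_tape(): return True

NIGHTLY = [("quiesce_database", quiesce_database),
           ("write_to_tape", write_to_tape),
           ("verify_tape", verify_tape)]

if __name__ == "__main__":
    for cp in run_with_control_points(NIGHTLY):
        print(f"{cp.completed} {cp.step:<17} {cp.status} {cp.detail}")
```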
These new regulations seem to be mandating good business practices. Do you think this is something that's necessary today, when many companies are struggling to survive?
Yes, I believe that a re-emphasis on good business practices is warranted. It's been my experience that we have a generation of IT managers who have grown up without the benefit of the disciplines developed way back in the '60s. With the decentralization of the CPU, the acceptance of PC- and Unix-based mission-critical applications, and the volume of data being generated today, I feel strongly that proper control standards are not being observed. With the events in recent years, the press--no offense--has focused on disaster recovery. Vendors, on the other hand, have focused on making backups faster and faster. The problem is that industry estimates show that between 40 and 60 percent of nightly backups are not recoverable. Bad tapes, interrupted processes, hardware problems, and in some cases tapes are overwritten or just plain lost. A disaster recovery plan with failing daily backups is next to worthless. The nice thing about good business practices is that they really cost nothing. It's a matter of looking at what's being done and putting controls in place to ensure backups are done timely and accurately.
What are the unintended consequences of mixing backups and archives?
Litigation. The data you have stored on backup tapes can be subpoenaed in civil litigation proceedings. So what you have on tape can be used against you, even though the only purpose was intended to be for backup. So even if the record retention archive has been destroyed per a documented schedule, if the data still resides on old backup tapes, your company is required to produce it.
The best strategy is to implement processes that can intermix the two disciplines into a single process. This process must be able to identify the data that is for disaster recovery and the data that is for record retention, then establish specific retention for both, separately. Then, when the archive portion of data expires, the unexpired data can be consolidated with other unexpired data, allowing the expired data to be erased.
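The separation described above, as an added example that is not part of the original interview or any LXI product: every copy on the media is tagged as disaster-recovery or record-retention data with its own retention period, so when a run expires the consolidation keeps only unexpired copies and the old media, including stray expired copies, can be erased. The library names, dates and retention periods are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Separate retention rules for the two disciplines (constructed values):
# disaster-recovery copies live 30 days, record-retention copies seven years.
RETENTION_DAYS = {"dr": 30, "archive": 7 * 365}


@dataclass(frozen=True)
class Copy:
    name: str      # library or file saved on the media
    purpose: str   # "dr" (disaster recovery) or "archive" (record retention)
    written: date  # date the copy was written


def is_expired(copy, today):
    """A copy expires according to its own purpose, not the tape it sits on."""
    return today > copy.written + timedelta(days=RETENTION_DAYS[copy.purpose])


def consolidate(media, today):
    """Split the copies held on all media into (kept, erased).

    Unexpired copies from every set are consolidated onto one new set, so the
    old media, and with it every expired copy, can be erased on schedule.
    """
    kept, erased = [], []
    for tape in media:
        for copy in tape:
            (erased if is_expired(copy, today) else kept).append(copy)
    return kept, erased


# Constructed media: two tapes, each mixing DR and archive data.
MEDIA = [
    [Copy("PAYROLL", "dr", date(2008, 1, 1)), Copy("GL2007", "archive", date(2008, 1, 1))],
    [Copy("PAYROLL", "dr", date(2008, 2, 20))],
]

if __name__ == "__main__":
    kept, erased = consolidate(MEDIA, date(2008, 3, 1))
    print("kept:  ", [(c.name, c.purpose, str(c.written)) for c in kept])
    print("erased:", [(c.name, c.purpose, str(c.written)) for c in erased])
```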
What are some common "gotchas" that companies should think about before implementing a new backup and regulatory compliance strategy?
Longevity: Is the supplier going to be in business 10 years from now? Compatibility: Can the data be read five years from now, or will future versions of the backup product be capable of reading the older data? Functionality: Is the vendor actively pursuing compliance as well as backup and recovery as vital components of the product?
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.