In This Issue
- Compliance Audit Looms
- Cost of Non-Compliance
- Potential Security Breach Impacts Business Continuity Plan
New mandated federal laws make compliance a critical component in the management of all business records. Business records are any record, electronic or otherwise, that provides evidence of a company's business-related activities, events, and transactions.
This means the following:
- Electronically stored information - including email messages, attachments, and other data is discoverable and may be used as evidence for or against your organization in litigation.
- Business records email and other electronically stored information that is related to current, pending, or potential litigation must be retained, archived, and produced in a timely and legally compliant fashion during discovery, and the evidence-gathering phase of litigation.
- Businesses are allowed to routinely purge electronic archives of data that is not relevant to ongoing litigation or pending cases. However processes have to be in place to halt this destruction when litigation begins or is anticipated to begin.
- Writing over backup tape once litigation is underway may constitute virtual shredding and lead to allegations of spoliation, or the illegal destruction of electronic evidence.
- To be accepted as legal evidence, email and business records must be preserved and produced in a trustworthy, authentic, and tamper proof manner.
Today, more than ever, companies are confronted with a broad array of electronic document issues, including data retention policies and e-discovery during litigation. Failing to comply with rules regarding such electronic data can cost millions of dollars.
For instance in one case, the SEC alleged that defendant failed to produce tens of thousands of emails sought by the SEC in two investigations. The court entered an 8-page consent judgment against defendant. Three of the major points in the judgment were:
- Defendant was ordered to pay $15,000,000
- Defendant was permanently enjoined from violating Section 17(b) of the Securities Exchange Act of 1934 (requiring a prompt document production, including electronic documents); and
- For one year, Defendant, at its own cost, was ordered to hire an independent consultant (acceptable to the SEC) to review and evaluate defendant's policies, procedures, and training in order to comply with the judgment. The independent consultant could make recommendations which must be adopted by Defendant.
Whether it is government agencies, research facilities, banking institutions, credit card processing companies, hospitals or your company's computers - the risk of compromising private information is very high -- especially when when conducting a disaster recovery tests. Since business relies so heavily on technology today, business risk becomes technology dependent. The possibility of litigation is part of business. It has always been a risk of doing business, but because technology and today's business are so intertwined, business risk has a higher threat level. This has prompted many to encrypt workstations and mobile computers in order to protect critical business data
If you have rolled out encryption, how do you maintain your IT service quality when the hard disk drive fails? How do you plan and prepare for a data loss when the user's computer is encrypted? These are all issues that should be considered when putting together a data disaster plan. In addition, data recovery, one of the more common missing elements of a disaster recovery plan, should also be factored in because it can serve as the last ditch solution when all other options have been exhausted.
Potential Security Breach Impacts Business Continuity Plan
The processes driving comprehensive disaster recovery planning and security protection are both offensive and defensive. Initially, protections are seen as exclusively defensive - protect what you have rather than help drive business into the enterprise. In reality effective security is an enabler, much like the Internet and network capability, that facilitates a company's move to the better resource deployment and improved operational performance. As firms add the latest advanced mobile communications and computing technology, and expand on-line resources for both on-premises and remote workers, complete security is essential.
Regulations like Sarbanes-Oxley and ISO might seem to influence the actions of only public companies, but even private mid-size firms are well advised to establish and maintain compliance. After all, a firm may go public one day or, of more immediate concern, be an acquisition target.
Compliance with government reporting guidelines can also be a prerequisite for landing government contracts. In essence, the sooner a firm moves toward regulatory compliance, even if it is not an immediate necessity, the easier that transition will be compared to the future, when a company may be larger and more complex.
Protecting vital business data is a necessity. This is where investment in disaster recovery is critical and where different on-premises and off-premises solutions can be applied. Many firms do not always back up to remote locations. In fact, 45% indicate that while they do back up regularly, they still keep their data on-site rather than at a separate secure location.
There are three fundamental stakeholders in any comprehensive approach to IT infrastructure protection:
- Your own company that's being protected from potential internal and external threats
- Customers and partners who might suffer harm if their information falls into the wrong hands
- The government which establishes legal compliance requirements and other obligations that will guide the activities of you and all your competitors. The changing regulatory environment makes comprehensive data protection and disaster recovery essential. In some industries like financial services and health care, there are strict rules regarding how records are handled. Issues like legal discovery are also influencing data storage and retrieval practices
Disaster Recovery - Business Continuity - Security Template Bundle
We have just the download you need to create a world class plan and assure you leave no stone unturned. With these templates we walk you through the entire process, providing all the tools you need along the way. As an added benefit you can purchase an update service which keeps these templates abreast of the latest legislated and mandated requirements. All of our documents have been updated to comply with PCI-DSS, Sarbanes-Oxley, HIPAA, the ISO 27000 (formerly ISO 17799) series - 27001 & 27002, and PCI-DSS.
The Disaster Recovery / Business Continuity and Security Manual Template bundle comes in three versions - Standard, Premium, and Gold.