CAS technologies and Sarbanes-Oxley...

  • Has anyone heard of or had experience with CAS storage technologies? If so, does this new category of technology meet your compliance requirements with regard to Sarbanes-Oxley? CAS is a new category of automated networked storage established to store large volumes of fixed content over extended periods of time. Unlike NAS, which is designed to facilitate collaboration and file sharing, or SAN, which focuses on performance, CAS is specifically designed for fixed content which might have a significantly extended life-cycle compared to transactional data.
    Just looking to hear some of your experiences first hand…

  • If it is a business contingency tool (sounds like), then it does not have SOX implication. If you are using the tool for automated back-up and restoration, then it may have a SOX implication.

  • The new Content Addressed Storage (CAS) systems won’t be specifically named in SOX compliancy guidelines. However, as part of the SOX 404 standards, the Information Technology area must adhere to best practices and sound security controls to protect the company’s information resources. A company may or may not have SOX compliancy requirements.
    More specifically with CAS files, you would want the best practices in security to ensure sensitive financial records cannot be accessed or altered outside prescribed controls. As CAS-based systems may be more suitable for long-term archiving of data, they may or may not have SOX compliancy requirements (e.g., the latest financial results may be on other storage systems). Still, it’s beneficial to look for indirect relationships and to always implement the best levels of security possible.

  • New data storage technologies or processes may or may not impact SOX compliance requirements. In short, regulations that may impact data storage and retention have common requirements:
    Generally, the requirements provide for tighter control of record retention and disposition:

    • Content must be retained for defined periods
    • Content cannot be modified
    • Content cannot be deleted
    • Must be accessible in a reasonable timeframe

    As long as these basic requirements are achieved to the extent appropriate for your business, the choice of the data storage technology employed is irrelevant. And as was previously noted in an earlier posting, Business Continuity (BC) is specifically not relevant for SOX compliance purposes.
    Hope this further helps,
