Compliance, Manipulation and Auditing: The Federal Requirements for Data Management Software


No matter where one works (public or private sector), the line between what data organizations should keep classified and what data they should expose or make public is becoming more convoluted. Laws like the Freedom of Information Act, coupled with recent changes to the Federal Rules of Civil Procedure (FRCP), are forcing organizations to re-evaluate their data management practices so they can differentiate between the data they should keep private and the data they should expose or make available to comply with these acts. However, meeting the specifications of these laws requires data management software that gives companies the flexibility to easily access and manipulate their data to meet these new requirements.

Recently I had a chance to chat with John Chirhart, an InfoReliance consultant to the federal government, about the burden that complying with these laws is putting upon US agencies. In his role, Chirhart acts as an advisor to federal departments that manage classified information and provides them guidance on how to manage their environment so they can access and manipulate this data in a way that complies with existing federal rules and regulations.

The challenge that he sees these agencies facing right now in managing their data is two-fold:

  1. Auditing their data management procedures and the data that they release (or do not release) to ensure that they are in compliance with existing laws and can justify the actions they took.
  2. Reconstructing what the data in their environment looked like at a specific, past point in time.

The need to audit how data is managed - from what data is released or withheld, who has access to it, when it is released, when it is deleted, how the software is managed and who has access to and manages the audit logs - is paramount in federal agencies. Auditors will sit down with customers and ask them to provide this type of information about their data management practices. These auditors will ask these agencies to demonstrate that certain software patches were applied, when they were applied, how frequently backups were done, whether they completed successfully and whether the backup logs support these claims. The auditor will also expect these agencies to prove that none of the information that they share with the auditor has been tampered with in any way.

The other challenge that these agencies face is establishing what data they had in their environment at some point in the past. An agency may discover that a data breach occurred at some point in the past. If that happens, they need to try to establish exactly when that data breach occurred, what data existed in their environment at the time of the breach and who had access to it so they can determine the scope of the risk.

  • Chirhart has worked with a number of data management products over the years to help his federal clients resolve these types of problems. But now he almost unilaterally recommends the CommVault® Simpana® software suite to his clients as a means to address these new types of data management issues.
  • From forensics and archiving standpoints, he has found that CommVault preserves data in a manner that withstands the scrutiny of auditors and, even when it deletes data, it keeps a log of deleted data while preserving the data in the log so that it meets the auditors' standards.
  • Because of how CommVault indexes data, CommVault users can access and manipulate data regardless of which data store it resides in (archive, backup or production). It accesses only the data that is needed for the request and does not return too much data, since the search results display only what the user is authorized to access. This enables companies to satisfy the different laws and regulations to which they are subject.

Since CommVault does end-to-end data management, CommVault can restore data to specific past points in time on different hardware. This helps his clients easily restore data to existing hardware and establish what data may have been at risk should it be determined a data breach occurred.

Audits, disaster recoveries and legal e-discoveries are now part of the world in which we live and no organization (private or public) is immune from them. Chirhart sees that while the ways different organizations need to comply may differ, the manner in which companies must manipulate and manage their data is now, in essence, almost universal, and he sees the CommVault Simpana software suite as being a great way for companies to address these needs. "The legal department should be the biggest advocate or champion within any company for this product," says Chirhart. With a few more consultants like Chirhart speaking their mind, it may not be long before that occurs.

1 Comment

Peak said:

[...]Audits, disaster recoveries and legal e-discoveries are now part of the world in which we live and no organization (private or public) is immune from them.[...]


Entry Sponsorship

This entry is sponsored by CommVault® Systems

About CommVault® Systems

    CommVault® is determined to develop a better paradigm to manage data. A paradigm that would not attempt merely to "integrate" disparate solutions, but would spawn solutions designed to work together from a single, infinitely-adaptable code. A paradigm that would not merely address current data management needs, but that would anticipate and meet needs yet to come. The paradigm would be more accessible, adaptable, flexible and powerful than any data management solution to date. That paradigm is defined as Solving Forward. CommVault® Systems, Inc.

    DCIG is paid a fee by CommVault® Systems, Inc. in connection with this blog. CommVault® undertakes no obligation to update, correct or modify any statements contained in this blog; these statements represent the views and opinions of DCIG only.