There is nothing new about the need to assess, manage and store information according to its value. In every organisation, data that is mission-critical today may be of little value in a month and almost worthless in a year.
But for most businesses, it is becoming increasingly important to protect even this seemingly worthless data from accidental destruction and loss. Corporate governance regulations such as Sarbanes-Oxley, HIPAA and Basel II, and national data protection laws, for example, are forcing businesses to retain and store information for longer periods of time than has been necessary in the past.
Information lifecycle management (ILM) is a term that has been bandied about the IT industry for a number of years, but is now starting to come into its own as a system to manage and automate the storage of an organisation’s electronic data. ILM is a process in which information is stored according to its business value and is automatically transferred to progressively cheaper storage media as its value declines over time.
However, the implementation of an ILM strategy is not a simple process and is not a task that should be undertaken lightly. It is a long-term strategy to manage and store essential data and is likely to take some time to implement – experts predict it will take between three and five years to fully implement an ILM strategy in a business.
Additionally, those tasked with implementing such a system require an understanding of current data protection legislation and corporate governance requirements, as well as knowledge of current storage technology. Applying a value to information held by the business is also a difficult task and is one that should not be undertaken without due consideration.
Over the past few years governments have passed financial and medical regulations that dictate strict record keeping of auditable data and ensure that these records are stored for specific periods and under specific conditions. The regulations include:
• Sarbanes-Oxley – The Sarbanes-Oxley (SOX) Act came into force in 2002 in response to financial auditing scandals such as Enron and WorldCom. Designed to protect investors, SOX requires all publicly traded companies to produce a detailed information audit trail of all financial correspondence, including emails, reports and all other financial data. This data must be retained for seven years.
• HIPAA – The Health Insurance Portability and Accountability Act 1996 defines how the healthcare industry should securely handle patient data. It includes privacy policies for information, as well as retention policies for medical records. In general, patient records are to be retained for the life of the patient, plus two years, although this varies according to the type of patient record.
• Basel II – Basel II is an international initiative that requires financial services companies to have a more ‘risk sensitive’ framework for the assessment of regulatory capital. To comply, companies need IT systems that can capture, store and consolidate credit risk data to produce the reports in a controlled and auditable way. Credit-risk data must be retained for three to seven years, depending on the type of information.
Analysts agree that businesses should take a four-step approach when implementing an ILM strategy. The first step involves gaining an understanding of what data is being stored and where it is currently kept. This extends to emails stored in personal email folders and documents currently stored in archived folders. From there the data can be categorised according to business requirements – how often it is accessed and how quickly it might need to be retrieved.
The second step involves introducing tiers of storage. Experts believe three tiers are suitable for small enterprises, with four tiers for larger enterprises. New information, and that which is regularly updated, can be stored on expensive fibre channel disk systems where high performance, reliability and ease of recovery of data are the core information requirements.
Information that has served its purpose and which no longer requires access, but needs to be easily retrieved because of governance legislation, can be migrated to a cheaper form of storage, such as serial advanced technology attachment (SATA) disks. Tape can be used for data that needs to be retained but is unlikely to be accessed again. The final tier is offline tape held in a secure facility, most likely offsite, which can be reintroduced to a tape library if the data needs to be recalled.
Once data has been categorised sufficiently, it then needs to be mapped to the appropriate data tier, the third step in the implementation of an ILM strategy. The final step is the automation of the ILM process, so that data is automatically moved between the different levels of archive storage.
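The mapping and automation steps can be sketched in a few lines of Python. This is an added example, not part of the original article: the tier names and the seven-year retention figures come from the text above, while the idle-day thresholds, the record fields and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Tiers named in the article, most expensive first.
TIERS = ["fibre-channel", "sata", "tape-library", "offline-tape"]
# Assumed idle-day thresholds for dropping one tier; not from the article.
DEMOTE_AFTER_DAYS = [90, 365, 3 * 365]
# Retention in years as stated in the article (upper bound for Basel II).
RETENTION_YEARS = {"sox": 7, "basel2": 7}

@dataclass
class Record:
    name: str
    created: date
    last_access: date
    regime: Optional[str]  # key into RETENTION_YEARS, or None if unregulated
    tier: str              # where the step-one inventory found the record

def target_tier(rec: Record, today: date) -> str:
    """Step 3: map a record to a tier by how long it has been idle."""
    idle = (today - rec.last_access).days
    return TIERS[sum(idle >= limit for limit in DEMOTE_AFTER_DAYS)]

def retain_until(rec: Record) -> Optional[date]:
    """Date before which a regulated record must stay retrievable."""
    years = RETENTION_YEARS.get(rec.regime)
    if years is None:
        return None
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:  # created on 29 February, target year has no such day
        return rec.created.replace(year=rec.created.year + years, day=28)

def plan_moves(records, today):
    """Step 4: list the migrations an automated job would carry out."""
    moves = []
    for rec in records:
        dest = target_tier(rec, today)
        if dest != rec.tier:
            moves.append((rec.name, rec.tier, dest, retain_until(rec)))
    return moves

# Constructed sample inventory (hypothetical records).
SAMPLE = [
    Record("ledger-2019", date(2019, 3, 1), date(2023, 12, 15), "sox", "fibre-channel"),
    Record("audit-email", date(2020, 2, 29), date(2022, 6, 1), "sox", "sata"),
    Record("old-memo", date(2018, 5, 1), date(2019, 1, 1), None, "sata"),
]

if __name__ == "__main__":
    for move in plan_moves(SAMPLE, date(2024, 1, 1)):
        print(move)
```

Each planned move carries the retention date with it, so whatever job performs the migration can record how long the destination copy must remain recoverable.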
One of the problems that has prevented ILM being accepted as a mainstream solution to a business’s data storage needs is that businesses have been frightened off by its complexity. However, recent research shows that UK businesses are starting to embrace the ILM process as an intrinsic part of their strategy and infrastructure.
The Information Lifecycle Management (ILM) Survey 2006, conducted by market analyst group Quocirca, found that in the last 12 months UK businesses have moved from the planning and implementation stages to fully incorporating ILM strategies as a core part of the business infrastructure.
Understanding of the existing data management environment was also found to have increased by about a third, and this surge in confidence has facilitated a 40% decrease in respondents seeing a need to improve their ability to manage data.
So, despite worries about its complexity and issues surrounding the length of time it can take to implement an ILM strategy, it appears that ILM is providing a number of UK businesses with a comprehensive ‘cradle-to-grave’ approach to data storage.