The Imation® InfiniVault® not only delivers significant economic benefits through its information archiving abilities, it also meets multiple regulatory compliance requirements—a key consideration for today’s financial institutions. Sarbanes-Oxley, as well as the SEC 17a-4, SEC 17 CFR Part 240 and SEC 17 CFR Part 241 amendments to the Securities and Exchange Act of 1934, are just some of the regulations for which InfiniVault helps automate compliance by its end users.
INFORMATION STORAGE REQUIREMENTS FOR SOX
The Sarbanes-Oxley Act of 2002 (also known as the Public Company Accounting Reform and Investor Protection Act of 2002) is a federal law that sets standards for U.S. publicly traded company boards, management, and public accounting firms. Sarbanes-Oxley, or SOX as it is commonly known, has provisions that describe corporate governance rules and business operation controls.
While most of the SOX regulations relate to accounting practices and financial reporting, there are specific requirements regarding information storage. Because these requirements include prescribed retention periods for financial data, information archiving is particularly affected by these rules.
The elements of the SOX federal law that pertain to information—and how the Imation InfiniVault helps meet the requirements—are noted in the following table:
| Requirement | Imation InfiniVault Solution |
| --- | --- |
| Control of access to information | Imation InfiniVault requires that authentication be established to allow authorized access to information contained within the InfiniVault archive. Passwords are required for identification and for access to administrative functions. |
| Audit trail of access | Imation InfiniVault keeps an audit trail log of every action taken on a file. The audit trail includes information about the ingestion, every subsequent access, the disk cartridges and locations where the file resides, and the retention period and actions performed. The audit trail provides a complete chain-of-custody for all financial records that are archived. |
| Media protection - retention | Ingested files are put into independent archives within Imation InfiniVault; within the archives, multiple folders may be configured. Each folder within an archive has a retention period setting. Files will be retained until that retention period expires; in the case of Sarbanes-Oxley, seven years. |
| Media protection - integrity - protection from alteration or destruction | Imation InfiniVault stores archived financial data in WORM (Write Once Read Many) mode, both in the Active Archive and on the RDX® removable disk cartridges. The hardware-enforced WORM on the disk cartridges ensures that data cannot be altered or deleted until the retention period has expired. Additionally, a hash algorithm is performed on the data to create a unique content address that is used to verify that no data has been changed during any transmission or storage operation. |
INFORMATION STORAGE REQUIREMENTS FOR SEC REGULATIONS
The Securities and Exchange Act of 1934 has been the basis for protecting investors from fraudulent practices in the securities industry. One of the most stringent of its rules was enacted in 1997 through an amendment called 17a-4; this defined the requirements for electronic storage of records. Every SEC or NASD member, broker, and dealer must preserve records according to this regulation. Records are defined as all documents that may relate to the business, which includes email, reports, transaction logs, and other relevant business data.
Regulations such as SEC 17a-4, SEC 17 CFR Part 240 (Release 34-44227) and SEC 17 CFR Part 241 (Release 34-47806) cover specific requirements relating to storage of electronic records on storage systems. The specific issues involved in meeting these regulations for electronic storage of records—along with an explanation of how the Imation InfiniVault system helps meet the regulations—are noted in the following table:
| Requirement | Imation InfiniVault Solution |
| --- | --- |
| Electronic media to store records must preserve them in a non-rewritable, non-erasable format, such as WORM technology | Imation InfiniVault stores business records in WORM (Write Once Read Many) mode, both in the Active Archive and on the RDX® removable disk cartridges. The hardware-enforced WORM on the disk cartridges ensures that the data cannot be altered or deleted until the retention period has expired. Additionally, a hash algorithm is performed on the data to create a unique content address that is used to verify that no data has been changed during any transmission or storage operation. Upon retrieval, a new hash is calculated and compared to ensure integrity of the information. |
| The electronic storage media must automatically verify the quality and accuracy of the storage media recording process | Imation InfiniVault verifies that for every copy of information, every write operation to the media was completed successfully without error. |
| The electronic records must be available for SEC review at all times for immediate and easy production | The records archived in Imation InfiniVault are accessible from the active archive, online removable disks, or offline removable disks. The active archive even provides persistent visibility to archived files that have been removed for offline storage. |
| The electronic storage media must have the ability to readily download indexes and records | In addition to the availability of the records for access, a complete inventory of all files and their locations is maintained within Imation InfiniVault. The index may be viewed or retrieved at any time by authorized users. |
| Records must be preserved for a prescribed period of time | Each folder within an archive has a retention period setting. Business records will be retained until that retention period expires. |
| Storage media system labels the storage unit in sequential order and records the date and time that information is electronically stored | Imation InfiniVault automatically makes protected copies that are uniquely serialized, and which may be removed for storage at remote locations. InfiniVault maintains a table that shows the sequential order of recording onto removable cartridges, and a record of the date and time that the information was written. Two copies are made by default, but up to four copies may be created. |
| An audit system must be in place for accountability regarding records required to be maintained and preserved. Attempts to alter or remove records must be recorded. A means must be provided to recover altered, damaged, or lost records. | Imation InfiniVault keeps an audit trail log of every action taken on a file. The audit trail includes information about the ingestion, every subsequent access, the disk cartridges and locations where the file resides, and the retention period and actions performed. Attempts to alter or delete information are also recorded in the audit trail. The audit trail provides a complete chain-of-custody for the information. Any damaged or lost records on a disk cartridge may be recovered from any of the duplicate (mirrored) cartridges that were created. A vault may be defined to automatically create up to three additional copies. |
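The content-address, retention and audit behaviour described in the tables above, sketched as an added example that is not Imation's code. SHA-256, the `WormArchive` class and its method names are assumptions (the page does not name the hash algorithm), and the write-once rule is enforced here in software rather than by cartridge hardware.

```python
import hashlib
import time


class WormArchive:
    """Toy write-once store: content-addressed, retention-locked, audited."""

    def __init__(self, retention_seconds, clock=time.time):
        self.retention = retention_seconds  # retention period for this folder
        self.clock = clock                  # injectable so tests can move time
        self.objects = {}                   # content address -> (data, ingest time)
        self.audit = []                     # append-only (time, action, address, outcome)

    def _log(self, action, address, outcome):
        self.audit.append((self.clock(), action, address, outcome))

    def ingest(self, data: bytes) -> str:
        address = hashlib.sha256(data).hexdigest()  # SHA-256 is an assumption
        if address not in self.objects:             # write once: never overwrite
            self.objects[address] = (bytes(data), self.clock())
        self._log("ingest", address, "ok")
        return address

    def retrieve(self, address: str) -> bytes:
        data, _ = self.objects[address]
        # Recompute the hash on every read and compare it with the address.
        if hashlib.sha256(data).hexdigest() != address:
            self._log("retrieve", address, "integrity-failure")
            raise ValueError("stored content no longer matches its address")
        self._log("retrieve", address, "ok")
        return data

    def delete(self, address: str) -> bool:
        _, ingested = self.objects[address]
        if self.clock() < ingested + self.retention:
            # Refused, but the attempt itself lands in the audit trail.
            self._log("delete", address, "denied-retention")
            return False
        del self.objects[address]
        self._log("delete", address, "ok")
        return True
```

Because the address is derived from the content, any change to the stored bytes is detected on the next read without a separate checksum database.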
SUMMARY
The SOX federal law represents a significant risk for public companies that do not comply; non-compliance with its regulations could result in both fines and imprisonment for up to 20 years. This should prompt serious deliberation at any company that has yet to address its compliance obligations.
To satisfy SEC 17a-4, SEC 17 CFR Part 240 and SEC 17 CFR Part 241 rules, a storage system must comply with all elements of the regulations; failure to meet the requirement on even a single point results in non-compliance, and can lead to substantial penalties.
Imation InfiniVault provides a simple, easy-to-use solution to help comply with SOX and SEC electronic storage rules, while delivering significantly more cost-efficient data archiving. With the Imation InfiniVault, expense and complexity are no longer barriers to meeting today’s strict regulatory and legal requirements.