Governance, Risk & Compliance – Management Commitment; Building a GRC Aware Culture

Taveesak Saengthong, Thailand Country Manager, Hitachi Data Systems


© 2007 Hitachi Data Systems


Agenda

• GRC Challenges

• GRC Enabler by Archiving

• Lessons learned from world-class Archiving deployment


The Rise of Un-structured Data

• Office Files

– Documents, Spreadsheets, Presentations, Forms, Graphic Files

• Web Pages and Application Files

• Fee based content

– Movies, Music, IPTV, Games, Gambling, Education, Software downloads

• Social networking and content sharing

– Online dating, Networking, Work Spaces, Podcasts, and webcasts

• Mapping

• Surveillance and Security camera images

• Medical Imaging

• Call Centre – Voice Transcription

• Check Processing

Retention Timeframes Are Getting Longer

Retention timeframes by industry (Source: ESG)

• Life Science/Pharmaceutical

– Processing food: 2 years after commercial release

– Manufacturing drugs: 3 years after distribution

– Manufacturing biologics: 5 years after manufacturing of product

• Health care (HIPAA)

– Records in original form: 5 year minimum for all records

– Medical records <18: from birth to 21 years

– Full life patient care: length of patient’s life + 2 years

• Financial services (17a-4)

– Financial statements: 3 years

– Member registration: end-of-life of enterprise

– Trading account records: end of account + 6 years

• OSHA

– Records: 30 years from end of audit

• Sarbanes-Oxley

– Records: original correspondence, 4 years after financial audit

The Changing Forms of Data

[Chart: Total Digital Archive Capacity, by Content Type – Worldwide (TB), 2005 to 2010. Content types: E-mail, Database, Unstructured. Vertical axis: 0 to 30,000,000 TB.]

Thailand Compliance: Computer Crime Acts

Seeing Red: The Business Challenge

Feb ’05 Bank of America incident: lost backup tapes; 1.2 million federal employees’ credit cards affected

June ’05 Morgan Stanley incident: misplaced backup tapes containing critical email records; plaintiff seeking $2.7B in damages and govt. investigating non-compliance

April ’05 watershed case of Zubulake vs. UBS Warburg: Federal jury mandated that UBS pay $29.2 million in damages

Significance: Placed burden of producing electronic evidence on companies issued with discovery

Result: Companies must proactively prepare for electronic discovery


Recent enforcement fines for electronic records and email

• October 4: NASD fined Oppenheimer & Co $800,000

– “failures to respond to regulatory requests for information; failures to report timely and accurately, thousands for municipal securities transactions; and failure to retain business-related internal email”

• Sept 19: NASD fines three companies of MetLife $5,000,000

– “for providing inaccurate and misleading information to NASD, allowing late trading of mutual funds, failing to produce emails in a timely fashion”

• Sept 13: NYSE fines Wachovia Corp $800,000

– “failing to provide for the review and/or retention of certain email communications…”

• March 2006: NASD fines Diversified Investors $2,200,000

“Experts” lining up to sell consulting and solutions

A Typical Enterprise Archive Environment: Independent Silos

• Data creation applications: Email Server, Document Management, General Accounting, Web Applications

• Protocols: SMTP, CIFS, NFS, HTTP

• Storage: Optical Jukebox, Tape Library, NAS, RAID Array

• A separate search for each silo: Search #1, Search #2, Search #3, Search #4

• Lack of Scalability

• No Search Across Disparate Storage Systems

Content Archive Platform: How it Works

• Supports multiple applications & content types

• Embedded full-text indexing and search

• High-performance, scalable, and secure storage

[Diagram labels: Home Grown Application, Medical Imaging, File System (HDPS), Document management, Email Server (HDPS), Discovery Module]

Active, Object-Based Archiving

• Authentication

– Policy-based object management guarantees archived data is authentic, available and secure

– Guards against corruption/tampering

– User selectable hash algorithms include SHA-1, 256, 384 or 512; MD5 and RIPEMD-160

• Retention

– Prevents file deletion before retention period expires

– Can be set explicitly or inherited

– Deferred retention option

– Can set a Retention Hold on any file

• Protection

– Self-configuring and self-healing with automated policy enforcement, failover and ongoing integrity checks

– Ensures specified number of replica copies are maintained to tolerate simultaneous points of failure

– Can be set to maintain 2 to 4 internal copies depending on value of data

• Shredding

– Ensures no trace of file is recoverable from disk after deletion

– Complies with US DoD 5520-M spec.

• Replication

– Object based: Bi-directional, one to many, many to one

– Files, metadata and policies

– Replicate data to alternative locations

• Duplicate Elimination

– Find and inspect duplicates

– Remove duplicates, maintains integrity

• At-rest Data Encryption

– Protects content from being recovered from stolen media using patented “Secret Sharing” technology

– Transparently encrypts all content, metadata, and search index

– Implements a distributed key management solution

Discovery: Optional Advanced Search Capability

Navigators provide drill down by key terms, file type, and retention

View additional file system and archive metadata

Search Result Set

Support for:

• 370 File Formats

• 77 Languages

• Full-text, metadata and system data indexing

Set/Release Retention Hold

Export Results

Case Study: National Archives & Record Service, Korea

• NARS is the Central Records Management office of the Korean Govt.

– Policy making for Records Management in Govt Agencies

– Manage valuable records of the nation and preserve them for future generations

– http://www.archives.go.kr/

• Achievement (as of 2007)

– Spread Organization: 41 Government Agencies

– Quantitative Achievement: capturing 281,410,000 records; on-line records of 10TB

– Qualitative Achievement: securing authenticity of electronic records; maximizing access of records

Case Study: NASA’s scientific data

The environment:

• 72TB archive

• ArC archives data from Aura's Ozone Monitoring Instrument (OMI), which monitors the ozone and other chemical components in the Earth’s atmosphere.

Decision Criteria of NASA:

• Open file system interface

• Ease of scalability

• Data ingestion performance

72TB solution (36TB protected):

• Ingestion: Data production applications process and send satellite images to ArC via HTTP

• Processing Cluster: 70 applications augmenting original data with additional analysis and metadata

• ArC: Archivas data preservation

• Access via HTTP Gateway

• Access via NFS Gateway

• Access: Research community

“ArC gives me lots of flexibility in how I configure my storage. I can drop the cluster in and scale it to large amounts of storage.”

– Curt Tilmes, NASA Goddard Space Flight Center

Case Study: MIT - Computational & Systems Biology (CSBi)

The environment:

• 12TB archive, growing to 62TB

• Generating very large files from two applications – Cellomics and Perkin Elmer “Hoygens” microscopy

Decision Criteria:

• Open gateways - ease of integration

• Ability to support multiple applications

• Scalability to very large capacities

24TB solution (12TB protected):

• Ingestion: Cellomics Imaging & Processing application

• Ingestion: Perkin Elmer Microscope Imaging

• ArC: Archivas data preservation

• Access via NFS Gateway

• CIFS

• ArC Tools

• Access: Researchers

Just ordered: 100TB expansion (50TB protected)

Case Study: Cancer Therapy Research Center (CTRC)

The environment:

• 5TB archive

• CTRC sees approx. 450 outpatients a day

• Generating very large files from a number of imaging modalities

• 100% per year archive growth rate anticipated

Decision Criteria:

• HIPAA regulatory compliance

– Authentication

– Retention

– Security

• Multiple application support using standard interfaces

• Competitive price

5TB solution (2.5TB protected):

• Ingestion: Radiology applications send medical images (CT-SCANS, PET-SCANS, MRIs) to ArC via SMB

• ArC: Archivas data preservation

• Access via SMB Gateway

• Access: Doctors and Remote Hospitals

“Our doctors are always tracking the size of tumors. A patient could generate between 125 and 500 Mbytes of data, and we have about 15TB of data online…With ArC nobody will be able to change a record and we’ll on the fly be able to print a record out as needed... (EMC) Centera was more costly and didn’t do what we needed.”

– Mike Luter, CTO, Cancer Therapy Research Ctr.

Thank You
