Creating Trustworthy Archives
The efficient and secure storage of business records is fundamental to the insurance industry. Since its conception, organisations and individuals providing insurance services have needed to retain critical records to ensure the successful operation of their business.
Today, this simple business imperative remains, but the introduction of government and industry regulations creates even greater pressure on organisations. Not only are they forced to retain specific business records, but they must also be able to defend the authenticity of this information. Failure to do so can lead to fines and litigation, with devastating financial and political consequences. Recent high-visibility court cases have graphically demonstrated just how damaging this can be to the wallet and reputation of an organisation.
As part of the financial services industry, insurance agencies are subject to regulation by the FSA and its industry-specific agencies such as the IMRO, PIA, SIB, RPB, SRO and LAUTRO, to name just a few. In addition, the retention of insurance records is subject to the guidelines defined in the COBS (Conduct of Business Sourcebook).
Depending on the records in question and their specific use, these agencies and guidelines typically require the retention of records for between three and seven years, and in some cases much longer. In practice, many of these firms retain records well beyond the regulation requirements.
The FSA acknowledges this reality in a recent report: “Market participants also say that it helps them with issues related to the Inland Revenue to store certain records electronically for longer than the minimum retention period. However, because it is not cost-effective to sift through records and retain some while discarding others, firms tend to keep all records beyond their minimum retention period.” (FSA Handbook, Release 019, Annex C, May 2003)
This situation has created a real dilemma for all financial services companies. On the one hand they’re being forced to securely retain more data for longer periods of time, yet on the other hand they’re expected to accomplish this with fewer people and smaller budgets. How can organisations respond effectively to this dilemma?
Solving this problem is not trivial, since it involves several different but interrelated concepts. An effective data archival storage strategy must meet regulation demands for retention, while being easy to manage, scalable and cost-effective. It must be grounded in processes and procedures that establish and maintain the authenticity or “trustworthiness” of the archived records. This is made difficult because many electronic documents are dynamic and can be updated or altered during different stages of their life.
One proven approach is to establish a process-based “Chain of Trust” (Trustworthy Storage and Management of Electronic Records, Cohasset Associates, Inc., April 2003) that guides records throughout their life and clearly documents their authenticity. This Chain of Trust is comprised of both processes and products that work together to establish record trustworthiness. The primary components within the chain can be divided into four ‘links’:
- Record Management Application
- File Management
- Storage Management
- Storage Media
The File Management link oversees the logical read/write access to all records. It controls the deletion or overwriting of files, write verification and security/file encryption (as required). File Management software could be part of a Record Management Application, but is often one or more separate products that operate between Record Management and the operating system to control records at a file level.
Storage Management is the physical recording of records and the management of the storage infrastructure. For example, when an electronic record is written to a storage device, the device may verify the accurate completion of the write operation and pass the verification back through the chain to the Record Management Application. This allows the application to accurately report on audit trail information. In addition to managing individual storage devices, the Storage Management link would also control the use of removable media libraries (optical and tape), which are commonly used in archival storage environments.
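An added example, not part of the original article or of any product it mentions: one way the write verification and audit trail described in the two paragraphs above could fit together, with a later audit that detects an altered record. The function names, receipt fields and hash-chained trail are assumptions for illustration, and a temporary directory stands in for the storage device.

```python
import hashlib, json, os, pathlib, tempfile

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def write_once(root: str, record_id: str, data: bytes) -> dict:
    """Storage link: create-only write, read back, return a verification receipt."""
    if os.path.basename(record_id) != record_id:
        raise ValueError("record_id must be a plain file name")
    path = pathlib.Path(root, record_id)
    # O_EXCL makes creation fail if the record exists, so nothing is overwritten.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    stored = digest(path.read_bytes())  # hash of what actually landed on the medium
    return {"record_id": record_id, "sha256": stored, "verified": stored == digest(data)}

def log_receipt(trail: list, receipt: dict) -> None:
    """Application link: append the receipt, chained to the previous entry's hash."""
    prev = trail[-1]["entry_hash"] if trail else "0" * 64
    body = json.dumps(receipt, sort_keys=True)
    trail.append({"prev": prev, "receipt": receipt,
                  "entry_hash": digest((prev + body).encode())})

def audit(root: str, trail: list) -> list:
    """Findings: broken trail entries and records that differ from their logged hash."""
    findings, prev = [], "0" * 64
    for i, entry in enumerate(trail):
        receipt = entry["receipt"]
        body = json.dumps(receipt, sort_keys=True)
        if entry["prev"] != prev or entry["entry_hash"] != digest((prev + body).encode()):
            findings.append(f"trail entry {i} broken")
        prev = entry["entry_hash"]
        if digest(pathlib.Path(root, receipt["record_id"]).read_bytes()) != receipt["sha256"]:
            findings.append(f"record {receipt['record_id']} altered")
    return findings

def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        trail = []
        # Constructed sample records; the temporary directory stands in for the archive.
        for rid, data in [("policy-001.txt", b"policy text"), ("claim-002.txt", b"claim text")]:
            log_receipt(trail, write_once(root, rid, data))
        clean = audit(root, trail)
        altered = pathlib.Path(root, "claim-002.txt")
        altered.chmod(0o644)  # simulate a change made outside the archive software
        altered.write_bytes(b"changed text")
        return {"clean": clean, "after": audit(root, trail)}
```

File permissions alone do not make a record immutable, which is why the audit re-hashes the stored bytes against the receipt logged at write time.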
The last link in the chain is the actual storage media used to record the data in the records. There are several possible choices including magnetic disk, tape and optical storage media. Each of these technologies offers different performance, longevity and cost attributes. As with any link, choosing the correct media type will be critical to the overall strength of the chain.
Magnetic disk is the only real solution for active data sets since it provides the performance needed for interactive operations. However, as a long-term archival storage medium it doesn’t offer the stability of other media and can be very expensive for large configurations. Tape is most commonly used for backup and disaster recovery environments since it’s a high capacity, inexpensive removable media. Tape can be used for archives, but random access times are slow and it must be carefully maintained and rewritten to ensure data integrity.
By contrast, 5.25 inch optical storage technology has been designed specifically for long-term electronic archives. With a media life of more than 50 years, it is an extremely stable and cost-effective technology. The fact that 5.25 inch optical solutions are available in both Rewritable and Write Once formats is another major strength within archive environments. Many organisations use Write Once optical as the final link in their Chain of Trust since it provides best-case audit trail accountability for storage records and meets or exceeds government and industry archival storage regulations.
Just like a physical chain, the Chain of Trust for record archives consists of multiple interrelated links of equal importance. One weak link in the chain can jeopardise the trustworthiness of all records. Since individual requirements vary dramatically, the design for a Chain of Trust must begin with a clear understanding of the exact regulations and corporate standards that need to be met. With this in hand, the individual links can be forged and data trustworthiness can be established.
The Cohasset White Paper on Trustworthy Storage cited above is available for download from the Plasmon website: http://www.plasmon.com