By Mike Talon
In the wake of the Enron scandal, concerns about fraud became a major issue. Consumer outcry forced the U.S. government to leap into action and pass the Sarbanes-Oxley Act, which is designed to make sure that CEOs, CFOs, and other corporate executives don't defraud stockholders and the economy at large. Incidentally, this issue has a lot to do with disaster recovery.
The general idea behind the Sarbanes-Oxley Act is that each public company—and some others—must file certain audit reports on a regular schedule. These reports are bound by very strict regulations and must be filed in their entirety, or the officers of the company are held personally liable.
False information within the reports can lead to enormous monetary fines and/or jail time, even if the officers didn't fill out the forms themselves. This means one thing to the technical staff: Don't lose any necessary data or someone could go to jail.
Organizations that want to properly protect their data will have to totally rethink a lot of corporate data systems. Prior to this point, determining the level of importance of most corporate data was difficult at best, as business units and executives squabbled over the budget requirements for various levels of DR protection.
The Sarbanes-Oxley Act has changed that for at least a portion of the data—specifically, the data that's required to complete the audits. With vital data, there's no longer a debate that the budget must be freed up to allow for the proper and complete protection of the audit-required data. This consists mostly of financial information, but it also includes some other business reporting. Visit the Sarbanes-Oxley Web page for a complete overview of the Act and its requirements.
DR communities must find ways to properly protect this information, from tape backups to real-time data replication. Your level of protection will be mainly determined by where your company falls in the spectrum of the Act's regulations. However, keep in mind that many requirements will change with time, because the Act uses a "phased-in" approach that's dependent on your company's size and revenue.
In short, this business regulation requires your IT staff to reevaluate your current and future DR solutions. If you're a part of the IT staff, use it as a springboard for getting budget approval to implement adequate protection. Keeping the CEO out of jail has always been one of the more pressing concerns of mid- to large-sized businesses, but now IT has a responsibility to join in that concern.
Mike Talon is an IT consultant and freelance journalist who has worked for both traditional businesses and dot-com startups.