Go beyond SOX for business continuity

What you will learn from this tip: Achieving SOX compliance does not ensure business resilience or continuity. There are extra steps you should take to make sure that your business is protected.

As business continuity practitioners, we often hear from C-level managers that their organization is "in pretty good shape" from a business continuity or disaster recovery (DR) perspective, having just completed a Sarbanes-Oxley (SOX) compliance effort. After all, auditors evaluate the measures or controls in place to ensure transactional data is available if ever requested by a court of law. Many organizations depend on IT systems to access and store transactional data…in other words, data storage and backups.

The assumption that an organization is capable of business resumption because it has met SOX compliance requirements sometimes leads to a very unpleasant surprise following a major disaster. The SOX act was mostly designed to rebuild the investor community's confidence and protect them from negligent or fraudulent financial reporting by filers. The following are only some of the data storage and backup items not directly considered by auditors when reviewing IT controls (SOX, section 404). However, they are nonetheless essential elements of business continuity management (BCM):

Recovery time objective (RTO): Data protection alone does not ensure timely recovery. RTO for a given application is not an output of a regulatory compliance audit and data restore performance is not measured.

Recovery strategy: A SOX compliance audit offers little guidance as to whether

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance for the midmarket Compliance management: From virtualization to licensing agreements Healthcare compliance gets boost from national HHS privacy framework Data center virtualization: Four steps to compliance SaaS: Navigating the compliance minefield How to scope the liability clause in your software license agreement PCI compliance without costly consultants Software license agreements: Scope is key Compliance regulations: Understanding the dirty dozen IT audits: Five fearless strategies for survival PCI Data Security Standard compliance: Three steps to success Data storage for the midmarket Disaster recovery plans solve bare-metal recovery problem via VMware The price of data center outsourcing: Security, costs and more explored Data center virtualization: User best practices Firm moves from tape backup to managed backup and recovery service IRobot CIO dishes on virtualization, disaster recovery and compliance Leading iRobot's IT: Virtualization, disaster recovery and compliance Midmarket data center management guides: Tips and best practices Midmarket IT budgets hit by economic downturn Taking electronic records retention management to the next level Virtualization as a disaster recovery strategy? Compliance management for the midmarket From software prices to EHR security: The latest advice for CIOs Security and risk management in the midmarket A CIO's advice for implementing single sign-on solutions Compliance management: From virtualization to licensing agreements 2008 top 10 technology articles: Social media, Vista, IT salaries Healthcare compliance gets boost from national HHS privacy framework Taking electronic records retention management to the next level Data center virtualization: Four steps to compliance When Microsoft shuts you down and other IT horror stories MS software licensing, IT auditing tricky business

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

tape backups, disk-to-disk backups or data replication will best meet your business' and application's specific requirements.

Contingency plan: SOX compliance does not require an organization to have a comprehensive, well-rehearsed and maintained contingency plan(s). In fact, DR and BCP are specifically named as being outside the scope of SOX compliance requirements.

Dependencies and recovery priorities: SOX is not necessarily concerned that a licensing server must first be restored and operational before an application can come up or that the data network must be available for backup data to be restored. The order in which applications are recovered is of no relevance unless it affects specific controls over security, availability or integrity of transactional data.

Lost revenue: SOX is concerned with data being recoverable, but not the time involved. Revenue losses resulting from a lengthy recovery are not directly considered.

Just as regulatory compliance, BCP must become part of a solid risk management program. Compliance alone does not ensure recoverability. From a storage perspective, the choice of technology and performance is not regulated beyond certain data security and integrity aspects; we are responsible for the design of data storage and backup strategies that meet your business' requirements. It is up to you to clearly document the recovery priority and procedures.

In retrospect, we can assume that out of the numerous Gulf Coast businesses that will never reopen after Hurricane Katrina, some may have been SOX compliant.

About the author: Pierre Dorion is a certified business continuity professional for Mainland Information Systems Inc.

Rate this Tip To rate tips, you must be a member of SearchCIO-Midmarket.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.