What you will learn from this tip: Achieving SOX compliance does not ensure business resilience or continuity. There are extra steps
As business continuity practitioners, we often hear from C-level managers that their organization is "in pretty good shape" from a business continuity or disaster recovery (DR) perspective, having just completed a Sarbanes-Oxley (SOX) compliance effort. After all, auditors evaluate the measures or controls in place to ensure transactional data is available if ever requested by a court of law. Many organizations depend on IT systems to access and store transactional data ... in other words, data storage and backups.
The assumption that an organization is capable of business resumption because it has met SOX compliance requirements sometimes leads to a very unpleasant surprise following a major disaster. The SOX act was mostly designed to rebuild the investor community's confidence and protect them from negligent or fraudulent financial reporting by filers. The following are only some of the data storage and backup items not directly considered by auditors when reviewing IT controls (SOX, Section 404). However, they are nonetheless essential elements of business continuity management:
Recovery time objective (RTO): Data protection alone does not ensure timely recovery. RTO for a given application is not an output of a regulatory compliance audit and data restore performance is not measured.
Recovery strategy: A SOX compliance audit offers little guidance as to whether tape backups, disk-to-disk backups or data replication will best meet your business' and application's specific requirements.
Contingency plan: SOX compliance does not require an organization to have a comprehensive, well-rehearsed and maintained contingency plan(s). In fact, DR and BCP are specifically named as being outside the scope of SOX compliance requirements.
Dependencies and recovery priorities: SOX is not necessarily concerned that a licensing server must first be restored and operational before an application can come up or that the data network must be available for backup data to be restored. The order in which applications are recovered is of no relevance unless it affects specific controls over security, availability or integrity of transactional data.
Lost revenue: SOX is concerned with data being recoverable, but not the time involved. Revenue losses resulting from a lengthy recovery are not directly considered.
Just as regulatory compliance, BCP must become part of a solid risk management program. Compliance alone does not ensure recoverability. From a storage perspective, the choice of technology and performance is not regulated beyond certain data security and integrity aspects; we are responsible for the design of data storage and backup strategies that meet your business' requirements. It is up to you to clearly document the recovery priority and procedures.
In retrospect, we can assume that out of the numerous Gulf Coast businesses that will never reopen after Hurricane Katrina, some may have been SOX compliant.
Pierre Dorion is a certified business continuity professional for Mainland Information Systems Inc.
This was first published in November 2005