Rethinking Compliance: Beyond Security to Business

Volume # 03
Availability for the Modern Data Center: Business & IT Perspectives
Rethinking Compliance:
Beyond Security to Business Continuity
Enjoy reading,
Your VeeamUP editorial team
Compliance in the new threat landscape
In a business world increasingly driven by mobile and social technologies, IT
departments face significant challenges to keep corporate data safe. Against this
background of rapidly evolving technology, they also have to ensure compliance with a
whole range of regulations (from Sarbanes-Oxley to HIPAA or PCI DSS) designed to keep
data protected and retrievable.
But compliance can’t simply be seen as a box-ticking exercise; it’s a vital element of any
large IT organization’s activities. The potential financial damage of data loss is huge,
from hefty fines to serious impact on revenue. But the damage to the reputation of your
brand and your senior management team can be even bigger – and even harder to
repair. Against this background, the availability of the systems and data that keep your
business running is absolutely critical – downtime and data loss are unacceptable.
Demonstrating to regulatory bodies that you can limit the risk of suffering from
traditional criminal attacks such as SQL injections and Distributed Denial of Service
(DDoS) attacks is just the start. Advanced threats are growing in volume, sophistication
and persistence every day. Staying ahead of these threats – whether from bored kids,
foreign state-backed hacking teams, or highly motivated and well-organized criminal
gangs – is a monumental challenge. Alongside these external threats, the ever-present
danger of employee negligence or malfeasance adds further compliance risk.
In this constantly evolving threat landscape, even the best-protected organizations
will eventually suffer a failure. The question is: How do you accelerate and streamline
effective responses to criminal activity and ensure the availability of business-critical
systems when the inevitable happens?
Moving beyond security
Traditionally, compliance activities have focused on how to:
Protect: with perimeter defenses, anti-virus and anti-malware software
Detect: by monitoring access and data movement to identify attacks as they happen
Respond: by containing the damage, combating the threat and conducting forensic
Sustain: through risk assessments, policy reviews and periodic vulnerability checks
But a strategic approach to compliance needs to look beyond this protect-prevent-respond model. In a world where data breaches are inevitable, security will only get you
so far. Compliance activities also need to encompass a rigorous approach to business
continuity, so that when the worst does happen, you know the systems that keep your
business operational will carry on running.
In this edition of VeeamUP we’ll look at why it’s essential to rethink how you approach
compliance, and we’ll offer some practical advice on how you can take compliance
beyond security in your own organization.
VeeamUP. Availability for the Modern Data Center: Business & IT Perspectives. Volume 03
Veeam Software
Turning compliance into competitive advantage
For many global enterprises, complying with legislative mandates is simply the first step.
Taking the next step by adopting ISO standards helps demonstrate a proactive approach
to risk mitigation through adherence to strict business continuity criteria. Accreditation
for rigorous ISO standards can offer a real competitive differentiator, providing the
increased credibility to help organizations enter new markets and increase their share of
existing markets by attracting new and larger customers.
Compliance with key ISO standards for data protection includes the implementation
of proactive business continuity management systems that can ensure key business
processes are resumed quickly in the event of a failure or disaster. By adopting these
standards, enterprises can prove to customers that robust systems are in place to keep
the business running, no matter what happens.
Audit-proof compliance
But to achieve accreditation and sustain it, organizations must be able to demonstrate
adherence to the expected standards in ISO audits. For ISO standards looking at
Business Continuity Management Systems, the ability to demonstrate the availability of
business-critical systems in the event of a failure is vital. Performing backups and putting
disaster recovery (DR) plans in place is essential, but if they’re not regularly tested, it can
be difficult to prove they’ll be recoverable if the worst does happen.
Compliance with the Sarbanes-Oxley Act is also essential. Designed to protect investors
in the wake of high-profile accounting scandals, the Act is mandatory for publicly-listed
companies in the US. In recent years, however, it has become the de facto global
standard, representing a robust approach to ensuring electronic records and audit trails
are retained and auditable for long periods of time and recoverable after a disaster.
To make your systems audit-proof, whether for ISO or Sarbanes-Oxley accreditation,
continually testing DR systems and recoverability is essential. It’s also vital to document
the tested recovery times for key business systems and processes.
Your backup and recovery systems should provide a full audit trail and detailed test
logs that can be kept for as long as needed. They should also give you the ability to test
backup copies, recoverability and restore times in a sandbox environment, so you can
run tests at any time with no impact on your production environment.
Rethinking compliance
Enterprises tend to simply partner with data protection vendors on their compliance
programs. But compliance needs to be integrated with business continuity plans,
which means organizations must look beyond traditional security vendors to find
additional technology partners that can help ensure the data center and the business
services it supports are always on.
Of course, the always-on data center is itself a key risk factor for compliance. As
networks become stretched through mobility and BYOD initiatives and pressure from
the business increases to deliver services 24/7, keeping data, applications and users
protected becomes even more challenging.
Against a background of rapidly changing advanced threats, it’s not a question
of whether a breach will occur, but rather when a breach will occur. And as new
technologies and threats continue to emerge, your defense posture and approach to
compliance must be able to adapt quickly to keep up with the pace of change.
Know, don’t hope
In a constantly shifting threat landscape, the classic defense model of prevention and
protection is inadequate. What’s needed is a clear plan that’s continually tested and
updated to ensure you’re always following the latest best practices and your business
continuity management is completely audit-proof.
Achieving compliance and gaining the ISO and Sarbanes-Oxley accreditations that
differentiate your business doesn’t simply require robust backup technology and
processes. It requires the ability to continually test the recoverability of your backups,
so you’re able to demonstrate with confidence that you can meet recovery time
objectives for critical applications.
With ongoing backup and recoverability testing you don’t need to hope your business-critical services will keep running when a failure occurs – you’ll know they will.
Make accountability part of the plan
It’s all too easy for compliance accountability to fall across multiple business functions,
but a single point of overall accountability is essential for success. Once you’ve decided
to achieve ISO or Sarbanes-Oxley accreditation, it’s essential to designate a compliance
officer and compliance team to support your business continuity objectives.
Reporting to the CISO, the compliance team must have an unambiguous mandate to
constantly review compliance and ensure a rigorous adherence to the accreditation
Solving the compliance puzzle
Security is only one piece of the compliance puzzle. To ensure full, readily auditable
compliance, organizations need additional support beyond that provided by vendors
of protection and prevention solutions. It’s vital to find a technology partner that can
support your organization when security solutions fail to protect business-critical
applications and data – and ensure ongoing availability for those services. Your business
continuity technology partner shouldn’t just provide backup and DR capabilities – it
should deliver thorough and continual testing of the recoverability of backups.
Veeam delivers business availability through advanced backup and replication and DR
technologies, offering high-speed recovery and verified protection to help organizations
take compliance beyond security – and enable the Always-On Business™. By helping
enable accreditations and meet audit requirements, as well as proactively identifying
ways to improve backup and DR processes, Veeam’s technology expertise can help you
increase brand credibility, align compliance activities with core business objectives, and
keep key business services up and running when disaster strikes.
Visit to learn more.