Doing Compliance The Wrong Way

ENN reported yesterday that “The Irish Times reports that Wicklow County Council has started to exam its 300 computers for references to the Whitestown illegal landfill, in order to comply with a request from the High Court”.

300 computers?  Does Wicklow County Council have that many file servers?  Nah, I’m just joking.  These guys obviously have no understanding of how to control over the desktop/laptop network so they’ve got a mess.  It could take them months to find related data; heck they might never live up to their obligations.

Here’s how they should have approached this:

  1. Desktops and laptops should be locked down with no local admin access for users.  Dodgy apps should be “shimmed”.
  2. Group policy should be employed to prevent access to the local drive on the laptop/PC.
  3. Use policy (either Group Policy or 3rd party) to disable use of removable media.  You don’t want people trying to bypass compliance systems by usin USB drives to store dodgy information.
  4. Forget roaming profiles.  Use Windows Server 2008 folder redirection to redirect all the possible storage locations you would need on a PC, e.g. My Documents, Application Data, etc, to the user’s home directory on a file server.
  5. Configure offline access for the user’s home directory.  That means My Document, etc, will be available to users when the file server isn’t, e.g. roaming laptop users.
  6. Set up a file server data retention system.  There’s lots of choices here.  If you’ve got a golden budget then something like a SAN based solution will work.  Normal backups don’t work – backing up a file once a day isn’t retention.  There’s a 24 hour window where data can exist and be deleted.  Maybe look at MS DPM, e.g. DPM-2-DPM-4-DR with a long retention period.  Or have a look at Iron Mountain LiveVault for incremental block level backups every 15 minutes.  With LiveVault there’s a almost certain change you’ll backup anything that ever gets near the file server and you can set up a retention period for your compliance requirements, e.g. 7 or 10 years.
  7. You’ll need to set up a compliance solution for your mail server too.  Like with file servers, a daily backup is not a retention system for compliance.  Mails easily come and go in a 24 hour window.  Again, there’s nice solutions from the likes of CommVault.  And there’s the DPM-2-DPM-4-DR and Iron Mountain LiveVault.

What’s the result?  If the High Court demands you search for files then it’s a lot easier.  You only have one or two places to search.  All you’ve got to do is search those locations.  Forget about searching PC’s because your users don’t have the rights to write there.

del.icio.us Tags: ,

Technorati Tags: ,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.