Some data protection challenges—such as business continuity and disaster recovery—remain familiar, but still require attention. Other challenges—such as data privacy issues within data security, new compliance demands, and management of information for civil litigation purposes (i.e., eDiscovery)—are clamoring for new attention. All in all, data protection (using a broad definition of the term) requires a strengthened commitment. Failing to make that commitment leaves gaps in data protection coverage, and those gaps carry risk. For example, not protecting Personally Identifiable Information (PII) properly could be costly as well as generate unfavorable publicity.
The focus shouldn’t be about attacking individual data protection problems in a piecemeal fashion, but rather assembling a comprehensive data protection program that continues to demonstrate the leadership role of a mainframe organization in an overall information technology organizational structure. That program should provide a coherent, consistent, coordinated, and complete approach to data protection. Such an approach ensures there are no holes in data protection coverage and is more robust, resilient (mandatory in any mainframe environment), scalable, manageable, and cost-effective.
Building a comprehensive data protection program requires several building blocks, including:
- An information-centric focus: Look at what actions must occur on each application data set to fully protect it for all aspects of data protection.
- A Governance, Risk management, and Compliance (GRC) framework: Although risk management is part of all data protection, a broader framework that also encompasses two other key enterprise responsibilities—governance and compliance—is necessary to ensure all data protection needs are addressed.
- An understanding of data protection objectives: Data protection coverage won’t be complete unless all data protection objectives are met.
- A data governance program: A strong data governance program helps ensure the right programs and activities are in place for data protection.
Different application data sets can have different Service Level Agreement (SLA) requirements, such as:
- Recovery Time Objective (RTO), which is the time within which an application must be back working after a downtime event occurs.
- Recovery Point Objective (RPO), which is the maximum amount of data that might be permanently lost.
Defining specific requirements for the other aspects of data protection, such as compliance, data security, and eDiscovery, is an extension of this approach, though they may not show up as part of an SLA. This information-centric focus directs attention to all the data protection needs of a given piece of data, so that important details are not overlooked. Data preservation, a key data protection objective, ensures data is consistent, accurate, and complete; it supports business continuity and disaster recovery. When a production application needs to recover data, that data must be usable. If the data is also necessary to meet compliance regulations, it must be authentic. That means the data must follow chain of custody procedures and support auditing to verify authenticity. Compliance puts additional constraints on the data preservation process that weren’t necessary for business continuity and disaster recovery alone. That means additional work must be done data set by data set (although the approach to doing the chain of custody work may be a general one).
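The information-centric approach above amounts to a per-data-set checklist: does the last good copy satisfy the RPO, was service restored within the RTO, is the restored copy usable, and, where compliance applies, is it authentic under chain of custody. The following Python is an added example, not code from the original article; the data set names, the SLA values, the custodian names, and the backup contents are all constructed. Chain of custody is modelled as a hash-linked log of copy records, so any later alteration of a record is detectable on audit.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed per-data-set requirements (hypothetical names and values).
# "authentic" marks data sets that also serve a compliance purpose and
# therefore need chain-of-custody evidence, not just a restorable copy.
REQUIREMENTS = {
    "PAYROLL.MASTER": {"rto": timedelta(hours=4), "rpo": timedelta(hours=1), "authentic": True},
    "SALES.HISTORY": {"rto": timedelta(hours=24), "rpo": timedelta(hours=12), "authentic": False},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_record(dataset, content, taken_at, custodian, prev_hash):
    """One chain-of-custody entry: who took which copy of which data set, when.
    Each record is linked to the previous one by hash, so an auditor can
    recompute the chain and detect any altered or removed entry."""
    body = {
        "dataset": dataset,
        "taken_at": taken_at.isoformat(),
        "custodian": custodian,
        "content_sha256": sha256_hex(content),
        "prev_hash": prev_hash,
    }
    body["record_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return body


def verify_chain(records):
    """Audit step: recompute every link. Returns (True, None) if the chain is
    intact, otherwise (False, index of the first record that fails)."""
    prev = "GENESIS"
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["record_hash"]:
            return False, i
        prev = rec["record_hash"]
    return True, None


def rpo_met(dataset, last_good_copy, outage_start):
    # Data written after the last good copy is what would be permanently lost.
    return outage_start - last_good_copy <= REQUIREMENTS[dataset]["rpo"]


def rto_met(dataset, outage_start, service_restored):
    return service_restored - outage_start <= REQUIREMENTS[dataset]["rto"]


def assess(dataset, records, outage_start, service_restored, restored_content):
    """Per-data-set check covering RPO, RTO, usability and (if required) authenticity."""
    chain_ok, _ = verify_chain(records)
    last_copy = datetime.fromisoformat(records[-1]["taken_at"])
    # "Usable" here means the restored bytes match the copy that was recorded.
    hash_matches = sha256_hex(restored_content) == records[-1]["content_sha256"]
    result = {
        "rpo_met": rpo_met(dataset, last_copy, outage_start),
        "rto_met": rto_met(dataset, outage_start, service_restored),
        "usable": hash_matches,
    }
    if REQUIREMENTS[dataset]["authentic"]:
        # Compliance adds a constraint beyond restorability: the copy must be
        # traceable through an unbroken custody chain.
        result["authentic"] = chain_ok and hash_matches
    result["gaps"] = [name for name, ok in result.items() if ok is False]
    return result


def build_sample_chain():
    """Constructed custody log: two copies of PAYROLL.MASTER taken an hour apart."""
    copies = [
        (b"constructed payroll master copy v1", datetime(2024, 1, 15, 8, 0), "ops-shift-A"),
        (b"constructed payroll master copy v2", datetime(2024, 1, 15, 9, 0), "ops-shift-A"),
    ]
    records, prev = [], "GENESIS"
    for content, taken_at, who in copies:
        rec = custody_record("PAYROLL.MASTER", content, taken_at, who, prev)
        records.append(rec)
        prev = rec["record_hash"]
    return records


if __name__ == "__main__":
    chain = build_sample_chain()
    report = assess("PAYROLL.MASTER", chain, datetime(2024, 1, 15, 9, 30),
                    datetime(2024, 1, 15, 12, 0), b"constructed payroll master copy v2")
    print(json.dumps(report, indent=2))
```

Running the script assesses an outage at 09:30 recovered by 12:00 from the 09:00 copy: RPO (30 minutes of 1 hour) and RTO (2.5 of 4 hours) are met, the restored bytes match the recorded copy, and the custody chain verifies, so the gap list is empty. Editing any field of an earlier record, even the custodian name, makes `verify_chain` report that record's index, which is the audit property the compliance constraint relies on.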
The GRC Framework
Data protection may be only a component or subset of some common terms such as business continuity, disaster recovery, data security, data privacy, compliance and eDiscovery, yet it’s at the core of each. When the IT department is involved, it’s all about the data. If the data is permanently lost or unacceptably corrupted, the application functions that use the data can’t do their job.
What do disaster recovery and compliance have in common? Financial records that are needed for regulatory compliance must be able to be properly restored after a disaster. However, the bigger answer is that they must fit into the GRC framework, which represents three of the principal responsibilities of any enterprise.
Among other things, governance is about ensuring accountability for the conduct of an enterprise’s business. From a data protection perspective, governance is frequently associated with finding and making available relevant Electronically Stored Information (ESI). Risk management is a structured process to manage risk; within that, data protection tries to prevent or minimize negative impacts to business processes. Compliance means conforming to requirements imposed by a third party, including requirements that apply to ESI. Together, the three pillars cover all areas of data protection.