Leveraging ILM for Convergence and Compliance

Oct. 27, 2008
Information Lifecycle Management (ILM) strategy can ensure both protection and compliance

Protecting the confidentiality, integrity and availability of information assets should be a convergence endeavor. The Information Lifecycle Management (ILM) strategy ensures protection and enables compliance with both information and physical requirements of existing laws, rules and regulations.

The Storage Network Industry Association (SNIA) defines ILM as the policies, processes, practices, services and tools used to align the business value of information with the most appropriate and cost-effective infrastructure — from the time information is created through its final disposition. While ILM has its roots in the storage industry, approaching compliance from an ILM perspective enables the convergence of areas such as information classification policy with incident response processes, and physical access control services with audit log management tools.

Information has always followed a lifecycle; organizations have always used document management, content management and records management methods, all of which are functions inherent to ILM. Documents have business value, physical records must be warehoused and content is retained and/or disposed of. SNIA makes sure security convergence is inherent to ILM through publications such as its Security Technical Work Group's (TWG) Storage Security Best Current Practices (BCPs).

In this document, SNIA's Security TWG addresses the "convergence of the storage, networking, and security disciplines, technologies, and methodologies for the purpose of protecting and securing information assets." It presents the BCPs as the means to a holistic approach for organizations to secure their storage systems and/or ecosystems. SNIA also sponsors security forums such as the Storage Security Industry Forum (SSIF) that promote collaboration between members, volunteers and other groups. The resources they produce, such as the SSIF Risk Assessment Toolkit, the Cryptographic Use Cases and the Rationale for End-to-End Security tutorial, provide the perspective for organizations to have converged security and achieve compliance.

SNIA counts on its 10 years in existence and a membership that includes major vendors to bolster its credibility and promote the adoption of its standards. Nonetheless, the association's standing has been recently counterbalanced by criticism of its leadership and membership structure, which skews voting power toward larger vendors — those with the largest membership fees.

Coincidentally, it is these larger members that, in an effort to distinguish their offerings from the competition's and increase market share, introduce non-standard terminology (e.g., Intelligent Information Management). Beyond SNIA, vendor definitions, processes, practices and services have become even more divergent: ILM is now synonymous with DLM (D referring to data). In acknowledgment of the importance — and (marketability?) — of security, data becomes protected, yielding PDLM.

Inconsistency prevails outside the vendor realm as well. The British Computer Society (BCS), a chartered organization with a membership 60,000-strong across 100 countries, uses Intelligent Infrastructure Management (IIM). The Government of Canada defines information lifecycle in its Framework for the Management of Information (FMI) as "the steps that information passes through in the course of conducting business activities: collect/create/receive/capture, organize, use/disseminate, maintain/preserve, disposition."

Issues such as these increase the challenge security groups face in pursuing an ILM-based security strategy. Nonetheless, the case for ILM as a catalyst for convergence and compliance is strong, and stronger still when considering the quantitative risk of non-compliance with laws, regulations and rules, and the significant investment of resources necessary to implement the supporting organizational change.

Even partial adoption of unified security policies, processes, practices and services will yield improvement. Leveraging ILM for security convergence will yield the true benefit: Protection of information assets. With security in place, compliance will follow.

Resources:

www.snia.org/home

www.snia.org/forums/ssif/programs/best_practices/SNIA-Security-BCPs-2.0.Final.070927.pdf

www.snia.org/forums/ssif/programs/end_user_programs/forums/ssif/knowledge_center/toolkits

www.snia.org/education/tutorials/2007/fall/security/LarryHofer_Cryptographic_Use_Cases.pdf

www.bcs.org/

www.tbs-sct.gc.ca/fmi-cgi/index_e.asp

Miki Calero, CISM, PMP, is CSO for the City of Columbus, Ohio. He is an associate member of the Security Executive Council and a frequent speaker and writer on security subjects. For information about the Security Executive Council, visit www.SecurityExecutiveCouncil.com/?sourceCode=access =std.