Author Topic: 17A4 Compliance  (Read 2806 times)

jsquizz

  • Global Moderator
  • Hero Member
  • Posts: 573
17A4 Compliance
« on: October 16, 2017, 10:43:08 AM »
Just wondering if anyone on here is using storage that is 17A4 compliant with CMOD, V10.1 of course.
#CMOD #DB2 #AFP2PDF #TSM #AIX #RHEL #AWS #AZURE #GCP #EVERYTHING

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • Posts: 2228
  • CMOD Guru for hire...
    • Tenacious Consulting
Re: 17A4 Compliance
« Reply #1 on: October 16, 2017, 10:50:10 AM »
This is a complicated thing...  It requires WORM media, two years of "immediate" accessibility, and 6-year retention.  There are ways to get this with CMOD - using TSM with SSAM enabled and WORM tape, or through a home-grown solution that uses disk-based 'locking' features to achieve the locking for a pre-set period of time, or preferably a combination of both.

This comes with operational issues -- you can't (properly) issue an 'arsadmin unload' command and expect it to work properly in the case that you have bad data that needs to be replaced.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

jsquizz

Re: 17A4 Compliance
« Reply #2 on: October 16, 2017, 11:34:07 AM »
What would be a sample scenario involving 17A4 compliance?

Justin Derrick

Re: 17A4 Compliance
« Reply #3 on: October 17, 2017, 03:44:16 AM »
Scenario:  A customer requires 17A4 compliance.

Solution:  I build a 17A4 compliant solution by configuring CMOD properly with the correct hardware.  :)

But seriously, the scenario depends heavily on what software / hardware and budget are available.  A lot of people are moving off of tape because of the ongoing maintenance costs, and the ever-decreasing cost of disk.  The only thing that makes disk more expensive than tape nowadays is electricity -- keeping those disks spinning 24x7x365.

Tape is still an excellent solution if you can properly define the 'cutoff' where data isn't being accessed anymore (*ahem* RAPTOR4) -- because tape doesn't consume electricity when it's sitting on the shelf.

But all in all, a 17A4 compliant solution probably includes a bunch of 'locking' disk, specially configured to lock-on-write the data loaded into IBM CMOD, WORM tape backend, and TSM/SSAM providing access to it from Content Manager OnDemand.

jsquizz

Re: 17A4 Compliance
« Reply #4 on: October 17, 2017, 05:13:39 AM »
Thanks Justin. Scoping out a new environment with the latest and greatest.

Looks like TSM is our best way to go.

RHPharr

  • Jr. Member
  • Posts: 12
Re: 17A4 Compliance
« Reply #5 on: May 22, 2018, 10:37:08 AM »
Is using some type of WORM storage for the docs enough for SEC 17a-4?  Doesn't the metadata also need to be immutable?  You couldn't really do a WORM tablespace, so anyone with access to the DB could delete records.  And what about making all of the ars tables immutable?  Couldn't changes to the app, appgroup, or storage make the documents unretrievable?

Justin Derrick

Re: 17A4 Compliance
« Reply #6 on: May 22, 2018, 12:51:04 PM »
It's almost like they want you to burn the stuff into a plate of steel with a laser...  which is kinda what optical platters were all about.  :)

As for the database...  I don't think anything will ever meet those criteria and still be functional.

I'm all ears if anyone has any recommendations...

As far as I can tell, the closest you can get is a system with heavily restricted access, on which all activity is logged, using software that uses devices with Write-Once capability, which includes the metadata on the write-once tape -- in the form of monthly database backups.  You could prove the authenticity of data in a 'chain of custody' sort of way (proving the hashes / signatures haven't changed).  But it would be a brutal process to create that proof.

-JD.
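
Added example, not part of the thread and not IBM CMOD code: a sketch of the 'chain of custody' proof discussed in Reply #6, where a hash-chained manifest over exported metadata rows and document bytes is built and only its final hash needs to sit on write-once media. The field names (`doc_id`, `appgroup`, `load_date`) and the sample rows are constructed for illustration and do not reflect the real ars tables.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start-of-chain marker

# Constructed sample export: (metadata row, document bytes). Hypothetical fields.
SAMPLE_ROWS = [
    ({"doc_id": "D1", "appgroup": "STMT", "load_date": "2018-04-01"}, b"statement one"),
    ({"doc_id": "D2", "appgroup": "STMT", "load_date": "2018-04-02"}, b"statement two"),
    ({"doc_id": "D3", "appgroup": "CONF", "load_date": "2018-04-03"}, b"trade confirm"),
]

def entry_digest(prev, record, doc_bytes):
    """Bind the previous link, the document digest and the canonical metadata."""
    meta = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    doc = hashlib.sha256(doc_bytes).hexdigest()
    return hashlib.sha256(f"{prev}|{doc}|".encode() + meta).hexdigest()

def build_manifest(rows):
    """Return (manifest, head); the head is the value to store on WORM media."""
    manifest, prev = [], GENESIS
    for record, doc in rows:
        prev = entry_digest(prev, record, doc)
        manifest.append({"doc_id": record["doc_id"], "link": prev})
    return manifest, prev

def verify(rows, manifest, worm_head):
    """Recompute the chain from live data; an empty list means nothing changed."""
    findings, prev = [], GENESIS
    live = {record["doc_id"]: (record, doc) for record, doc in rows}
    for entry in manifest:
        if entry["doc_id"] not in live:
            findings.append(("missing", entry["doc_id"]))   # row deleted from the DB
        else:
            record, doc = live[entry["doc_id"]]
            if entry_digest(prev, record, doc) != entry["link"]:
                findings.append(("altered", entry["doc_id"]))
        prev = entry["link"]  # continue from the recorded link so later rows are still checked
    if not manifest or manifest[-1]["link"] != worm_head:
        findings.append(("manifest", "head mismatch"))      # manifest itself was rewritten
    return findings

if __name__ == "__main__":
    manifest, head = build_manifest(SAMPLE_ROWS)
    print(verify(SAMPLE_ROWS, manifest, head))      # intact export
    print(verify(SAMPLE_ROWS[:1] + SAMPLE_ROWS[2:], manifest, head))  # D2 deleted
```

Rows loaded after the manifest was built are not covered until the next manifest is written, which matches the periodic-backup cadence described in the reply.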