Databases Reference
This chapter explains the problem of trustworthy retention of records and
outlines proposed solutions and open problems. Section 2 defines the
trustworthy record retention problem and discusses the laws and regulations
that mandate trustworthy record retention. Section 3 discusses the threats to
trustworthy record retention. Section 4 presents the current storage and
deployment models for trustworthy storage, and Section 5 discusses ways in
which current records servers could be made more resilient against physical
attack. Sections 6, 7, and 8 discuss techniques used for trustworthy record
indexing, migration, and deletion, respectively. Finally, we conclude with a
general discussion of open problems and issues in Section 9.
2 Problem Definition
Information subject to compliance regulations includes both structured
records, such as relational database entries, and semi-structured or
unstructured records, such as email, spreadsheets, reports, memos, and instant
messages. We use the terms records and documents interchangeably when
referring to semi-structured or unstructured collections of information.
Definition 1. The goal of trustworthy record retention is to provide
long-term retention and eventual disposal of organizational records in such a
manner that no user can delete, hide, or tamper with any record during its
retention period, nor recreate a record's content once it has been deleted.
Trustworthy records retention has become mandatory with the passing of
regulatory legislation all around the world. In the United States alone, there
are more than 10,000 regulations at the state and federal level that mandate
the secure management of such records. In this section, we briefly discuss these
laws and regulations.
In the United States, the Sarbanes-Oxley Act of 2002 requires public
companies to provide disclosure and accountability of their financial
reporting, subject to independent audits [30]. The Health Insurance
Portability and Accountability Act (HIPAA) requires trustworthy storage of
medical records [3]. The Securities and Exchange Commission (SEC) rule 17a-4
requires traders, brokers, and financial companies to maintain their business
records, transactions, and communications for a number of years [38]. The
Gramm-Leach-Bliley Act of 1999 mandates that financial institutions must have
a policy to protect information from any foreseeable threats to integrity and
data security [29]. There are also state laws mandating the accountability of
financial institutions when a breach of financial records occurs [48].
Other well-known US legislation that mandates trustworthy records retention
includes the Federal Information Security Management Act [31], which
regulates information systems used by the Federal government and affiliated
parties, requiring yearly audits, risk assessments, certification, and continuous