CFTC 1.31(b) Compliance Assessment

Transcription

1 CFTC 1.31(b) Compliance Assessment Prepared by Cohasset Associates, Inc. Abstract Cohasset Associates, Inc. (Cohasset) prepared this technical report to provide an objective compliance assessment of the capabilities of the EMC Data Domain Retention Lock Compliance edition relative to the requirements and conditions of Commodity Futures Trading Commission ( CFTC or Commission ) Rule 1.31(b) (the Rule ). Cohasset s conclusion is that the EMC Data Domain Retention Lock Compliance edition, when installed, configured, and enabled on the EMC Data Domain system, meets the four storage-related requirements of CFTC Rule 1.31(b) addressed in this report. In summary, during the CFTC required retention period, it: Protects the records from being overwritten or erased for the required retention period through integrated records management controls and security protection; Provides for the initial and ongoing accuracy and quality of the records, as recorded, stored and retrieved; Cohasset Associates 7825 Washington Ave. South Suite 500 Minneapolis, MN Identifies each record and duplicate copy with a unique file name and date/time stamp; and Creates a duplicate copy of the record, which may be stored at a separate location and used for recovery, should the primary record be compromised May 2013 Guiding the Way to Successful Records & Information Management

2 Table of Contents 1. Introduction Electronic Storage Requirements of the CFTC Rule EMC Data Domain Retention Lock Compliance Edition Overview Assessment and Technical Report Compliance Assessment with SEC Rule 17a-4(f) Structure and Organization of Cohasset s Assessment Non-rewriteable, Non-erasable Format Verifies Automatically the Quality and Accuracy of the Recording Process Serializes the Original and Duplicate Units of Storage Media Store Separately a Duplicate Copy Conclusions...17 End Notes...18 About Cohasset Associates, Inc Table of Contents 2

3 1. Introduction This section sets the context for this technical assessment, which has been divided into two parts: Identification of the CFTC s regulatory foundation (as set forth in Rule 1.31(b)) for allowing digital records to be retained on electronic storage media and systems, and An introductory description of the storage system that is the subject of Cohasset s assessment against the above referenced CFTC electronic storage media and system regulation. 1.1 Electronic Storage Requirements of the CFTC Rule 1.31 On June 5, 1998, the Commission published a Federal Register Notice (63 FR 30668) proposing several amendments to the recordkeeping requirements of Commission Regulation 1.31, which would authorize a more generic, performance-based approach to the definition of permissible record storage technology, including both micrographic media and electronic storage media. In light of the significant number of Commission registrants that also are subject to the recordkeeping requirements of the Securities and Exchange Commission ( SEC ), the proposed amendments included many provisions similar to those adopted by the SEC in The Commission s final rule change for Regulation 1.31 was published in the Federal Register on May 27, 1999 and became effective on June 28, This Rule clearly states that entities under the regulatory jurisdiction of the CFTC are allowed to retain records on an electronic storage media or system subject to the requirements and conditions of the Rule. The following are relevant parts of the final regulation as published in the Federal Register: SUMMARY: The Commodity Futures Trading Commission is adopting amendments to the recordkeeping obligations established in Regulation Specifically, the amendments will allow recordkeepers to store most categories of required records on either micrographic or electronic storage media for the full five-year maintenance period, thereby harmonizing procedures for those firms regulated by both the Commission and the Securities and Exchange Commission. Introduction 3

4 Recordkeepers will have the flexibility necessary to maximize the cost reduction and time savings available from improved storage technology while continuing to provide Commission auditors and investigators with timely access to a reliable system of records. The Commission recognizes the important role improved technology can play in the continued development of the futures industry. Minimizing unnecessary regulatory obstacles to the adoption of improved technology is a goal of industry members, customers, and the Commission. Indeed, the pace of technological changes will require the Commission continually to review the standards articulated in this rule to ensure that the recordkeeping requirements reflect to the extent possible the reality of established technological innovation Books and records, keeping and inspection. * * * * * (b) Except as provided in paragraph (d) of this section, immediate reproductions on either micrographic media (as defined in paragraph (b)(1)(i) of this section) or electronic storage media (as defined in paragraph (b)(1)(ii) this section) may be kept in that form for the required time period under the conditions set forth in this paragraph (b). * * * * * (b)(1)(ii) The term electronic storage media means any digital storage medium or system that.... The detailed requirements of CFTC Rule 1.31(b) are very similar to, and in some cases essentially identical to, certain storage system related requirements as defined in SEC Rule 17a-4(f), including the requirement to Preserve the records exclusively in a non-rewritable, non-erasable format. Upon issuing the final Rule the Commission stated: In view of the significant number of firms subject to regulation under both the federal commodity and securities laws, the final regulations recognize the value of maintaining consistency, where possible, between the Commission s approach to recordkeeping and that of the SEC. The regulations do not reflect strict conformity with the regulations the SEC adopted in 1997, however, because the Commission concluded that there were significant differences between the commodities and securities industry that justified retaining certain of its current rules. Since issuing the Final Rule, the CFTC has not published any broad interpretation 1 or update. Introduction 4

5 On May 7, 2003, the SEC promulgated an Interpretive Release (No , Electronic Storage of Broker-Dealer Records) clarifying its requirements for the retention of records and explicitly allowing the use of erasable and rewriteable media, such as magnetic tape or magnetic disk, if control codes are employed as an integral part of such storage media and systems to ensure that records are protected from erasure or overwrite for the required retention period. Specifically, the 2003 SEC Interpretive Release states: A broker-dealer would not violate the requirement in paragraph (f)(2)(ii)(a) of the rule if it used an electronic storage system that prevents the overwriting, erasing or otherwise altering of a record during its required retention period through the use of integrated hardware and software control codes. To determine whether or not the SEC s interpretive release, including authorized use of erasable and rewritable media, may be applicable to the recordkeeping requirements of the CFTC, Cohasset reviewed the information published in the Federal Register for the CFTC s adoption of the amendments to the recordkeeping obligations established in Rule 1.3 in The following statements were incorporated in the Supplementary Information related to changes of the Rule: III. FINAL RULES F. Other Issues 5. Adjusting Requirements in Response to Technological Change The Commission has adequate tools to address short-term inefficiencies in the regulatory process. On several occasions during the past two years, the Commission has provided interim relief from the current requirements of Rule 1.31 to Commission registrants using advanced technology (44). In footnote (44), the Commission states: The Commission has permitted these registrants to substitute compliance with the SEC s recordkeeping requirements for compliance with the current requirements of Rule This footnote describes the CFTC s willingness to rely, where appropriate, on the SEC s rules and its history of granting permission to substitute compliance with the SEC s recordkeeping requirements for compliance with the requirements of Rule This suggests that it is reasonable to conclude that the CFTC would accept compliance with the SEC 2003 Interpretive Release to act as a complement to the Commission s rulemaking related to Rule 1.31(b). Introduction 5

6 As added credence to the acceptability of electronic storage media and systems that utilize integrated controls, but do not equate to a specific form of media, the following is stated in the Supplementary Information in the Federal Register for the CFTC s adoption of the amendments to Rule 1.3: II. NATURE OF THE PROPOSAL B. Proposed Rules Moreover, the Proposal gave recordkeepers increased flexibility in selecting the advanced technology best suited to their business requirements by substituting the less restrictive category electronic storage media for optical disk in describing the storage media recordkeepers could employ (7). As a result, recordkeepers may now take advantage of electronic storage technologies such as digital tape (8). In Footnote (8) the Commission clarifies that: The Proposal did not require Commission approval of plans to convert to a system that maintains records on electronic storage media. Recordkeepers, however, must submit a representation to the Commission that the selected electronic storage system meets the four generic requirements. As described in B. Proposed Rules (above), the Commission gives recordkeepers broader flexibility in selecting the electronic storage media or system and identifies a digital media, i.e., digital tape as an example, at that point in time, of a potentially acceptable technology. As expressed by Footnote (8) and paragraph (c) of Rule 1.31 (which follows), the registrant must provide a representation to the Commission prior to its initial use of an electronic storage media or system. When making this required representation to the Commission regarding the intent to use an electronic storage media or system, the registrant need only state when a storage media or system other than optical disk or CD-ROM technology is being used. There is no pre-deployment waiting period if non-optical media is used, such as that required by the SEC. 2 Specifically, paragraph (c) of Rule 1.31 states: Persons employing an electronic storage system shall provide a representation to the Commission prior to the initial use of the system. The representation shall be made by the person required to maintain the records, the storage system vendor, or another third party with appropriate expertise and shall state that the selected electronic storage system meets the requirements set forth in paragraph (b)(1)(ii) of this section. Persons employing an electronic storage system using media other than optical disk or CD-ROM technology shall so state. The representation shall be accompanied by the type of oath or affirmation described in 1.10(d)(4). Introduction 6

7 Cohasset believes that, based on these associated statements, the CFTC Rule manifests a similar, if not greater, level of comfort as the SEC (in its 2003 Interpretive Release) regarding the storage, retention and protection of records using all types of electronic storage technology as long as the technology meets the requirements and conditions of the Rule. The Rule also documents the CFTC s recognition that registrants would benefit from the use of evolving storage media and technology: The CFTC... recognizes the important role improved technology can play in the continued development of the futures industry. Minimizing unnecessary regulatory obstacles to the adoption of improved technology is a goal of industry members, customers, and the Commission. It is therefore Cohasset s belief that the CFTC would interpret the use of advances in digital storage media and systems technology (such as erasable magnetic storage using the integrated controls stipulated in the 2003 SEC Interpretive Release) as being compatible with the Commission s vision and intentions for Rule 1.31(b). 1.2 EMC Data Domain Retention Lock Compliance Edition Overview EMC offers EMC Data Domain Retention Lock software that can be applied to any Data Domain MTree (a logical volume in a virtual file system). When an MTree is enabled to support DD Retention Lock, a retention period can be set for individual record files that prevent the record file from being erased or overwritten before the retention period has expired. The DD Retention Lock software capability can be configured for only one of two possible retention management environments: Compliance Environment designed to meet the requirements of SEC Rule 17a-4(f), and thereby meet the requirements of CFTC Rule 1.31(b), and Governance Environment where certain administrative functions can be performed that are not CFTC-compliant. This assessment report focuses only on the Compliance edition of DD Retention Lock software. 1.3 Assessment and Technical Report To obtain an independent and objective assessment of the EMC Data Domain Retention Lock Compliance edition ( DD Retention Lock Compliance ) capabilities relative to meeting the requirements set forth in CFTC Rule 1.31(b), EMC ( EMC ) engaged Cohasset Associates, Inc. ( Cohasset ), a highly respected consulting firm with specific knowledge, recognized expertise, and Introduction 7

8 more than 40 years of experience regarding the legal, technical, and operational issues associated with the records management practices of registrants regulated by the CFTC. Additional information about Cohasset Associates is provided at the end of this report. Cohasset s assignment was to: Assess the ability of DD Retention Lock Compliance capabilities to meet the requirements of all the relevant conditions of CFTC Rule 1.31(b), and Prepare this technical report regarding that assessment. This assessment represents the professional opinion of Cohasset Associates and should not be construed as an endorsement or rejection by Cohasset of the DD Retention Lock Compliance and its capabilities or other EMC products. To conduct its assessment, Cohasset utilized four types of information provided by EMC relating to EMC Data Domain Retention Lock Compliance edition: 1) oral discussions, 2) system requirements documents, 3) user and administration guides, and 4) other directly related materials. This assessment covers only the four requirements stated in CFTC Rule 1.31(b) that relate directly to electronic storage media or system and the associated recording and retention management of regulated record files. Each registrant utilizing an electronic storage system must ensure that a combination of procedures, controls and client application capabilities (operating in conjunction with the storage management capabilities addressed in this assessment) meet all of the requirements of the Rule. The content and conclusions of this assessment are not intended and should not be construed as legal advice. Relevant laws and regulations are constantly evolving and legal advice must be tailored to the specific circumstances of the laws and regulations for each organization. Therefore, nothing stated herein should be substituted for the advice of competent legal counsel. Introduction 8

9 2. Compliance Assessment with SEC Rule 17a-4(f) This section presents Cohasset s assessment of the capabilities of the EMC Data Domain Retention Lock Compliance edition relative to meeting the requirements of the Rule that pertain to or are supported by the storage media or system. 2.1 Structure and Organization of Cohasset s Assessment Each assessment of the four relevant requirements of CFTC Rule 1.31(b) addressed in this report is structured into four parts: Compliance Requirement A citation and discussion of the requirement of the Rule that relates to the utilization of electronic storage media or systems; Compliance Assessment Cohasset s assessment of the degree to which EMC Data Domain Retention Lock Compliance edition capabilities (when installed, configured, and enabled on the Data Domain system) comply with the requirement of the Rule; DD Retention Lock Compliance Capabilities A description of the specific capabilities of DD Retention Lock Compliance that enables it to meet the requirement of the Rule; and Other Considerations Identification of actions (should there be any) that may need to be performed in order to support meeting the requirements of the Rule. Note: The term record is utilized in CFTC Rule 1.31 to describe all information content that must be retained under the Rule. Since this assessment deals with the capabilities of the DD Retention Lock Compliance relative to the Rule, Cohasset Associates has chosen to use the term record or record file (versus file ) in order to be consistent with CFTC terminology. Compliance Assessment 9

10 2.2 Non-rewriteable, Non-erasable Format Compliance Requirement 1.31(b)(1)(ii)(A) Preserves the records exclusively in a non-rewriteable, non-erasable format. This requirement is designed to ensure that the integrity of records stored on an electronic storage media or system are protected against erasure or overwrite for the required retention period, thereby allowing the records to be accurately retrieved and viewed or reproduced Compliance Assessment It is Cohasset Associates opinion that EMC Data Domain Retention Lock Compliance edition (when installed, configured, and enabled on a Data Domain system) provides strong capabilities for meeting this requirement of the Rule, provided certain capabilities discussed below are properly configured and applied by the registrant and that any conditions stated in subsection 2.2.4, Other Considerations, are met DD Retention Lock Compliance Capabilities The main features of DD Retention Lock Compliance that support meeting the non-rewritable and non-erasable requirement of the Rule are: The registrant must purchase and configure (on a Data Domain system) a unique DD Retention Lock Compliance software license which ensures that the compliance features of DD Retention Lock are activated. During administrative setup of the DD Retention Lock Compliance, one or more MTrees must be defined as being under Compliance control, thereby allowing retention management to be applied to recorded files. After an MTree has been configured with DD Retention Lock Compliance, it cannot be disabled or overridden. For a Managed Tree (MTree) that is Retention Lock Compliance software enabled, a record file can be placed under retention management control by setting a time-based 1 retention period (in the form of a retention expiration date). The retention period is set when the client application, e.g., an archiving application or file archiving application a) issues a file protocol instruction with an atime 2 attribute retention value that is set into the future (beyond current date/time) and b) where the retention period is greater than the Minimum defined retention period per MTree and less than the Maximum defined retention period per MTree. Compliance Assessment 10

11 The initial retention period value and any valid retention period extension value thereafter is extracted from the atime attribute and stored as a protected file directory entry that is retained for the same period of time as the associated record file. A Minimum and Maximum retention period for each MTree must be established during the administrative setup of the Retention Lock Compliance software on EMC Data Domain systems. This ensures that the initial retention period for a record file and any subsequent retention period extension is not set below the Minimum or above the Maximum. Once set, the Minimum and Maximum retention periods can only be extended (such as increasing the Maximum to accommodate a legal hold) but they cannot be reduced. The retention period is then managed as follows: Any retention period atime value that is less than or equal to current time and therefore not a valid retention period is ignored since it is assumed to be an update to the time last accessed value. Any retention period value that is less than the Minimum retention period or greater than the Maximum retention period per Managed Tree will result in an error condition being returned to the client application. The retention period for any record file may be extended by recording a new atime retention value for a record file that is later in time than the current retention period but not later in time than the Maximum retention period. If an attempt is made to delete a record file before the retention period has expired, the delete command is rejected and results in an error condition. If an attempt is made to delete an MTree that is Retention Lock Compliance software enabled and currently contains record files, then the delete command is rejected and results in an error condition. Once the retention period has expired, deletion of the record file may be performed by an authorized client application or administrator. The accuracy of the system clock on the Data Domain system configured and enabled with DD Retention Lock Compliance edition is critical for determining whether the retention expiration date of a record file has expired. Situations can occur, such as a power outage, maintenance downtime, etc., which may affect the accuracy of the system clock and require it to be adjusted or reset. Additional statistics are gathered, analyses are performed, and Compliance Assessment 11

12 certain restrictions are placed on ensuring the accuracy of the system clock to meet retention compliance requirements. The accuracy of the system clock and variations of the system clock with current actual time is regularly monitored. The system clock is only allowed to vary by a maximum of two weeks in a year. Should the system clock vary beyond the two-week maximum during a year, then the administrative Security Officer dual sign-on is required to reset the clock to current time. No logical access (via a software user interface) without a Security Officer s dual sign-on is allowed for maintenance or troubleshooting purposes, such as the scenario where the DD Retention Lock Compliance enabled Data Domain system experiences a system error or corruption. For the extreme scenario where the full Data Domain Operating System will not start up, the only means to start or restart the system is through single user access to the system, via a physical USB drive, which must be protected and available only with a Security Officer s authorization. An MTree that is configured with DD Retention Lock Compliance can store files that are not regulated as records under the Rule. Accordingly, no retention period is required to be set. Record files required to be compliant with the Rule as well as non-regulated files can be intermixed on the same DD Retention Lock Compliance enabled MTree on the Data Domain system Other Considerations The following actions should be undertaken to ensure the compliance features of the DD Retention Lock Compliance software are activated and configured to meet the requirements of the Rule: The registrant must purchase and configure the EMC Data Domain Retention Lock Compliance edition license on the EMC Data Domain system so that the features necessary to meet the requirements of the Rule will be applied. Where administrative functions require a dual or second sign-on, Cohasset Associates strongly recommends that the authorized second sign-on person be the equivalent of either a Chief Compliance Officer or a Chief Security Officer or their representative as designated in writing. Compliance Assessment 12

13 It is imperative that the registrant ensure that the client application (which is writing record files regulated under the Rule) sends the appropriate retention period for each regulated record file to ensure that the DD Retention Lock Compliance protection features are appropriately applied. 2.3 Verifies Automatically the Quality and Accuracy of the Recording Process Compliance Requirement 1.31(b)(1)(ii)(B) Verifies automatically the quality and accuracy of the storage media recording process. The intent of CFTC Rule 1.31(b)(1)(ii)(B) is to ensure the media recording process is accurate to a very high degree and, therefore, the recorded information is of the highest quality. The objective of this requirement of the Rule is to provide the utmost confidence that all records read from the storage media are precisely the same as those recorded Compliance Assessment Cohasset believes that DD Retention Lock Compliance when installed and configured on the Data Domain system provides exceptional capabilities for meeting the CFTC requirement to verify the accuracy and completeness of the recording process DD Retention Lock Compliance Capabilities The DD Retention Lock Compliance enabled Data Domain system employs a comprehensive Data Domain Data Invulnerability Architecture for enhanced data integrity and recoverability. The Data Invulnerability Architecture provides for end-to-end verification using the following capabilities: Immediate verification at the time of recording, Fault avoidance and containment, Continuous fault detection and correction, and File system and MTree recoverability. The capabilities of DD Retention Lock Compliance that directly support the verification of the quality and accuracy of the recording process are: Initial Recording Process DD Retention Lock Compliance provides an exceptionally strong capability for verifying quality and accuracy for each container of record file data that is written. As part of the recording process, an immediate read-back is performed and the accuracy of the recording Compliance Assessment 13

14 is verified before being accepted as error-free. This method goes beyond the minimum acceptable reliance on state-of-the-art magnetic disk recording error checking and detection/ correction capabilities. Post Recording Process Record file data is packaged and written in containers (multi-megabyte units). A strong checksum value is calculated from the data in each container and stored with that container. The write verification process involves reading back the data in the stored containers and verifying that the checksums are accurate. After the containers are verified, the files contained in them are verified by reading the metadata of the files and verifying that each segment of a file exists in the container identified by the metadata. During verification, if the checksum does not match for any container, RAID 6 5 is used to correct the errors and recover the container. If the container cannot be recovered using RAID 6, an alert is raised to the client application whereupon the administrative support personnel can recover the data from a replicated or duplicate copy. During read-back of a record file, whether by the client archiving application or by the Data Domain file system, the checksums are verified and, when errors are encountered, RAID 6 error correction is applied as required, thereby ensuring that the record remains complete and accurate. Periodic scrubbing of the record file data on the DD Retention Lock Compliance enabled Data Domain system is performed to find and correct any defects that may occur. This is particularly important for those record files that have not been read back for an extended period of time Other Considerations There are no other considerations related to this requirement. 2.4 Serializes the Original and Duplicate Units of Storage Media Compliance Requirement 1.31(b)(1)(ii)(C) Serializes the original and, if applicable, duplicate units of storage media and creates a time-date record for the required period of retention for the information placed on such electronic storage media. The intention of this requirement is to identify each record with a unique file name and to place it chronological in time with a time/date stamp, thereby making it easier to locate and download. Compliance Assessment 14

15 2.4.2 Compliance Assessment Cohasset believes that a DD Retention Lock Compliance enabled Data Domain system meets the CFTC requirement to serialize both the original record and each duplicate copy stored DD Retention Lock Compliance Capabilities The following capabilities of DD Retention Lock Compliance are designed to meet the requirement of the Rule. DD Retention Lock Compliance provides each record file with a unique identification which contains an exclusive file name and date/time stamp, thereby uniquely identifying each record file logically and chronologically. When record files (on the source EMC Data Domain system) managed under DD Retention Lock Compliance are replicated to another Data Domain system configured with DD Retention Lock Compliance, the unique file name and data/time stamp as well as all retention metadata attributes are duplicated Other Considerations There are no other considerations related to this requirement. 2.5 Store Separately a Duplicate Copy Compliance Requirement 1.31(b)(2)(iv) Store a duplicate of the record, in any medium acceptable under this regulation, at a location separate from the original for the period of time required for the maintenance of the original. The intent of this requirement is to create a duplicate copy of the records that will be stored in a meaningfully separate location thereby making the records accessible should the primary location or storage source be compromised, i.e., lost, damaged, or destroyed Compliance Assessment It is Cohasset s opinion that DD Retention Lock Compliance enabled EMC Data Domain system complies with this SEC requirement DD Retention Lock Compliance Capabilities DD Retention Lock Compliance provides for an MTree to be replicated to a second Data Domain MTree (that is configured and enabled with DD Retention Lock Compliance) at Compliance Assessment 15

16 a separate location, either locally or remotely. During replication, all record file data and integrated control code metadata, including the retention period and read-only attribute, are replicated to the second MTree. Should a major error occur that makes the original records or MTree inaccessible, then the record files can be recovered from the replicated record and MTree copy Other Considerations There are no other considerations related to this requirement. Compliance Assessment 16

17 3. Conclusions This technical assessment has addressed whether the capabilities of DD Retention Lock Compliance (enabled on an EMC Data Domain system) meet the four relevant requirements of CFTC Rule 1.31(b). Cohasset s opinion is that the EMC Data Domain Retention Lock Compliance edition: Meets the requirements of the Rule for preserving the records in a non-erasable, nonrewriteable format through the use of integrated control codes, retention management controls, and security capabilities. Meets the requirements of the Rule related to the automatic verification of the accuracy and quality of the recording process in that it employs a comprehensive Data Invulnerability Architecture that provides in-line verification for each container of record file data stored, and utilizes state-of-the-art error detection and RAID 6 technology to correct any errors detected during read-back and periodic scrubbing. Uniquely identifies and serializes each record and duplicate copy that is stored. Supports the storage of a compliant duplicate copy of each record at a separate location and provides the means to recover records from the duplicate copy. Cohasset Associates conclusion: EMC Data Domain Retention Lock Compliance edition, when configured and enabled on a Data Domain system, meets the four requirements of the CFTC Rule addressed in this report the requirements that are the system s direct responsibility for retaining and storing records in digital form pursuant to the conditions set forth in Rule 1.31(b), which expressly allows records to be retained on an electronic storage media or system. Conclusions 17

18 End Notes 1. While not having issued any broad interpretive releases or updates to the Rule, the CFTC has issued three interpretation letters related to the Rule based on specific requests from registrants planning to store records electronically. The letter, numbers and subject matters are: No , PDF Image; No , Storage of records as PDF files, and No , Maintaining required records in PDF format. The focus of these three requests and CFTC interpretation letters was the use of PDF format for retained records. None of the interpretation letters specifically addressed the electronic storage media or system. 2. The SEC Rule 17a-4(f) requires a 90-day notification (waiting) period prior to deploying technology other than optical media. 3. The atime attribute in standard file protocol instructions represents the time last accessed for a file. For DD Retention Lock Compliance enabled MTrees, this attribute is utilized to establish the retention expiration date for a record file. 4. DD Retention Lock software currently supports only time-based retention (i.e., retain for a specified period from the time after the file is recorded). Event-based retention (i.e., indefinite retention once the file is recorded until a specified event occurs, followed by a fixed, final retention period) is not currently supported. 5. Redundant Array of Independent Disks (RAID): A method for recording data to magnetic disk devices that provides for various levels of error correction and read or write performance improvements. RAID 6 employs striped disks with dual parity and combines four or more disks in a way that provides for correction of detected errors for up to as many as two full disk units of data during read-back. End Notes 18

19 About Cohasset Associates, Inc. Cohasset Associates, Inc. ( is one of the nation s foremost consulting firms specializing in records and information management. Now in its fourth decade of serving clients throughout the United States, Cohasset Associates provides award-winning professional services in three areas: management consulting, education and legal research. Management Consulting: The focus of Cohasset Associates consulting practice is improving the programs, processes and systems that manage document-based information. Cohasset works to provide its clients with cost-effective solutions that will both achieve their business objectives and meet their legal/regulatory responsibilities. This ranges from establishing effective corporate records management programs to planning state-of-the-art electronic records systems. Education: Cohasset Associates is renowned for its longstanding leadership in records management education. Today, Cohasset s educational work is centered on its annual National Conference for Managing Electronic Records (MER), which addresses the operational, technical and legal issues associated with managing the complete life cycle of electronic records ( The MER sessions also are available to anyone, anytime, anywhere via streaming video through RIM on Demand. ( Legal Research: Cohasset Associates is nationally respected for its leadership on records management legal issues from retention schedules to the use of alternative media to paper for storing document-based information. For more than twenty years, Cohasset Associates has been a thought leader in records and information management. Cohasset has been described as the only management consulting firm in its field with its feet in the trenches and its eye on the horizon. It is this blend of practical experience and a clear vision of the future that, combined with Cohasset Associates commitment to excellence, has resulted in Cohasset Associates extraordinary record of accomplishments and innovation. This technical assessment and the information contained in it are copyrighted and are the sole property of Cohasset Associates, Inc. Selective references to the information and text of this technical assessment are welcome, provided such references have appropriate attributions and citations. Permission is granted for in-office reproduction so long as the contents are not edited and the look and feel of the reproduction is retained. About Cohasset 19