WORM Compliance at Work

Published On November 27, 2018

Vendors create WORM-compliant storage technologies (Write-Once, Read-Many) so that organizations can write (save) data to the media indefinitely. Where WORM compliance is critical, companies naturally prefer WORM media so that data can live and remain available for many years without risk to its integrity. Once the data is written, organizations can read it many times throughout the life of the media.

WORM media’s write-once capability marries the data to the technology permanently so that it is preserved in its original state, impossible to manipulate, rewrite, overwrite or erase. WORM media come in several formats, including tape, disk, optical disk and the cloud. Vendors enable write-once capabilities for WORM media using write protection, a feature of the hardware or software, which makes it impossible to write to the storage technology again.

WORM media are essential to organizations’ endeavors to meet the CIA triad guideline for information security. The CIA triad — confidentiality, integrity and availability — dictates the manner in which organizations must maintain data. WORM storage offers native protection for data integrity and availability. The longer the WORM media’s life span, the longer organizations can access the information.

Some WORM media can last 10 to 20 years or longer, depending on the media type. An organization’s maintenance and frequency of its use of the media affect the media’s life span and thereby the data’s availability.

With strong encryption — commonly available with WORM-compliant storage — organizations can complete the CIA triad, ensuring data confidentiality. Companies can encrypt data in transit to WORM storage media or at rest on the media to secure data against exposure and theft.

Key industries count on WORM-compliant storage to meet industry and regulatory standards. In the finance industry, for example, securities exchanges must use WORM-compliant storage media to meet the requirements of Securities and Exchange Commission rule 17a-4. The rule requires a write-once, non-erasable format to prevent changes and deletion of electronic records; the industry uses WORM media to meet these requirements.

The health care industry counts on WORM-compliant storage to meet data-retention time requirements. While HIPAA defers to the states for medical-record retention laws and policies, it requires participants in the health care industry to retain all other documents related to HIPAA for at least six years, according to CFR §164.316(b)(1). WORM storage retains data long enough and prevents its corruption.

Companies that accept credit cards adhere to the PCI-DSS standard. The PCI-DSS requires that organizations protect credit card data against tampering. These companies use WORM-compliant storage to store and safeguard personally identifiable information (PII) and financial information associated with credit cards against loss and alteration.

WORM storage can prevent data loss and damage as well as regulatory fines and brand damage in industries that recommend or demand that the technology meet security and privacy mandates. The finance industry fines securities exchanges and brokerages in incidents when they did not use WORM storage appropriately.

WORM storage technology is an excellent option for incorruptible data backup for organizations that need to restore data in response to a ransomware attack. WORM media comes in formats that guard copyrighted information. Companies also use WORM storage to archive data for e-discovery. There are many other applications of WORM media.

Write-once technology lets organizations reuse and preserve valuable data over extended periods. WORM compliance is the industry’s best investment in the health and accessibility of its most precious information resources.