Which leads to the next question: what happens to the data once it has been stored? Who is going to look at it? And, equally important, who is not? Security is all about maintaining the confidentiality, integrity, and availability of information and proving non-repudiation. All the security technology in the world comes to nothing if there is no way of controlling who can access the archives. And, with the increased need for reliable audit trails in mind, the enterprise also needs to prove who has, and hasn’t, been viewing saved records and, indeed, who has made copies.
Organisations need to address this issue from two angles: classifying the information, and identifying the user. Document management and identity management technologies are therefore two of the most crucial elements for any storage security policy. Most businesses underestimate how much data they produce: technology, especially email, has enabled unprecedented levels of duplication and filing anarchy. Unless a company has been exceptionally meticulous in its IT use, there is usually little or no knowledge of what information has been created. Document management procedures will identify which records, files, and data need to be secured, and how long they need to be saved for.
Identifying and classifying the information involved is the first step to ensuring that only authorised personnel have access to it. The next is to allocate access privileges to individuals, based on who they are and the role they fulfil. User authentication, based on comprehensive identity management, therefore plays an essential role in keeping storage secure and will be able to provide the three As of any security measure: authentication, authorisation and audit. Furthermore, by making it easier to integrate data storage with desktop access, identity management helps the organisation fulfil the first criterion of its security policy: making it user-friendly.
The final consideration for the storage policy is that it must be communicated to the user group. There’s no point in having a carefully drafted plan of action if no one knows about it. Education is essential, and is the responsibility not just of the IT or risk management team, but also of business managers and HR. But with everyone involved, and an effective programme of communication in place, an appropriate policy for secure storage will ensure that investments made in data encryption and the like will be maximised, and that an organisation need not fear a visit from the regulators.
Electronic data is now essential for modern business, and information management and security policies form the instruction set by which it will be used. This in turn forms one of the key foundations for best practice business operations.