Lock down process, manage data throughout the lifecycle
Storage professionals should avoid retaining backup tapes longer than the retention period requires. Every tape kept past its useful life is a copy of the data that still has to be protected, and at least one organization that held data longer than required saw that surplus copy become the source of a security breach. A plan for managing data from creation to deletion ensures that only the information still needed remains accessible. Information should be classified when it is created or received and assigned a policy that states how it is managed, how long it is retained, and how it is deleted; for tape, deletion means verified erasure or physical destruction of the media, not merely the expiry of a catalog entry.
Beyond the obvious step of replacing manufacturers' default passwords on storage management interfaces, organizations should have a clear plan for changing passwords and should issue a separate ID and password to each user, so that every action on the storage system can be traced to an individual rather than to a shared account. Storage professionals should also match the storage tier to the data: information that is rarely accessed can be kept on tape rather than occupying more expensive disk-based storage, and the smaller the online footprint, the smaller the exposed surface.
Access control is another basic security measure that should be in place within any organization. IT should implement granular control over who can access data and the applications that manage it, granting each user or role only the rights and permissions its work actually requires for each type of data.
While backing up to and securing tape is important, recoverability is even more critical: a backup that cannot be restored protects nothing. Organizations should consider a combination of disk- and tape-based solutions to ensure the integrity and availability of information. Disk-based solutions provide ease of use and fast, reliable recovery, which makes the overall recovery strategy more effective; tape provides inexpensive, offline, long-term retention. Storage professionals should deploy the combination of disk and tape that works best for their organization and provides the benefits of both technologies, and should test it by actually restoring data, not only by confirming that backup jobs completed.
Compliance Drives Concerns
By implementing these best practices, organizations not only earn the trust of consumers by avoiding embarrassing and potentially damaging losses of data, but also comply with industry regulations. Public companies in the United States are feeling greater regulatory pressure to improve information security because of the Sarbanes-Oxley Act, whose internal-control requirements extend to the IT systems and data that underpin financial reporting, so the controls over that data fall within the scope of the audit.
Additionally, laws such as the California Security Breach Information Act (SB 1386) have drawn more attention to the problem and increased consumer awareness of identity theft and personal data protection. The California law requires organizations that maintain personal information about individuals to inform those individuals if the security of that information is compromised. It stipulates that if there is a security breach of a database containing personal data, the responsible organization must notify each affected individual, and it applies to unencrypted personal information, which is one reason encrypting stored personal data, backup media included, matters under it. The law is far-reaching: it applies to any person or business that conducts business in California and holds personal information about California residents, wherever that business is based. At the time of writing, 26 other states had enacted laws similar to SB 1386.