DriveSavers Data Recovery

Today, DriveSavers is the worldwide leader in data recovery services and provides the fastest, most secure and reliable data recovery service available. We employ over 75 professionals and support over 8,000 business partners. Most of our business comes from referrals and repeat customers. We have earned our reputation as a trusted and respected data recovery service provider.

Published on SB Informer.

Tips: The Low Profile, High Impact Risk To Enterprise Security


December 03, 2012



Risk management is a must in today's environment of mounting digital attacks on vital corporate assets and on the regulated data that corporations are entrusted to protect. Most corporations run a layered security practice that combines multiple security controls to protect this sensitive data. One internal process, however, is routinely overlooked: data recovery. When a failed drive leaves the building for recovery, the data on it leaves the protection of that layered practice, and few organizations have policies that cover the hand-off. DriveSavers Data Recovery offers the following steps to help businesses close the security gap created by the data recovery process.

Step 1: Conduct a gap analysis.

The first step is to determine whether this security gap exists within the organization. Answers to the following questions will help determine that.

  • When a user's device or a storage system goes down, are the failed drives sent to a data recovery vendor? Under what circumstances?
  • Is an incident report filed? Under what circumstances?
  • Who chooses the data recovery vendor?
  • Does the type of data to be recovered drive the vendor selection criteria?
  • What are the current audit and assessment processes for data recovery vendors?
  • Are the vendor's security protocols vetted before its services are engaged?

Step 2: Revise internal and external policies and procedures where needed.

If the gap exists in the organization, determine which internal policies, procedures, and practices need to be revised. The revised internal policies should apply to every third party data recovery vendor that handles the organization's sensitive and regulated data. Contract modifications may be necessary to ensure that vendors handle the corporation's data at the same level the corporation handles it internally.

  • Internal policies and procedures, business continuity, disaster recovery, and incident response plans should address the use of data recovery service providers.
  • Policies and guidelines should be established within the enterprise for vetting a data recovery service provider.
  • Criteria for selecting data recovery vendors and the required supporting proof should be specified.

Step 3: Develop and operate enforcement mechanisms.

Revising the policies, procedures, and practices to mitigate the gap is only the first step. The following are required to ensure that the new policies, procedures, and practices are actually followed:

  • Define documented and repeatable business associate risk management processes to address drive failure, data loss and the use of third party recovery vendors.
  • Conduct mandatory annual security reviews of data recovery service providers.
  • Develop and deploy employee training and awareness programs to ensure sensitive and confidential data are protected throughout the data loss and data recovery process.
  • Establish strong enforcement practices for failing to adhere to the organization’s policies.

Step 4: Modify contracts with third party vendors to align with internal changes.

Any internal changes to the policies and procedures governing the use of third party data recovery vendors should be mirrored in the contractual arrangements with high-risk third party vendors that handle the organization's sensitive and regulated data. In most cases the vendor contract will already contain the necessary security provisions but will not call out the data recovery process specifically. It is recommended that the criteria established for selecting a data recovery vendor be used as the basis for amending these contracts.

Step 5: Ongoing monitoring of the third party data recovery vendors

Many companies have excellent vetting protocols outlined in their vendor risk management, business continuity and disaster recovery plans, but data recovery vendors require some special consideration for ongoing monitoring. These performance-monitoring controls should include:

  • Annual review of the vendor's audit reports and certification documents to verify that they are up-to-date.
  • Assurance that the vendor complies with the industry- and government-mandated data privacy and security requirements that apply to the PII and regulated data it handles (SOX, GLBA, PCI DSS, CA SB 1386, CA AB 1950, MA 201 CMR 17.03, NIST SP 800-34 Rev. 1, HIPAA, etc.).
  • Annual on-site quality assurance reviews.
  • Periodic analysis of the vendor's financial condition.
  • Assessments of compliance with contract terms.
  • Testing the vendor's business contingency planning.
  • Evaluating adequacy of the vendor's training to its employees.
  • Periodic meetings with the vendor to review contract performance and operational issues.
  • Anonymous testing of vendor’s service capabilities.

Given that there are no directives, standards, or established best practices that specifically address data recovery, these steps can provide a roadmap for mitigating the risk it introduces. The solution to this high impact risk requires only policy and procedural changes and is low in cost. It ensures that the confidentiality, integrity, and availability of the corporation's sensitive information are maintained throughout the data recovery process.
