
Data Recovery: Your Security Checklist

Disaster strikes when you least expect it. That’s why any IT plan worth its salt must ensure that data is secured while it’s being recovered—not just during backups.

53% of organizations can tolerate less than an hour of downtime before experiencing significant revenue loss or other adverse business impact. — “ESG Research Review, Data Protection Survey,” Enterprise Strategy Group, April 2010

Your customers expect your organization to protect their sensitive personal information. And rightly so. In the wrong hands, their Social Security numbers, credit card numbers or other financial information could open the door to identity theft and its ensuing nightmares.

But your customers aren’t the only ones who stand to lose in the event of a data breach. At the very least, the loss or theft of data can generate bad press, and at worst it can cost you revenue, regulatory fines and associated legal fees. Your brand may take a permanent hit as your customers flee and your lawyers find themselves tied up in years of depositions and litigation.

That’s why it’s essential for businesses—large or small—to be able to not only recover from an incident, but also to ensure that their customer information is secure during data recovery efforts. This security checklist can help.

There Oughta Be a Law (and There Is)

In many lines of business, regulations govern data security practices. On the federal level, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) require financial institutions and healthcare providers, respectively, to secure customers’ personal information. In some cases, the business partners of these companies—even those not in finance or healthcare—must also comply with these regulations.

In addition to these federal protections, many state laws require small businesses to implement safeguards against the disclosure or misuse of personal information.

Key Steps to Data Recovery Security

It’s wise to keep up with legal mandates, as part of an overall security program that includes these steps:

1. Document your data recovery security policy. This is particularly important if your data center is storing terabytes’ worth of sensitive personal customer information that you may be compelled to retain for auditing and compliance purposes.

2. Keep backup tapes secure. Data archived at offsite locations is subject to the same data recovery, security and privacy policies as data in your own facility. An offsite tape storage partner can be a great way to keep your data protected. However, transporting tapes to and from a storage facility presents risks if your partner can’t vouch for the integrity of your data from point A to point B. Requiring your offsite tape storage partner to use a traceable chain of custody while your backup tapes are in transit lets you verify the security of your data during a simulated run-through or a live disaster recovery event. Keep in mind that a chain of custody tells you where a tape has been; it does not protect the data on a tape that goes missing, so encrypt tapes before they leave the building.

3. Keep strict control over your data recovery and backups. Your data recovery security system should let you create specific roles and levels of authority for each individual handling the data. This way, you can isolate sensitive data, such as customer information and payroll or financial records. Only those who absolutely need to recover such data may do so. Remember that anyone who can restore a backup can read everything on it, so restore rights deserve the same scrutiny as access to the live data.

4. Inventory all network computers—including mobile devices. Smartphones and tablets present IT departments with a new challenge for data recovery security and inventory processes. The biggest hurdle? Information on these devices isn’t as easy to identify as traditional files and folders on a desktop or laptop PC. With this in mind, spell out in your security policy what data users may access and store on their mobile devices. Consider the increasingly common use of flash drives, CDs, DVDs and other removable media as you develop these rules.

5. Install security patches and other updates across your enterprise. Technology changes quickly. You don’t want to find that you can’t recover data stored long-term because the hardware or software it depends on is outdated or incompatible. Separately, update every network machine—desktop computers, laptops, servers and mobile devices—with the latest security patches, antivirus software and encryption technology. And don’t forget the offsite or third-party systems responsible for data recovery security in this process.

6. Share your data security policy with your customers. When you openly disclose your procedures, you’ll likely boost customer confidence and gain a competitive edge. But exercise prudence in your message: don’t disclose system specifics, such as your encryption measures or data locations.
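The "traceable chain of custody" and "integrity from point A to point B" in step 2 can be made concrete: record a digest of each tape before it ships, keep a custody log in which every handoff entry authenticates itself and the previous entry, and check both when the tapes come back or during a recovery drill. The following is an added example written for this page; it is not Iron Mountain's code or any vendor's custody format. The tape contents, names and timestamps are constructed, and the shared HMAC key is assumed to be distributed between sender and vault out of band.

```python
"""Tamper-evident chain-of-custody log plus a tape integrity manifest.

Added example for the checklist above; not the page's or any vendor's code.
Tape images, actor names and timestamps below are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample "tape images" (in practice, the bytes written to each tape).
TAPES: Dict[str, bytes] = {
    "TAPE-0001": b"payroll backup 2010-04-01 " * 100,
    "TAPE-0002": b"customer records backup 2010-04-01 " * 100,
}

# Assumption: a key shared by the data center and the vault, exchanged out of band.
CUSTODY_KEY = b"example-custody-key-replace-me"
GENESIS = "0" * 64  # "previous MAC" value for the first log entry


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tapes: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest per tape before it leaves the building."""
    return {tape_id: digest(content) for tape_id, content in tapes.items()}


def _mac(entry: dict) -> str:
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(CUSTODY_KEY, body, hashlib.sha256).hexdigest()


def append_handoff(log: List[dict], actor_from: str, actor_to: str,
                   tape_ids: List[str], timestamp: str) -> List[dict]:
    """Append a custody event. Each entry's MAC covers its own fields and the
    previous entry's MAC, so editing, deleting or reordering entries is detectable."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"from": actor_from, "to": actor_to, "tapes": sorted(tape_ids),
             "at": timestamp, "prev": prev}
    entry["mac"] = _mac(entry)
    log.append(entry)
    return log


def verify_log(log: List[dict]) -> Tuple[bool, int]:
    """Return (ok, index of first bad entry); index is -1 when the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev") != prev:
            return False, i          # a link is missing or out of order
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_mac(body), entry.get("mac", "")):
            return False, i          # the entry's contents were altered
        prev = entry["mac"]
    return True, -1


def verify_receipt(manifest: Dict[str, str], received: Dict[str, bytes]) -> Dict[str, str]:
    """On arrival (or at a restore drill), check every manifest tape is present
    and unchanged. Returns a map of tape id -> problem; empty means all good."""
    problems = {}
    for tape_id, expected in manifest.items():
        if tape_id not in received:
            problems[tape_id] = "missing"
        elif digest(received[tape_id]) != expected:
            problems[tape_id] = "digest mismatch"
    return problems


def demo() -> Tuple[bool, bool, int, Dict[str, str]]:
    """Walk a shipment through two handoffs, then show the two failure modes."""
    manifest = build_manifest(TAPES)
    log: List[dict] = []
    append_handoff(log, "datacenter", "courier", list(TAPES), "2010-04-02T08:00:00Z")
    append_handoff(log, "courier", "vault", list(TAPES), "2010-04-02T11:30:00Z")
    intact, _ = verify_log(log)

    # Someone rewrites history: the first handoff now names a different recipient.
    tampered = json.loads(json.dumps(log))
    tampered[0]["to"] = "unknown"
    tampered_ok, bad_index = verify_log(tampered)

    # One tape comes back with its contents altered.
    returned = dict(TAPES)
    returned["TAPE-0002"] = TAPES["TAPE-0002"] + b"X"
    problems = verify_receipt(manifest, returned)
    return intact, tampered_ok, bad_index, problems


if __name__ == "__main__":
    print(demo())  # (True, False, 0, {'TAPE-0002': 'digest mismatch'})
```

The manifest is what lets you make the "integrity from point A to point B" claim yourself rather than taking the courier's word for it; the log only proves the sequence of handoffs was not edited after the fact by anyone without the key. Keep the manifest and the key on your side, not with the tapes.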

Do you have questions about data backup and recovery? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s Data Backup and Recovery team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.
