Information Risk Management - Storage Security Best Practices
The SNIA Storage Security Industry Forum (SSIF) delivers education on storage and security to a worldwide audience through its SSIF Speakers Bureau and storage security presentations. Working with end user groups, the SSIF has noted the increasing concern over information risk management, and has developed educational materials that describe a variety of ways to address this very important area. This article summarizes the key points in the SSIF presentation "Information Risk Management", and offers links for more information. The SSIF will be presenting "Information Risk Management" at a variety of venues over the next few months. Check the SSIF website at www.snia.org/ssif for the latest event calendar.
With the average cost of a privacy breach hovering around $200 per compromised record, information risk is grabbing the attention of individuals and departments across the corporation. Protecting information is a key focus of IT executives, and 63% rate compliance with regulations as a top challenge. With the average legal discovery request costing $150,000 - $250,000, what to retain and for how long keeps the midnight oil burning for records managers. And keeping information resilient - always available when you need it - can help IT mitigate the cost of downtime, now up to 16% of revenue in some industries.[1]
Recent market trends also affect the IT environment. It is no surprise that new forms of information, including mobile, audio, and video data, need seamless access. Planned events such as corporate mergers and acquisitions, and unplanned events such as environmental disasters and terror threats, demand risk mitigation. Increased energy costs require IT optimization for better return on investment (ROI). And all of these trends demand the flexibility to handle increasing volumes of data integrated across the company and linked with partners and suppliers.
When the goal is to manage information risk, storage security experts recommend building an information-centric infrastructure. IT professionals can look to four goals for guidance on the activities needed to build it successfully. The document "SNIA's Storage Security Best Current Practices (BCPs) Version 2.0," available at the SSIF website, provides vendor-neutral guidance on both core and technology-specific practices for reaching these four goals.
Information Security
The goal of information security is to enable IT to protect and securely share information across the enterprise, its partners, and customers. Information security can be accomplished by protecting data in motion and on removable media, protecting laptops, implementing industry-standard encryption for storage infrastructures, and integrating policies for access management.
SNIA's Storage Security BCPs outline steps to achieve information security in the categories of general storage security (GEN), storage systems security (SSS), storage management security (SMS), Fibre Channel storage (FCS), encryption for storage (ENC), and key management for storage (KMS).
Information Integrity
The goal of information integrity is to reduce reputation risk, costs, and audit deficiencies. Implementing data governance methods, such as audit trails generated by encryption and key-management operations, can drive compliance reporting. Encrypted data can be rendered unrecoverable by destroying its keys, eliminating the need to physically destroy the medium and mitigating the risk of human error; this holds only if every copy of the key, including backup and escrowed copies, is destroyed. Authentication and provenance of data, which lie largely outside the storage layer, must also be practiced. SNIA's Storage Security BCPs outline steps to achieve information integrity in the categories of general storage security (GEN), storage systems security (SSS), encryption for storage (ENC), and key management for storage (KMS).
Information Retention
The goal of information retention is to support chronological and event-based retention policies. IT professionals can ensure that retention periods are implemented and enforced. Data is destroyed via physical inventory and destruction policies, and an audit trail must be kept for verification. Encrypted data can be destroyed through key management alone, by destroying every copy of its key.
SNIA's Storage Security BCPs outline steps to achieve information retention in the categories of addressing data security compliance (GEN05), securing the active archive (ARC01.A), and providing governance and compliance functionality (ARC01.B).
Information Resiliency
The goal of information resiliency is to deliver continuous and reliable access to information. IT should ensure that a highly available key management service can be deployed, that scenarios have robust key recovery and disaster support, and that key recovery activities include access to labels and other metadata in the clear. Note that key recovery and key-based data destruction pull in opposite directions: every recovery copy of a key is a copy that must also be destroyed when the data's retention period ends.
SNIA's Storage Security BCPs outline steps to achieve information resiliency in the categories of general storage security (GEN) and storage systems security (SSS).
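The key-management points in the Information Integrity, Information Retention and Information Resiliency sections above interact: key recovery keeps extra copies of keys around, and key-based destruction only works once every one of those copies is gone. The following Python is an added example, not code from SNIA or the SSIF, and does not model any real key-management product. The KeyStore class, its escrow copy, the audit list, the record name and the sample record are constructed for illustration. The cipher is a stand-in (counter mode over HMAC-SHA256 with an encrypt-then-MAC tag) chosen so the example runs on the standard library alone; a real deployment would use AES-GCM or XTS from a vetted library.

```python
"""Cryptographic erasure with an audited, escrowed key store (added example)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(dek: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one data-encryption key.
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF (stand-in for AES-CTR).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag first; on failure raise rather than return garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(dek, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyStore:
    """Hypothetical in-memory key service: per-record DEKs, an escrow copy
    (the disaster-recovery replica resiliency calls for) and an audit trail."""

    def __init__(self) -> None:
        self._primary = {}   # key_id -> DEK used for day-to-day access
        self._escrow = {}    # key_id -> DEK copy kept for key recovery
        self.audit = []      # append-only in a real service

    def create(self, key_id: str) -> bytes:
        dek = os.urandom(32)
        self._primary[key_id] = dek
        self._escrow[key_id] = dek
        self.audit.append(("create", key_id))
        return dek

    def get(self, key_id: str) -> bytes:
        # Key recovery path: fall back to the escrow copy if the primary is gone.
        dek = self._primary.get(key_id) or self._escrow.get(key_id)
        self.audit.append(("access" if dek else "access-denied", key_id))
        if dek is None:
            raise KeyError(key_id)
        return dek

    def crypto_erase(self, key_id: str, include_escrow: bool = True) -> None:
        """Destroy the DEK. Leaving the escrow copy behind is the classic
        failure: the ciphertext stays recoverable and retention is not enforced."""
        self._primary.pop(key_id, None)
        if include_escrow:
            self._escrow.pop(key_id, None)
        self.audit.append(("erase", key_id, "all copies" if include_escrow else "primary only"))


def recoverable(store: KeyStore, key_id: str, blob: bytes) -> bool:
    """True if the record can still be decrypted with whatever keys remain."""
    try:
        decrypt(store.get(key_id), blob)
        return True
    except (KeyError, ValueError):
        return False


def demo() -> dict:
    store = KeyStore()
    record = b"constructed sample: customer 1001, card ending 4242"
    blob = encrypt(store.create("rec-1001"), record)
    results = {"before_erase": recoverable(store, "rec-1001", blob)}
    store.crypto_erase("rec-1001", include_escrow=False)   # forgot the DR copy
    results["after_partial_erase"] = recoverable(store, "rec-1001", blob)
    store.crypto_erase("rec-1001")                         # every copy gone
    results["after_full_erase"] = recoverable(store, "rec-1001", blob)
    results["audit_events"] = [event[0] for event in store.audit]
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the erasure only taking effect once the escrow copy is destroyed as well, and the audit list records each create, access, erase and denied access. In a real service that trail would be append-only and tamper-evident so that it can serve as the verification evidence the retention section asks for, and the erase entry is the record that the medium no longer needs physical destruction.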
For more information on SSIF, its programs like the Best Current Practices, the SSIF Knowledge Center, and upcoming events where you can see "Information Risk Management" live, visit the Storage Security Industry Forum website at www.snia.org.
[1] Sources: CIO Magazine survey 2007; IBM Tivoli Market Needs and Profiling Study 2005; "The Costs of Enterprise Downtime: NA Vertical Markets 2005," Information Research; IBM Market Intelligence