1 / 28

Does Your Enterprise Have A Security Gap ?

HDI Sacramento Chapter August 16th, 2011. Does Your Enterprise Have A Security Gap ?. Agenda. What Is The Data Security Gap? How Can You Close That Gap? Questions & Answers. All Storage Devices Fail. I NEED MY DATA NOW!. Hardware Failure Requires Professional Data Recovery.

hal
Télécharger la présentation

Does Your Enterprise Have A Security Gap ?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HDI Sacramento Chapter August 16th, 2011 Does Your Enterprise Have A Security Gap ?

  2. Agenda What Is The Data Security Gap? How Can You Close That Gap? Questions & Answers

  3. All Storage Devices Fail

  4. I NEED MY DATA NOW!

  5. Hardware Failure RequiresProfessional Data Recovery Main Causes of Device Failure and Data Loss

  6. Who Can You Trust?

  7. The Risk of Choosing theWrong Recovery Vendor Ponemon Institute Survey: First national study on security of data recovery operations 636 IT Security/IT Support professionals surveyed All verticals, including business and government Focus on third-party data recovery services Goal: Confirm or dispel belief that confidential and sensitive data may be at risk when in the possession of a disreputable third-party data recovery service provider.

  8. Myth Buster: “We never send data out for recovery!” Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

  9. Surprise Factor:Loss of Sensitive Data Drives Vendor Engagements Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

  10. Known Factor:Data Recovery Vendors Selected by IT Support Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

  11. Risk Factor:IT Security Not Involved In Selection Process Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

  12. Data Recovery Providers Could Put Your Data at Risk 83% reported a breach 19% breached at data recovery vendor 43% due to vendor’s lack of security protocols Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

  13. The Smoking Gun

  14. Closing the Data Security Gap

  15. New NIST Guideline: Proper Security Vetting NIST Special Publication (SP) 800-34 • Updated language to Section 5.1.3 “Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The service provider and employees should sign non discloser agreements, be properly bonded, and adhere to organization-specific security policies." Source: Contingency Planning Guide for Federal Information Systems, Section 5.1.3: Protection of Resources

  16. SIG/AUP Auditing Tools BITS/Financial Roundtable/Shared Assessments • Standardized Information Gathering (SIG) tool (SIG.V6) updated October, 2010 Do third party vendors have access to Scoped Systems and Data? (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc)? If so, is there: • Security review prior to engaging their services (logical, physical, other corp controls) • Security review at least annually, on an ongoing basis • Risk assessments or review • Confidentiality and/or Non Disclosure Agreement requirements • Requirement to notify of changes that might affect services rendered

  17. FDIC Vendor Mgt Guidelines FDIC • Action items discussed • Internal memo to be distributed to FDIC Examiners • Letter to be distributed to Financial Institutions • Updates to FFIEC handbook

  18. Risk Points During Data Recovery • Negligent or unethical data recovery technicians • Unprotected networks housing restored data files • Lost or compromised data during transit • Switch-up of client data • Improper disposal of unwanted storage devices • Recovered data returned with viruses or malware

  19. Vet Your Data Recovery Vendors

  20. Checklist for Vetting Data Recovery Vendors Demand Proof: Proof of internal information technology controls and data security safeguards, such as SAS 70 Type II audit reports Certification by leading encryption software companies Proof of chain-of-custody protocols and certified secure network Vetting and background checks of all employees Secure and permanent data destruction when required Use of encryption for data files in transit Proof of a certified ISO-5 (Class 100) Cleanroom Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

  21. DriveSavers Best Practices Technology Certifications Protocols

  22. We Can Save It!

  23. Choose Your Service Option

  24. Live 24/7 Support

  25. Approved GSA Contractor - #GS-35F-0121S • Annual SAS 70 II Security Audits • High Security Service Available • Certified to recover encrypted data • DOD-approved data erasure process

  26. Recap • Data loss does occur • Data recovery companies are used often • Critical data is at risk of breach • You can close the security gap • Vet the security protocols of data recovery service providers

  27. Q & A

  28. Thank you Michael Hall, CISO michael.hall@drivesavers.com 415.382.8000 ext 126 Rob Matheson Corporate Account Executive Rob.matheson@drivesavers.com 415.382.8000 ext 136

More Related