Don’t let a disaster leave your data out in the cold

By Andrew Wild, CSO at Qualys

When we see images from natural disasters like Hurricane Sandy of flooded neighborhoods, downed power lines and destroyed homes the first concern, of course, is for the safety of the people. But as a chief security officer I also think about how disasters affect companies and the vital assets of their business – the data.

Natural disasters are unpredictable. They happen out of the blue and leave no time to prepare. So now – while things are calm -- would be a good time to make sure your data isn’t left to the mercy of the forces of nature. Being prepared means creating information management policies and procedures so that sensitive information remains protected regardless of what happens. This process includes four steps: identifying data that needs to be kept confidential, classifying the sensitivity of it, deciding how it can be best protected and how data left on discarded computer systemscan be kept away from prying eyes.

1) Identification

All data management programs shouldstart with identifying important information resources, which should be tracked throughout their lifecycle. The organization needs to identify not just all the information it has, but how sensitive it is and where it is processed and stored. Sensitive data can find its way into many different types of systems beyond servers and desktops, including printers, copiers, scanners, laptops, cash registers, payment terminals, thumb drives, external hard drives and mobile devices.

2) Classification

Before an organization can classify the sensitivity of information, itmust set policies around data ownership – who is responsible for what data? Employees often believe that the IT department owns all of the organization’s data and is solely responsible for securing it. However, the business unit that creates or uses the data is usually the best candidate for taking on the classification and ownership responsibilities for the data, including naming an owner and a custodian of the information. When making these decisions it is important to consider the impact to the organization that would come if the data were to be lost or inappropriately disclosed. Typically, data is classified into four levels: Public, Internal Use Only, Confidential and Restricted. The classifications should support business requirements and ensure the appropriate level of safeguarding for every type of sensitive information.

3) Handling

Next up is deciding how the different classifications of data should be stored and handled. Typically, the handling processes are defined by the classification level of the resource. The higher the sensitivity, the more stringent the handling procedures should be. For example, organizations will require the most sensitive information to be encrypted, and may prohibit the use of devices like USB flash drives for highly sensitive data because they can be contaminated with malware and easily lost or stolen.

4) Destruction

People who spend a lot of energy protecting sensitive information often neglect to take precautions once they are done with the data or systems on which it is stored. Exposing confidential data by failing to properly sanitize or destroy media like hard drives can be considered a breach subject to state data breach laws. It can put consumers at risk of identity theft and corporations at risk of espionage. As such, it is imperative that information management policies include procedures for proper destruction and disposal of data storage systems. Paper, magnetic tape, optical discs and hard disk drives can all be shredded, making it very difficult to recover the information. For organizations that don’t want to take any chances with highly sensitive information, they can write over data several times or use a degaussing technique on magnetic media to make sure that the original data is not recoverable. There are third parties that offer a range ofservices for wiping data entirely from systems. Interestingly, computers may be destroyed in natural disasters but that doesn’t mean the data on the disk drives can’t be recovered and thus leaked to the outside world if the systems are not handled properly.

I sincerely hope that the victims of Hurricane Sandy have recovered and are rebuilding. For the rest of us, this can serve as a reminder of the need to be prepared with information management policies in the event of a disaster.

Andrew has more than 20 years of experience leading teams to design, implement and operate secure networks and computer systems. As Qualys' Chief Security Officer, Andrew oversees the security, risk management and compliance of its enterprise and SaaS environments. Prior to joining Qualys, he managed a team of information security engineers responsible for the design, implementation and operation of security solutions for EMC's SaaS offerings, with heavy emphasis on cloud and virtualization technologies. Prior to EMC, he was the Chief Security Officer at Transaction Network Services. He has also held a variety of network engineering leadership roles with large network service providers including BT and Sprint. Andrew has a master's degree in electrical engineering from George Washington University and a bachelor's degree in electrical engineering from the United States Military Academy. He is a veteran of the United States Army and served in Operations Desert Shield and Desert Storm.