How to reduce risk with storage security policies


Kevin Beaver
08.01.2007

What you will learn: This tip outlines the importance of storage security policies and offers advice on how to make sure your storage security policies reflect real-world storage needs.

Most organizations have a set of policies related to information security. From acceptable usage to user provisioning to wireless networks, almost every aspect of IT is addressed. That's fine and good, but there's a problem that's leaving a lot of organizations at risk. And that is, security policies rarely address the storage environment, or if they do, they fall short of addressing real-world storage needs.

Generally, many IT pros believe that storage systems are safe and sound working in the background where they are secured from the elements. This may have been the case in the past, but in reality, back-end storage devices are being exposed more and more to those who abuse their privileges or use hacking tools to gain access. These vulnerabilities pose business risks that fall within the scope of your organization's compliance requirements.

You can look at policies as being a requirement of the laws and regulations your organization is undoubtedly up against, but there's more to it than simply letting the government and other regulatory bodies drive your business. Instead, there are several business reasons for reworking your existing storage security policies to address your storage risks. First of all, you as the storage or network administrator are more plugged in to the information security function. I feel strongly that more than one person needs to be responsible for managing security risks. By getting others involved in policy management, you'll be able to create better policies that address business needs. As a bonus, it will help take a load off your plate. You'll also gain the visibility of upper management, which is great for security buy-in and your IT/storage budget.

Knowing which policies are right for your organization requires an understanding of what's at risk. This information can be gleaned from a recent information risk assessment or an audit. Once you understand where the gaps are, you'll need to decide whether you should create separate storage-related policies or simply integrate storage components within the scope of your existing policies. I recommend the latter, if possible, for several reasons. Policies themselves are difficult enough to manage, but when you have separate sets of policies that fall within the scope of IT, a lot of unnecessary work is created. There's also too little accountability and too much finger pointing. I frequently see policies that one person or niche group "owns," which end up being unenforceable, overlooked and forgotten. Bottom line: make sure both sets of policies are consistent in formatting, management and enforcement.

The ISO/IEC 17799:2005 standard clearly outlines what's needed when it comes to information security policies: management support, direction relative to business requirements and coverage across the organization. All other security standards and practices, such as those from NIST and SANS, recommend the same thing. Don't reinvent the wheel -- that'll turn you off policies quicker than anything. Instead, take the advice that's already been documented in these standards and apply it directly to your storage security needs.

Creating storage-specific security policies doesn't mean you'll have a truly secure environment. It will, however, show auditors, regulators and external consultants performing security assessments that you have taken the initiative to protect your data as business risks continue to evolve. It's not necessarily fun or sexy or exciting, but security policies addressing your storage systems need to be in place -- why not go ahead and get rolling now?

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments revolving around compliance and risk management. Kevin can be reached at kbeaver at principlelogic.com.

All Rights Reserved, Copyright 2000 - 2008, TechTarget