The compliance payoffs for securing vulnerable information at rest

Most organizations, large and small, are affected by some type of law or regulation dealing with information privacy and security. As I've highlighted in a previous tip, some of the greatest security risks revolve around information at rest. When it's all said and done, virtually every information privacy and security law and regulation in the U.S., Canada, Europe and elsewhere requires in some way that sensitive information at rest (health information, financial information, financial reporting information, etc.) be protected in reasonable ways. It's really the most fundamental of all protection requirements.

Related information Symantec fixes 'critical' Veritas flaw Strategic Storage: Storage security -- Change old habits and stop data theft EMC sketches out security strategy Top five security questions to ask storage vendors

Whether the threat comes in the form of malicious insiders, malware or hackers, businesses can't afford to not protect this information. There's simply too much too lose -- especially when it comes to some of the severe fines and jail time associated with noncompliance with recent regulations.

Various proven safeguards and countermeasures exist for the protection of information at rest, but you can't really implement and manage them effectively without some business justification. Ideally, business needs and risk management should drive the need for information security -- not solely regulatory compliance requirements. In fact, recent surveys show that regulatory compliance is less of a driver for security spending than many anticipated.

Regardless, it's got to be done sooner or later. Here are some business-focused benefits of compliance you can use to sell security within your organization and show that value can be attained by ensuring the proper controls are in place for sensitive information at rest:

• Hold people accountable via unique user IDs, separation of duties, etc.
• Create another layer of security through the use of dedicated -- and properly secured -- storage systems in the form of NAS, SANs and SAS devices.
• Demand that employees incorporate security into their daily jobs via secure password management, least privilege permission assignments, proper data handling and more.
• Hold data owners responsible for tracking down where sensitive data is stored (it's often in very unlikely places such as workstation temp directories and user's Documents and Settings folders in Windows) and that proper oversight of this data is taking place.
• Management needs to show that due care is taken to secure sensitive information on workstations, servers and mobile devices when least privilege permissions and other access controls have been put in place.
• Database and storage administrators can feel good about going above and beyond the call of duty by encrypting files, database tables or entire drives that contain information that should not be accessed in an unauthorized fashion.
• Accountability (or vindication) follows suit in the event of a breach when proper audit logging is taking place.
• If a disaster strikes, information that must be protected is restored with backups that are administered and tested properly.

I'm a big advocate of keeping things simple and practical. Perfecting the security of your data at rest is not necessary at first and will likely prove elusive moving forward. I challenge you to spend your efforts and budget wisely on the latest 'compliant-ready' products and spend more on the security controls you already have at your disposal.

Focus on the areas that need the most attention (likely the corralling of stray information and improper file permissions) and then create a good plan, show that progress is being made and drill down over time. This will show that your organization is doing the right thing, keep employees on the up and up and help executives stay out of trouble. These are payoffs you can't refuse.

For more information:

Storage vulnerabilities you can't afford to miss

Rate this Tip To rate tips, you must be a member of SearchStorage.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Data storage management,   Data Storage Management,   Data storage compliance and archiving,   Data storage compliance,   Data Storage Basics,   Data storage management,   Secure data storage,   Data Protection,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Data storage management Optimizing enterprise data storage capacity and performance to reduce your data footprint Is data deduplication right for your primary storage infrastructure? Fail-in-place systems: Avoiding hard disk drive failures Data storage resources needed to implement a virtual desktop infrastructure Storage encryption essentials Addressing storage performance bottlenecks in enterprise data storage Data archiving: Three key elements Archiving data to cloud storage: How to choose the right cloud storage provider How to buy a blade server Tips for an effective data deduplication implementation Data storage compliance and archiving Dexrex Gear offers cloud instant messaging and social media data archiving EMC lays out data archiving and eDiscovery plans Storage Decisions: Pros and cons of cloud storage technology Storage Decisions: Storage managers must explain retention, email archiving and compliance Choosing a storage system for data archiving Mimosa Systems adds case management tool to NearPoint 4.0 data archiving software Mimosa NearPoint, LiveOffice Mail Archive offer hybrid SaaS email archiving approach HP resizes its ExDS9100 scale-out NAS system; finds market broader than original Web 2.0 target New data archiving products focus on software-only delivery, cloud integration Email archiving strategies: Five best practices Data storage compliance and archiving Research Data storage compliance Are you ready for new compliance rules? Storage IQ: Compliance Data storage compliance's impact on storage product choices Understanding compliance: Beyond data protection Archiving unstructured data Choosing a compliance archiving tool RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary litigation hold  (SearchStorage.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.