Most organizations have a set of policies related to information security. From acceptable usage to user provisioning to wireless networks, almost every aspect of IT is addressed. That's fine and good, but there's a problem that's leaving a lot of organizations at risk. And that is, security policies rarely address the storage environment, or if they do, they fall short of addressing real-world storage needs.
Generally, many IT pros believe that storage systems are safe and sound working in the background where they are secured from the elements. This may have been the case in the past, but in reality, back-end storage devices are being exposed more and more to those who abuse their privileges or use hacking tools to gain access. These vulnerabilities pose business risks that fall within the scope of your organization's compliance requirements.
Knowing which policies are right for your organization requires understanding of what's at risk. This information can be gleaned from a recent information risk assessment or an audit. Once you understand where the gaps are, you'll need to decide whether you should create separate storage-related policies or simply integrate storage components within the scope of your existing policies. I recommend the latter, if possible, for several reasons. Policies themselves are difficult enough to manage, but when you have separate sets of policies that fall within the scope of IT, a lot of unnecessary work is created. There's also too little accountability and finger pointing. I frequently see policies that one person or niche group "owns," which end up being unenforceable, overlooked and forgotten. Bottom line: make sure both sets of policies are consistent in formatting, management and enforcement.
The ISO/IEC 17799:2005 standard clearly outlines what's needed when it comes to information security policies: management support, direction relative to business requirements and coverage across the organization. All other security standards and practices, such as those from NIST and SANS, recommend the same thing. Don't reinvent the wheel -- that'll turn you off policies quicker than anything. Instead, take the advice that's already been documented in these standards and apply them directly to your storage security needs.
Creating storage-specific security policies does't mean you'll have a truly secure environment. It will, however, show auditors, regulators and external consultants performing security assessments that you have taken the initiative to protect your data as business risks continue to evolve. It's not necessarily fun or sexy or exciting, but security policies addressing your storage systems need to be in place -- why not go ahead and get rolling now?
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments revolving around compliance and risk management. Kevin can be reached at kbeaver at principlelogic.com.