How to reduce risk with storage security policies

This tip outlines the importance of storage security policies and offers advice on how to make sure your storage security policies reflect real-world storage needs.

What you will learn: This tip outlines the importance of storage security policies and offers advice on how to make sure your storage security policies reflect real-world storage needs.

Most organizations have a set of policies related to information security. From acceptable usage to user provisioning to wireless networks, almost every aspect of IT is addressed. That's fine and good, but there's a problem that's leaving a lot of organizations at risk. And that is, security policies rarely address the storage environment, or if they do, they fall short of addressing real-world storage needs.

Generally, many IT pros believe that storage systems are safe and sound working in the background where they are secured from the elements. This may have been the case in the past, but in reality, back-end storage devices are being exposed more and more to those who abuse their privileges or use hacking tools to gain access. These vulnerabilities pose business risks that fall within the scope of your organization's compliance requirements.

More storage security information
Look at the big IT picture to ensure storage security 

Storage encryption: How much is enough? 

How to secure laptops in seven steps
You can look at policies as being a requirement of the laws and regulations your organization is undoubtedly up against, but there's more to it than simply letting the government and other regulatory bodies drive your business. Instead, there are several business reasons for reworking your existing storage security policies to address your storage risks. First of all, you as the storage or network administrator are more plugged in to the information security function. I feel strongly that more than one person needs to be responsible for managing security risks. By getting others involved in policy management, you'll be able to create better policies that address business needs. As a bonus, it will help take a load off your plate. You'll also gain the visibility of upper management, which is great for security buy-in and your IT/storage budget.

Knowing which policies are right for your organization requires understanding of what's at risk. This information can be gleaned from a recent information risk assessment or an audit. Once you understand where the gaps are, you'll need to decide whether you should create separate storage-related policies or simply integrate storage components within the scope of your existing policies. I recommend the latter, if possible, for several reasons. Policies themselves are difficult enough to manage, but when you have separate sets of policies that fall within the scope of IT, a lot of unnecessary work is created. There's also too little accountability and finger pointing. I frequently see policies that one person or niche group "owns," which end up being unenforceable, overlooked and forgotten. Bottom line: make sure both sets of policies are consistent in formatting, management and enforcement.

The ISO/IEC 17799:2005 standard clearly outlines what's needed when it comes to information security policies: management support, direction relative to business requirements and coverage across the organization. All other security standards and practices, such as those from NIST and SANS, recommend the same thing. Don't reinvent the wheel -- that'll turn you off policies quicker than anything. Instead, take the advice that's already been documented in these standards and apply them directly to your storage security needs.

Creating storage-specific security policies does't mean you'll have a truly secure environment. It will, however, show auditors, regulators and external consultants performing security assessments that you have taken the initiative to protect your data as business risks continue to evolve. It's not necessarily fun or sexy or exciting, but security policies addressing your storage systems need to be in place -- why not go ahead and get rolling now?

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments revolving around compliance and risk management. Kevin can be reached at kbeaver at principlelogic.com.

This was first published in August 2007

Dig deeper on Secure data storage

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSolidStateStorage

SearchVirtualStorage

SearchCloudStorage

SearchDisasterRecovery

SearchDataBackup

Close