Government regulations affect businesses of all sizes. Compliance standards such as the Sarbanes-Oxley Act (SOX), HIPAA, the Gramm-Leach-Bliley Act (GLBA) and the USA PATRIOT Act all share one requirement that matters to small and midsized businesses (SMBs): customer, employee and vendor information must be protected. Federal compliance is as complex for the SMB as it is for the large enterprise. However, if smaller businesses focus on building a secure business and technology storage environment, they will be well on their way to meeting the required standards.
Security is a multifaceted practice that requires visibility into the company's internal and external information flows, including online data storage and archives. To achieve a secure business and technical environment, companies need to start by understanding their business process flows from start to finish.
With a comprehensive understanding of how confidential information is gathered, disseminated, stored, accessed and archived, SMBs can identify the strengths and weaknesses of their data storage security. That understanding gives the business a concrete starting point for strengthening its internal security policies. The same first step also lays the foundation for a documented security policy, which the regulations require.
When securing and storing sensitive data, SMBs should look into the following internal areas:
- Implement storage security with access controls. With virtual and mobile workers, applications in the cloud and ubiquitous network access, defining and enforcing role-based access controls over stored and archived company information is critical. SMBs need to identify and document who needs electronic access to live and archived information, grant each role no more access than its work requires, and review those assignments whenever staff or responsibilities change.
- Establish physical access controls for all storage sources. Just as the firm has defined role-based electronic access to sensitive information, it also needs to control access to the physical equipment. All storage devices need to be protected from broad physical access. In addition, laptops, PDAs and smart mobile devices need security software, such as device encryption and an enforced lock screen, so that whoever picks up the device cannot read its contents. Theft of mobile devices is on the rise, and the ability to remotely lock or wipe them needs to be part of the firm's security policy.
- Develop a written storage policy for the company and enforce it. SMBs need a written storage policy that all employees are made aware of and that is actually enforced. The policy must specify the type and frequency of backups of critical files, folders and software; who is responsible for performing the backups; who is responsible for securing the backed-up data; how that data will be secured (for example, by encrypting the backup media); how long it will be retained; and how often restores are tested, since a backup that has never been restored is an assumption rather than a safeguard. The policy must also address the use of USB storage devices. Several thumb drives on the market provide AES-based encryption; IronKey, Kingston Technology Co. and SanDisk Corp. all manufacture secure USB storage devices. Listing the approved devices in the written policy, and treating everything else as prohibited, makes the rule enforceable.
- Be extra sensitive about smart phones as storage devices. Smart phones and PDAs let employees carry highly sensitive information, such as customer and vendor contact details, at their fingertips. These devices also provide a direct path back to the company's email server and network, so a lost or compromised phone exposes more than the data stored on it. Smart phones and PDAs, while supporting increased productivity, are also a security risk. At a minimum, the company's storage security policy must mandate that the devices' built-in password protection is turned on. For additional features, such as remote wiping after loss or theft, consider solutions from Bluefire Security Technologies, Credant Technologies or Trust Digital.
- Leverage your technology partners' expertise. Whether you store and secure customer and employee data in-house or through a service provider, there is no single piece of hardware or software you can install to become compliant with every regulation. Part of a service provider's responsibility is to stay current on storage solutions, emerging legislation and how changes in these areas affect their customers. Use your technology partners in an advisory capacity, and communicate your storage and security needs to them clearly; their goal is to support their customers, and stated requirements let them do that. Bear in mind, though, that outsourcing storage does not outsource accountability: the regulations still hold your firm responsible for the data.
These are a few of the areas where a company needs to pay attention to its storage security policy. Security is not a one-time implementation; it must be treated as an ongoing practice. Secure business practices improve a firm's ability to demonstrate compliance with regulations, and heightened storage security awareness can also increase customer confidence and potentially attract new business.
Martha Young is co-founder and CEO of Nova Amber LLC, a business consulting company specializing in business process virtualization. She has co-authored three books on virtual business processes: "The Case for Virtual Business Processes," "The Virtual Worker's Handbook" and "iExec Enterprise Essentials Companion Guide."