Fast • Reliable • Certified • Secure • Data Recovery

Does Your Enterprise Have A Security Gap?

HDI Sacramento Chapter August 16th, 2011

Page 1

Does Your Enterprise Have A Security Gap?

HDI Sacramento Chapter August 16th, 2011

Page 2

Agenda

• What Is The Data Security Gap?
• How Can You Close That Gap?
• Questions & Answers

Page 3

All Storage Devices Fail

Page 4

I NEED MY DATA NOW!

Page 5

Main Causes of Device Failure and Data Loss

Hardware Failure Requires Professional Data Recovery

Page 6

Who Can You Trust?

Page 7

The Risk of Choosing the Wrong Recovery Vendor

Ponemon Institute Survey:

• First national study on security of data recovery operations
• 636 IT Security/IT Support professionals surveyed
• All verticals, including business and government
• Focus on third-party data recovery services
• Goal: Confirm or dispel belief that confidential and sensitive data may be at risk when in the possession of a disreputable third-party data recovery service provider.

Page 8

Myth Buster: “We never send data out for recovery!”

Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

Page 9

Surprise Factor: Loss of Sensitive Data Drives Vendor Engagements

Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

Page 10

Known Factor: Data Recovery Vendors Selected by IT Support

Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

Page 11

Risk Factor: IT Security Not Involved In Selection Process

Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

Page 12

Data Recovery Providers Could Put Your Data at Risk

83% reported a breach

19% breached at data recovery vendor

43% due to vendor’s lack of security protocols

Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

Page 13

The Smoking Gun

Page 14

Closing the Data Security Gap

Page 15

New NIST Guideline: Proper Security Vetting

NIST Special Publication (SP) 800-34 Updated language to Section 5.1.3

“Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The service provider and employees should sign non-disclosure agreements, be properly bonded, and adhere to organization-specific security policies.”

Source: Contingency Planning Guide for Federal Information Systems, Section 5.1.3: Protection of Resources

Page 16

SIG/AUP Auditing Tools

BITS/Financial Roundtable/Shared Assessments

• Standardized Information Gathering (SIG) tool (SIG.V6) updated October, 2010

Do third party vendors have access to Scoped Systems and Data? (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.)? If so, is there:

• Security review prior to engaging their services (logical, physical, other corp controls)
• Security review at least annually, on an ongoing basis
• Risk assessments or review
• Confidentiality and/or Non Disclosure Agreement requirements
• Requirement to notify of changes that might affect services rendered

Page 17

FDIC Vendor Mgt Guidelines

FDIC

• Action items discussed
• Internal memo to be distributed to FDIC Examiners
• Letter to be distributed to Financial Institutions
• Updates to FFIEC handbook

Page 18

Risk Points During Data Recovery

• Negligent or unethical data recovery technicians
• Unprotected networks housing restored data files
• Lost or compromised data during transit
• Switch-up of client data
• Improper disposal of unwanted storage devices
• Recovered data returned with viruses or malware

Page 19

Vet Your Data Recovery Vendors

Page 20

Checklist for Vetting Data Recovery Vendors

Demand Proof:

• Proof of internal information technology controls and data security safeguards, such as SAS 70 Type II audit reports
• Certification by leading encryption software companies
• Proof of chain-of-custody protocols and certified secure network
• Vetting and background checks of all employees
• Secure and permanent data destruction when required
• Use of encryption for data files in transit
• Proof of a certified ISO-5 (Class 100) Cleanroom

Source: The Ponemon Institute Study: “Security of Data Recovery Operations”

Page 21

DriveSavers Best Practices

• Technology
• Certifications
• Protocols

Page 22

We Can Save It!

Page 23

Choose Your Service Option

Page 24

Live 24/7 Support

Page 25

Approved GSA Contractor - #GS-35F-0121S

• Annual SAS 70 II Security Audits
• High Security Service Available
• Certified to recover encrypted data
• DOD-approved data erasure process

Page 26

Recap

• Data loss does occur
• Data recovery companies are used often
• Critical data is at risk of breach
• You can close the security gap
• Vet the security protocols of data recovery service providers

Page 27

Q & A

Page 28

Michael Hall, [email protected]

415.382.8000 ext 126

Rob Matheson

Corporate Account [email protected]

415.382.8000 ext 136

Thank you