An independent study by the Ponemon Institute, a privacy and information management research firm, has unveiled a Data Security Checklist for vetting third-party data recovery service providers. The study, “Security of Data Recovery Operations,” conducted among IT security and IT support practitioners, is the first national study published on the security of data recovery operations for businesses and government organizations. DriveSavers is the only data recovery company worldwide that meets all the security requirements on the checklist.
Paul Reymann, CEO of Reymann Group and one of the nation’s foremost experts in regulatory compliance and information risk management, comments, “The lack of information security protocols and practices in the vetting, selecting and use of data recovery service providers is not a potential problem, it’s a real problem! The checklist is a prudent solution to help ensure data recovery vendors protect sensitive data during the data recovery process.”
For companies that already have a strong vendor risk management program, mandated vendor management practices apply to all stages of the information life-cycle. CompuCom Systems, Inc., the leading IT outsourcing specialist, and Lawrence Livermore National Laboratory (LLNL) have extremely stringent security protocols and auditing processes for their third-party vendors. DriveSavers Data Recovery has experienced firsthand and passed the stringent security protocols of CompuCom and LLNL, which include each of the requirements listed in the Data Security Checklist below.
“Lawrence Livermore National Laboratory’s data security standards are based on the National Institute of Standards and Technology’s (NIST) recommendations. We strive to ensure that our mission critical data handled by third-party vendors is protected at a level equivalent to the standards we hold for ourselves,” said Neda Gray, CISSP, Information Systems Security Officer for Operations and Business at LLNL. “We periodically require an exhaustive security assessment of our third-party vendors.”
“Data security standards are set high by CompuCom to ensure that our customers’ data is never vulnerable,” said Dave Borgese, vice president at CompuCom Systems. “We require an exhaustive security assessment of all our third-party vendors. DriveSavers is SOC 2 Type II compliant and is guarded by a ‘defense-in-depth’ network architecture which provides the level of data security we promise to our customers.”
Not all companies have this level of security protocols in place for working with third-party vendors. The Ponemon Institute’s study confirms that there is a major gap in security protocols when selecting data recovery service providers.
Here is the recommended checklist for vetting third-party data recovery service providers. A data recovery service provider should be able to demonstrate each of the following:
- Proof of internal information technology controls and data security safeguards, such as an annual SOC 2 Type II audit
- Engineers trained and certified in all leading encryption software products and platforms
- Proof of chain-of-custody documentation and certified secure network
- Vetting and background checks of its employees
- Secure and permanent data destruction when required
- Use of encryption for data files in transit
- Proof of Certified ISO Class 5 Cleanroom