Information Security Buzz: Best Security Practices for Data Recovery

Managing the risk of a data breach in today’s environment of mounting digital threats on assets and proprietary data is an ongoing battle for many businesses. The Ponemon Institute’s 2014 Cost of Data Breach study found that the average cost of an organization’s single data breach is $5.9 million. While most businesses have a dynamic, layered security practice in place, third-party data recovery vendors continue to be the exception.

There are many reasons businesses need to protect themselves from a possible data breach via third-party data recovery providers. Besides the loss of private information (both company and customer), the cost of a data breach can be devastating to any company.

DriveSavers, the leader in data recovery, eDiscovery and digital forensic solutions has compiled best practices for businesses to implement for protection and to close the security gap in the data recovery process.

1. Gap Analysis

An internal inventory must be conducted to determine if a security gap exists within an organization. A company should be able to answer the following questions:

• When a storage system fails, is the drive sent to a data recovery vendor?
• Is an incident report filed?
• What is the data recovery vendor selection criterion?
• What is the current audit and assessment process for third-party data recovery vendors?

2. Internal and External Policy Revision

Once a security gap is identified, internal procedures should be revised accordingly to include business continuity, disaster recovery and incident response plans. Additionally, updated external policies should be applied to all third-party data recovery vendors handling the organization’s sensitive or regulated data.

3. Maintain Enforcement

Revising policy, procedure and practice to mitigate the gap is the first step. However, companies must ensure enforcement of internal and external policies through mandatory annual security reviews and employee training deployment.

4. Vet Any Incoming Third-Party Data Recovery Providers

Any certified data recovery vendor should have up-to-date documents from a third-party security auditing company that comply with SOX and GLBA. An SOC II Type 2 certification, for example, satisfies these and several other regulations. In addition, the SOC II Type 2 certification requires background checks for all employees prior to employment. Data recovery, after all, is the perfect vocation for identity thieves and other criminals.
The following criterion should be used:

• Proof of internal information technology controls and data security safeguards, such as annual SOC 2 Type II audits
• Training and awareness programs for employees to ensure sensitive and confidential data is protected
• Engineers trained and certified in all leading encryption software products and platforms
• Proof of Chain of Custody documentation and certified secure network
• Vetting and background checks of all employees
• Secure and permanent data destruction when required
• Use of encryption for files in transit
• Proof of a certified ISO Class 5 Cleanroom

By implementing these four steps, companies can protect themselves against a data breach by closing the security gap in the data recovery process. With a thoroughly vetted data recovery company as part of the security protocol of a business continuity, disaster recovery and incident response plan, companies are able to act quickly and securely in the case of an unexpected data loss emergency.

Do you have any tried and true security practices your business has implemented?

About DriveSavers Data Recovery

DriveSavers Data Recovery is a worldwide leader in data recovery, eDiscovery and digital forensic services, and provides one of the fastest, most secure and reliable recovery services available. The company employs over 90 professionals and supports over 20,000 business partners. Most of its business comes from referrals and repeat customers. DriveSavers Data Recovery has earned the reputation as a trusted and respected data recovery service provider.