
Managing the risk of a data breach, with digital threats to assets and proprietary data mounting, is an
ongoing battle for most businesses. The Ponemon Institute's 2014 Cost of Data Breach study put the
average total cost of a single breach for a U.S. organization at $5.9 million. Yet while most businesses
now run a layered security practice, third-party data recovery vendors routinely sit outside it: a failed
drive leaves the building, and the controls that protected the data stop at the loading dock.

A business therefore has every reason to protect itself against a breach that originates with a
third-party data recovery provider. Beyond the loss of private company and customer information,
the cost of such a breach can be devastating to any company.

DriveSavers has compiled best practices for businesses to implement for protection and to
close the security gap in the data recovery process.

1. Gap Analysis

An internal review must be conducted to determine whether a security gap exists within the
organization. A company should be able to answer the following questions:

a. When a storage system fails, is the drive sent to a data recovery vendor?
b. Is an incident report filed when it is?
c. What are the selection criteria for a data recovery vendor?
d. What is the current audit and assessment process for third-party data recovery vendors?

2. Internal and External Policy Revision

Once a security gap is identified, internal procedures should be revised accordingly, and the
business continuity, disaster recovery and incident response plans should be updated to cover
the handling of failed media. External policy must be updated as well and applied to every
third-party data recovery vendor that handles the organization's sensitive or regulated data.

3. Maintain Enforcement

Revising policy, procedure and practice to close the gap is only the first step. Companies must
also enforce their internal and external policies, through mandatory annual security reviews and
regular employee training.

4. Vet Any Incoming Third-Party Data Recovery Providers

Any vendor under consideration should be able to produce current reports from an independent
third-party security auditor that support the organization's own obligations under regulations such
as SOX and GLBA. A SOC 2 Type II report, for example, is the document most often requested for
this purpose. Note that SOC 2 is an attestation report against the AICPA Trust Services Criteria, not
a certification, and it does not by itself satisfy SOX or GLBA; what it provides is independent
evidence that the vendor's stated controls existed and operated effectively over the review period.
Read the report rather than simply confirming that one exists: check that the review period is
recent, that the systems and services in scope actually cover the facility and staff who will handle
your drives, and whether the auditor recorded any exceptions. Personnel security is one of the
control areas such a report commonly covers, including pre-employment background checks for all
staff. Data recovery, after all, gives an employee unsupervised access to raw data, which makes it
an attractive vocation for identity thieves and other criminals.

The following criteria should be used:


Cyber Warnings Magazine – September Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide