|
|
|
|
Privacy and Security Regulations, and How they Impact Storage Systems
Article by - Robb Dennis Association of Storage Networking Professionals - February 18, 2005| Editor's intro:- What are the legal regulations covering the type of storage system, backup and disaster recovery and encryption mandated for companies operating in the US? This article answers those questions and is a sound starting point for anyone having the duty of care and responsibility for their corporate data. Because regulations change so quickly it's worth considering the impact of these best practises on your own organisation even if you think you are currently outside the scope of these laws. That will reduce the level of panic when they creep up on you. | ||||||||||||
| Privacy and Security Regulations, and How they Impact Storage Systems | ||||||||||||
| Several government
regulations have emerged in recent years on privacy and security issues designed
to safeguard consumer information and prevent corporate abuses. This legislation
is having a strong impact on storage system design and administration.
The laws are complex and sometimes intentionally vague to allow for new technology developments. Some of the regulations demand stiff fines and jail time for offending executives. CEOs and Board members are turning to storage managers, therefore, to secure an ever growing silo of consumer information and corporate documents. This article gives an overview of the regulations and describes the challenges facing the storage industry and storage managers. Some of the more important regulations that have gone into effect recently are:
This legislation improves health care by putting medical records online, while also protecting patient privacy. Originally enacted in 1996, the privacy regulations are in effect now, and security regulation enforcement begins in 2005. Requirements The privacy requirements concern non-disclosure of individually identifiable patient information, either by name, address, relative's names, etc. Security regulations specify the administrative standards must cover:
The need for fast response to queries in medical diagnostic and insurance can today only be met by magnetic storage rather than tape or optical disk. A disaster that destroys or corrupts all of a hospital's online records puts patients into immediate danger and could close down the business. A geographically separated, secondary synchronized data center should be considered. Data encryption at the source is probably the best way to protect the privacy of patients. Personal Information Protection and Electronic Documents Act Enacted by the Canadian government in 2000 and in full effect in 2004, this act is unique because it follows a national privacy standard: the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. The act covers personal privacy, electronic documents and electronic signatures, and applies to all personal information collected, used or disclosed in commercial activity. Courts can order offending companies to change their methods, and victims of unauthorized disclosure can sue for damages and humiliation. Requirements The organization must obtain the individual's consent before disclosing personal information to any third party. Well-planned and documented privacy policies must be known and followed within the company. The act requires "personal information shall be protected by security safeguards appropriate to the sensitivity of the information." Corresponding layers of security go up to and including data encryption at the source. Data must be retrievable on demand by customer or law enforcement, and retained only as long as required by law. Electronic documents must be stored in the original format, or at least in a format that does not change the information. (Encryption is allowed.) The retrieved information must be readable or understandable by any authorized person. The document must retain information about points of origin, destinations, dates and times. Implications Storage managers must work closely with operations managers to thoroughly understand the classes of information and must determine the appropriate levels of security and zoning criteria. Encryption on the disk is encouraged, and encryption at the source may be justified. For fast Web-based secure applications, encryption appliances might improve response time. Storage managers must work with Legal departments to determine data retention periods defined under various laws. Destroying bad disks and old equipment is also important, as the Bank of Montreal found out after old computers containing hundreds of confidential customer files went up for auction on eBay. Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) Enacted by the U.S. Federal government in 1999, this act applies to a wide range of financial, credit, insurance and many more types of money-handling institutions. It prohibits disclosing customer information to non-affiliated third-party organizations and protects the integrity of the information. The federal agencies have published the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information (12 CFR)" to assist executives in developing security standards. Requirements Company executives must: | ||||||||||||
| ||||||||||||
| Implications
Implementing all of these methods, although not necessarily required, would put a strong, safe storage system in place. Storage managers will be called upon for risk assessment and standards. California Senate Bill 1386 "1386" went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. The intent is that anyone whose personal information may have been disclosed to unauthorized persons can quickly begin taking countermeasures against identity theft, misuse of information, etc. Victims can bring civil suit for damages. Requirements The organization must disclose, in specified ways, any security breach in which an unauthorized person might have acquired unencrypted personal information. The law states "…"personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
There is no definition of the level of encryption, but this clearly implies encryption at the source. The company must have procedures to identify and contact persons affected, therefore storage managers need to be able to determine the boundaries of the compromised area. Sarbanes-Oxley Act (SOA, Sox) Enacted by the US Federal Government in 2002 in response to corporate financial scandals, this act applies to all publicly held companies in the U.S. that have more than $75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC). It covers financial reporting to the SEC, auditing practices and associated document retention. By holding CEOs and CFOs directly responsible for the accuracy of financial reports, this act has had a major effect on U.S. corporations and has already sent one executive to jail. The intent is to preserve all records of business dealings and financial audits for long enough to allow detailed investigations of questionable business activities. Requirements The company must save all documentation used to create financial reports and audits. Sarbanes-Oxley defines documentation as:
The document retention period is 7 years and recovery time is limited to a very few days following a federal request. Because of the legal importance of these documents, Write-Once-Read-Many (WORM) magnetic disk storage should be considered. Security is vital to protect against malicious use of this gold mine of company information. Implications The storage manager should meet with operations managers to determine what documents of these types exist in the company and the magnitude of the storage required, as well as to arrange for automatic collection and routing to secure storage. A document management system that precisely identifies, queries, and retrieves sets of documents is necessary to quickly respond to requests from federal agencies and to maintain operational requirements. Secure, geographically separated secondary storage on magnetic disk would provide disaster recovery while maintaining document recovery time. SEC Rule 17a The SEC has expanded Rule 17a that covers exchange member and brokerage house record keeping. Rule 17a now includes all forms of internal and external electronic communication, such as e-mails, instant messages, order tickets, approvals and more. There seems to be nothing in writing from the SEC that extends e-mail and IM retention to companies covered under Sarbanes-Oxley, but some experts advise all Sarbanes-Oxley companies to observe the electronic message requirements of Rule 17a. The major U.S. stock exchanges have established standards based on this rule. Requirements Brokerage houses have always had to quickly and accurately verify records of a large volume of trading orders. This act is explicit in the demand for "non-rewritable, non-erasable" storage of all documents. This makes WORM storage mandatory. Each document must be stored in duplicate, with time stamps and showing the origin and destination. Duplicates must be kept off-site. Data retention is for 6 years, with the first 2 years in fast storage. The company must "immediately" provide a copy of any document upon SEC request. Implications The effect is to mandate WORM magnetic disk, at least for the first 2 years, and an excellent document retrieval system. The fast retrieval time and off-site backup requirements imply a separate, synchronized storage center. If the brokerage or trading house is also covered by Sarbanes-Oxley, storage design must target the most demanding requirements of both Sarbanes-Oxley and SEC 17a. Summary We see common requirements in many of these regulations. Administrative work for developing and implementing storage standards is rising. Encryption, WORM storage, synchronized alternate storage, and indexed document retrieval are becoming standard. These laws reflect the best practices of the storage industry at the time they were drafted, and they raise the general standards of data security and integrity. The volume of information in secured storage will continue to rise. The storage manager must work more closely with operations managers to minimize the volume by eliminating redundant occurrences of personal data items on multiple forms and records. Storage managers need to continue educating themselves in the next waves of technologies to keep their companies ahead of the growing legislative demands. ...ASNP profile | ||||||||||||
| ......................................................................................................................... |
 | |||
| |||
| . | |||
| Disk sanitizers Fast Purge SSDs this way to the Petabyte SSD Milestones in Disk to Disk Backup the Solid State Disks Buyers Guide the Dangers of Removable Storage Media Data Integrity Challenges in flash SSD Design notebook SSD encryption - performance & recoverability he Impact of Compliance and Risk Management on Archival Storage Strategies | |||
| . | |||
|
| |||
| . | |||
|
