Privacy and Security Regulations, and How they Impact Storage Systems

February 18, 2005
Article by - Robb Dennis Association of Storage Networking Professionals
Editor's intro:-
What legal regulations govern the type of storage system, the backup and disaster recovery arrangements, and the encryption mandated for companies operating in the US? This article answers those questions and is a sound starting point for anyone who has the duty of care and responsibility for their corporate data. Because regulations change so quickly, it's worth considering the impact of these best practices on your own organisation even if you think you are currently outside the scope of these laws. That will reduce the level of panic when they creep up on you.

Several government regulations have emerged in recent years on privacy and security issues designed to safeguard consumer information and prevent corporate abuses. This legislation is having a strong impact on storage system design and administration.

The laws are complex and sometimes intentionally vague to allow for new technology developments. Some of the regulations demand stiff fines and jail time for offending executives. CEOs and Board members are turning to storage managers, therefore, to secure an ever growing silo of consumer information and corporate documents. This article gives an overview of the regulations and describes the challenges facing the storage industry and storage managers.

Some of the more important regulations that have gone into effect recently are:
  • Health Information Portability and Accountability Act (HIPAA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Gramm-Leach-Bliley Act (GLBA)
  • California Senate Bill 1386
  • Sarbanes-Oxley Act (SBA)
  • SEC Rule 17a
Health Information Portability and Accountability Act (HIPAA)

This legislation improves health care by putting medical records online, while also protecting patient privacy. Originally enacted in 1996, the privacy regulations are in effect now, and security regulation enforcement begins in 2005.

Requirements

The privacy requirements concern non-disclosure of individually identifiable patient information, whether by name, address, relatives' names, etc. The security regulations specify that the administrative standards must cover:
  • Individual user authentication
  • Access controls
  • Audit trails
  • Physical security and disaster recovery
  • Protection of remote access points (for example, every PC in the hospital)
  • Secure external electronic communications
  • Software discipline
  • System assessment
Medical emergencies demand fast response to online queries. The law does not specify the storage technology but makes it clear that organizations of all sizes must do whatever it takes to secure private information. Although data encryption was in the proposed security regulations, it was dropped from the final version. Hospitals must store patients' medical records from birth to age 21, and can then reduce the data retention to 5 years. The complete data retention requirements are:
  • Medical Records
    • Child records - birth to 21 years of age
    • Adult records - 5 years, continuing until 2 years after death
  • Records of information disclosures - 6 years
  • Compliance standards, implementations, policies, procedures - 6 years
Implications

The need for fast response to queries in medical diagnostics and insurance can today only be met by magnetic disk storage rather than tape or optical disk. A disaster that destroys or corrupts all of a hospital's online records puts patients in immediate danger and could close down the business. A geographically separated, secondary synchronized data center should be considered. Data encryption at the source is probably the best way to protect the privacy of patients.

Personal Information Protection and Electronic Documents Act

Enacted by the Canadian government in 2000 and in full effect in 2004, this act is unique because it follows a national privacy standard: the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. The act covers personal privacy, electronic documents and electronic signatures, and applies to all personal information collected, used or disclosed in commercial activity. Courts can order offending companies to change their methods, and victims of unauthorized disclosure can sue for damages and humiliation.

Requirements

The organization must obtain the individual's consent before disclosing personal information to any third party. Well-planned and documented privacy policies must be known and followed within the company. The act requires "personal information shall be protected by security safeguards appropriate to the sensitivity of the information." Corresponding layers of security go up to and including data encryption at the source. Data must be retrievable on demand by customer or law enforcement, and retained only as long as required by law.

Electronic documents must be stored in the original format, or at least in a format that does not change the information. (Encryption is allowed.) The retrieved information must be readable or understandable by any authorized person. The document must retain information about points of origin, destinations, dates and times.

Implications

Storage managers must work closely with operations managers to thoroughly understand the classes of information and must determine the appropriate levels of security and zoning criteria. Encryption on the disk is encouraged, and encryption at the source may be justified. For fast Web-based secure applications, encryption appliances might improve response time. Storage managers must work with Legal departments to determine data retention periods defined under various laws. Destroying bad disks and old equipment is also important, as the Bank of Montreal found out after old computers containing hundreds of confidential customer files went up for auction on eBay.

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

Enacted by the U.S. Federal government in 1999, this act applies to a wide range of financial, credit, insurance and many more types of money-handling institutions. It prohibits disclosing customer information to non-affiliated third-party organizations and protects the integrity of the information. The federal agencies have published the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information (12 CFR)" to assist executives in developing security standards.

Requirements

Company executives must:
  1. Participate in company-wide risk assessment
  2. Manage risk, including implementing some or all of the following, as appropriate to the particular institution. The law recognizes that not all may apply in every case.
    • Data access controls
    • Physical access controls
    • Encryption while in transit on networks or at rest in storage, or both
    • Monitoring of system modifications to assure security
    • Dual control procedures (two authorized persons needed to access), segregation of duties, and employee background checks
    • Monitoring systems to detect actual or attempted attacks or intrusions into the system
    • Response procedures to be taken after an actual or attempted attack or intrusion
    • Protection against environmental hazards or technological failures
  3. Train the staff in security procedures
  4. Regularly test security systems
  5. Maintain vigilance against future methods of attack or intrusion
  6. Oversee third-party providers to assure security
Implications

Implementing all of these methods, although not necessarily required, would put a strong, safe storage system in place. Storage managers will be called upon for risk assessment and standards.

California Senate Bill 1386

"1386" went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. The intent is that anyone whose personal information may have been disclosed to unauthorized persons can quickly begin taking countermeasures against identity theft, misuse of information, etc. Victims can bring civil suit for damages.

Requirements

The organization must disclose, in specified ways, any security breach in which an unauthorized person might have acquired unencrypted personal information. The law states: "'personal information' means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  1. Social security number.
  2. Driver's license number or California Identification Card number.
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."
Implications

There is no definition of the level of encryption, but the wording clearly implies encryption at the source. The company must have procedures to identify and contact the persons affected, so storage managers need to be able to determine the boundaries of the compromised area.
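To show how the quoted definition turns into a concrete triage decision over a compromised data set, here is an added example (not from the article): it encodes the name-plus-data-element rule, the account-number-plus-secret condition, and the "either the name or the data elements are not encrypted" test, then marks which records fall inside the notification boundary. The field names, the Record layout and the sample records are constructed assumptions.

```python
# Added example, not the article's: breach triage under the SB 1386 definition quoted above; field names and sample records are constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Field:
    value: str
    encrypted: bool = False  # was this field stored encrypted?

@dataclass
class Record:
    rec_id: str
    first_name: Field | None = None  # full first name or first initial
    last_name: Field | None = None
    ssn: Field | None = None
    drivers_license: Field | None = None  # or California ID card number
    account_number: Field | None = None  # account, credit or debit card
    account_secret: Field | None = None  # required code or password

def data_elements(r: Record) -> list[tuple[str, bool]]:
    """Listed data elements present in r, as (name, encrypted) pairs."""
    elems = []
    if r.ssn:
        elems.append(("ssn", r.ssn.encrypted))
    if r.drivers_license:
        elems.append(("drivers_license", r.drivers_license.encrypted))
    # An account or card number counts only together with the code or
    # password that permits access; the pair is encrypted only if both are.
    if r.account_number and r.account_secret:
        elems.append(("account", r.account_number.encrypted and r.account_secret.encrypted))
    return elems

def requires_notice(r: Record) -> tuple[bool, str]:
    """Does r meet the quoted definition of exposed personal information?"""
    if not (r.first_name and r.last_name):
        return False, "no name: data elements alone do not qualify"
    elems = data_elements(r)
    if not elems:
        return False, "name only: no listed data element"
    name_encrypted = r.first_name.encrypted and r.last_name.encrypted
    # The combination is exposed if the name or the element is in the clear.
    exposed = [k for k, enc in elems if not (enc and name_encrypted)]
    if exposed:
        return True, "unencrypted combination: " + ", ".join(exposed)
    return False, "name and data elements both encrypted"

def triage(records: list[Record]) -> dict[str, list[str]]:
    """Split record ids into those needing notice and those not."""
    out: dict[str, list[str]] = {"notify": [], "no_notice": []}
    for r in records:
        out["notify" if requires_notice(r)[0] else "no_notice"].append(r.rec_id)
    return out

# Constructed sample dump: every name is in the clear except r3's.
SAMPLE = [
    Record("r1", Field("J"), Field("Doe"), ssn=Field("123-45-6789")),
    Record("r2", Field("Jane"), Field("Roe"), ssn=Field("enc:..", True)),
    Record("r3", Field("enc", True), Field("enc", True), ssn=Field("enc", True)),
    Record("r4", Field("Joe"), Field("Bloggs"), account_number=Field("4111")),
]
```

Note that r2 still requires notice even though its SSN is encrypted, because the name is in the clear; only r3, with both halves encrypted, falls outside the definition.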

Sarbanes-Oxley Act (SOA, Sox)

Enacted by the US Federal Government in 2002 in response to corporate financial scandals, this act applies to all publicly held companies in the U.S. that have more than $75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC). It covers financial reporting to the SEC, auditing practices and associated document retention. By holding CEOs and CFOs directly responsible for the accuracy of financial reports, this act has had a major effect on U.S. corporations and has already sent one executive to jail.

The intent is to preserve all records of business dealings and financial audits for long enough to allow detailed investigations of questionable business activities.

Requirements

The company must save all documentation used to create financial reports and audits. Sarbanes-Oxley defines documentation as:
  • "Relevant records such as workpapers
  • Documents that form the basis of an audit or review
  • Memoranda
  • Correspondence
  • Communications
  • Other documents
  • Records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review"
The law requires risk assessment, either across the entire company, or by a summation of narrower risk assessments on individual transactions and operations within the company. Storage risk assessment is part of the overall requirement.

The document retention period is 7 years and recovery time is limited to a very few days following a federal request. Because of the legal importance of these documents, Write-Once-Read-Many (WORM) magnetic disk storage should be considered. Security is vital to protect against malicious use of this gold mine of company information.

Implications

The storage manager should meet with operations managers to determine what documents of these types exist in the company and the magnitude of the storage required, as well as to arrange for automatic collection and routing to secure storage.

A document management system that precisely identifies, queries, and retrieves sets of documents is necessary to quickly respond to requests from federal agencies and to maintain operational requirements. Secure, geographically separated secondary storage on magnetic disk would provide disaster recovery while maintaining document recovery time.

SEC Rule 17a

The SEC has expanded Rule 17a that covers exchange member and brokerage house record keeping. Rule 17a now includes all forms of internal and external electronic communication, such as e-mails, instant messages, order tickets, approvals and more. There seems to be nothing in writing from the SEC that extends e-mail and IM retention to companies covered under Sarbanes-Oxley, but some experts advise all Sarbanes-Oxley companies to observe the electronic message requirements of Rule 17a. The major U.S. stock exchanges have established standards based on this rule.

Requirements

Brokerage houses have always had to quickly and accurately verify records of a large volume of trading orders. This act is explicit in the demand for "non-rewritable, non-erasable" storage of all documents. This makes WORM storage mandatory. Each document must be stored in duplicate, with time stamps and showing the origin and destination. Duplicates must be kept off-site. Data retention is for 6 years, with the first 2 years in fast storage. The company must "immediately" provide a copy of any document upon SEC request.

Implications

The effect is to mandate WORM magnetic disk, at least for the first 2 years, and an excellent document retrieval system. The fast retrieval time and off-site backup requirements imply a separate, synchronized storage center. If the brokerage or trading house is also covered by Sarbanes-Oxley, storage design must target the most demanding requirements of both Sarbanes-Oxley and SEC 17a.

Summary

We see common requirements across many of these regulations. The administrative work of developing and implementing storage standards is rising. Encryption, WORM storage, synchronized alternate storage, and indexed document retrieval are becoming standard. These laws reflect the best practices of the storage industry at the time they were drafted, and they raise the general standards of data security and integrity. The volume of information in secured storage will continue to rise. The storage manager must work more closely with operations managers to minimize that volume by eliminating redundant occurrences of personal data items on multiple forms and records. Storage managers need to continue educating themselves in the next waves of technology to keep their companies ahead of the growing legislative demands.