Recent regulations such as the Sarbanes-Oxley Act have
brought storage solutions to the forefront for many organizations. As such,
most businesses have discovered a new-found need for a centralized storage
solution—if they didn’t have one already.

However, many organizations make the mistake of jumping into
such an implementation out of need and neglect to perform the proper planning.
Case in point: Few companies establish a policy that addresses storage
security—and storage security is something most organizations can’t afford to

We’ve all read the news stories of organizations whose lack
of storage security policy played a roll in their downfall. Internal documents
and e-mails are often part of the evidence used to convict—or, in the rare
occasion, exonerate—officers of the company.

How do you keep your company out of the courtroom? Make sure
you create an effective storage security policy, one that addresses both data
retention and data
—and everything in-between. When crafting your storage security
policy, it’s important to consider the three major elements of any policy:
technology, processes, and people.

Find the right technology

First, your storage security policy should address the
technology your organization will use to store data. Plenty of technology is available
for secure storage solutions, and these days it’s relatively inexpensive.

Using a storage area network (SAN), you can house terabytes
of data and keep it readily available. In addition, there’s a wide variety of
encryption technologies available to make sure that data remains secure during both
storage and transport between users.

Document management systems make it easy and convenient to
archive and retrieve all of your organization’s data. And using effective
lifecycle management, you can store that data indefinitely.

However, keep in mind that the length of retention is one of
the most heavily regulated areas of records management. It’s not enough to just
define how your organization will store data—you also need to examine the
processes that govern the information you’re planning to store.

Define the necessary processes

Storage retention periods are typically the largest gray
area in any storage policy—and the biggest challenge. That’s why you need to do
your homework when creating your storage security policy.

Make sure you adequately research the laws that govern your organization,
which can help you classify documents and communications—specifically e-mail—by
their retention date. This might mean making several trips to the company’s legal
department or even hiring a lawyer that specializes in your area of business.

The important thing is to find the information you need to
develop retention classification for your data. When it comes to compliance, this
is an often overlooked or misunderstood area—and the consequences can be
devastating in the courtroom.

Once you’ve figured out how long you need to store
data, you can use that information to assess your current storage needs and
plan properly for growth. After you’ve considered the technology and the
processes, you’re still not ready to create a storage security policy—not
without considering the people who will use this policy.

Remember the people

Writing a policy without considering its effects on users is
a recipe for disaster. If you fail to address—and account for—how users accomplish
their day-to-day tasks, you can forget about expecting employees to actually
follow the policy.

A policy should never overcomplicate daily tasks by
introducing complex procedures that most people will try to bypass in order to do
their jobs. Remember: Technology and laws can change must faster than people
can adapt.

However, if your storage security policy must include changes
in the way people store and use information, then it’s paramount that you
introduce these changes through appropriate training. To help adoption, make
sure you explain why the change is necessary, and communicate how it benefits both
users and the company as a whole. Properly educating end users can help make
sure the policy becomes a daily operating procedure—and not a dusty tomb sitting
forgotten on the bookshelves.

Final thoughts

Effective storage security involves maintaining the
confidentiality, integrity, and availability of information, and your storage
security policy needs to reflect that. Don’t write a security policy in a
vacuum. Considering the available technology, the processes that govern the
policy, and the users who help implement the policy is the recipe for success.

Miss a column?

Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.

Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter
, delivered each Friday,
and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security