Recent regulations such as the Sarbanes-Oxley Act have
brought storage solutions to the forefront for many organizations. As such,
most businesses have discovered a new-found need for a centralized storage
solution—if they didn’t have one already.

However, many organizations make the mistake of jumping into
such an implementation out of need and neglect to perform the proper planning.
Case in point: Few companies establish a policy that addresses storage
security—and storage security is something most organizations can’t afford to
ignore.

We’ve all read the news stories of organizations whose lack
of storage security policy played a role in their downfall. Internal documents
and e-mails are often part of the evidence used to convict—or, on the rare
occasion, exonerate—officers of the company.

How do you keep your company out of the courtroom? Make sure
you create an effective storage security policy, one that addresses both data
retention and data destruction—and everything in between. When crafting your storage security
policy, it’s important to consider the three major elements of any policy:
technology, processes, and people.

Find the right technology

First, your storage security policy should address the
technology your organization will use to store data. Plenty of technology is available
for secure storage solutions, and these days it’s relatively inexpensive.

Using a storage area network (SAN), you can house terabytes
of data and keep it readily available. In addition, there’s a wide variety of
encryption technologies available to make sure that data remains secure during both
storage and transport between users.

Document management systems make it easy and convenient to
archive and retrieve all of your organization’s data. And using effective
lifecycle management, you can store that data indefinitely.

However, keep in mind that the length of retention is one of
the most heavily regulated areas of records management. It’s not enough to just
define how your organization will store data—you also need to examine the
processes that govern the information you’re planning to store.

Define the necessary processes

Storage retention periods are typically the largest gray
area in any storage policy—and the biggest challenge. That’s why you need to do
your homework when creating your storage security policy.

Make sure you adequately research the laws that govern your organization,
which can help you classify documents and communications—specifically e-mail—by
their retention date. This might mean making several trips to the company’s legal
department or even hiring a lawyer who specializes in your area of business.

The important thing is to find the information you need to
develop a retention classification for your data. When it comes to compliance, this
is an often overlooked or misunderstood area—and the consequences can be
devastating in the courtroom.

Once you’ve figured out how long you need to store
data, you can use that information to assess your current storage needs and
plan properly for growth. After you’ve considered the technology and the
processes, you’re still not ready to create a storage security policy—not
without considering the people who will use this policy.

Remember the people

Writing a policy without considering its effects on users is
a recipe for disaster. If you fail to address—and account for—how users accomplish
their day-to-day tasks, you can forget about expecting employees to actually
follow the policy.

A policy should never overcomplicate daily tasks by
introducing complex procedures that most people will try to bypass in order to do
their jobs. Remember: Technology and laws can change much faster than people
can adapt.

However, if your storage security policy must include changes
in the way people store and use information, then it’s paramount that you
introduce these changes through appropriate training. To help adoption, make
sure you explain why the change is necessary, and communicate how it benefits both
users and the company as a whole. Properly educating end users can help make
sure the policy becomes a daily operating procedure—and not a dusty tome sitting
forgotten on the bookshelves.

Final thoughts

Effective storage security involves maintaining the
confidentiality, integrity, and availability of information, and your storage
security policy needs to reflect that. Don’t write a security policy in a
vacuum. Considering the available technology, the processes that govern the
policy, and the users who help implement the policy is the recipe for success.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.