How To

No More Lost Backup Tapes: Chain of Custody Security Measures

Sending critical backup tapes to a storage facility isn't as simple as placing a package on a truck. Here are four points to consider when you're securing the chain of custody for your backup data.

By Stacy Collett

Page 5

Data vault companies such as AmeriVault and EVault in Emeryville, Calif., can encrypt your data (with triple-DES, for example), transfer it over the Internet and store it on disk at their own facility. Proponents say electronic transfers speed backup and recovery, ensure that the data is actually saved, and make it easy to locate and retrieve.

But critics say that for most large companies, the volume of data that goes out on tape is too large for an Internet connection, and the cost of building dedicated networks is still too high. Stoddard says limiting electronic transmission to the most sensitive information could reduce costs, adding, "We've never had a data loss because somebody unencrypted the data."

That's not to say there aren't risks involved. "Ironically, you removed the whole physical security problem" and replaced it with network security issues that require encryption and secure network connections, says SunGard's Herberger. "Every solution has a downside," he notes.

Strategy no. 4: Trust no one; establish "courtesy audits"

Companies also can't rule out the possibility of an inside job, whether at their own facilities, with a courier or at a third-party storage facility.

That means physical and IT security staff need to know exactly who is handling the sensitive data once it arrives at the storage facility. "The notion that [third-party] employees are above suspicion is kind of silly," says Gary Swindon, chief information security officer at Orlando Regional Healthcare, which has 10,000-plus employees. Companies should perform due diligence on their storage facility to ensure it's doing background checks on its own people, he says.
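Knowing who handled the media at every step, as Swindon stresses, is easier to enforce when each handoff leaves a tamper-evident record that the receiving side can check against what actually arrived. The block below is an added illustration, not code from the article or from any vendor it names: the owner builds a SHA-256 manifest of the backup images, every party (owner, courier, vault) appends a custody entry signed with its own HMAC key, and the vault verifies both the media and the chain on arrival. The same manifest check applies to the electronic transfers discussed above, whether the images travel by truck or over the network. Everything here is assumed for the demo: the per-party keys (issued out of band, never shipped with the tapes), the actor names and the sample images, which stand in for backup files that are already encrypted. Note that triple-DES, mentioned above, has since been deprecated by NIST; a current deployment would encrypt with AES, which this example does not cover.

```python
"""Tamper-evident chain-of-custody record for off-site backup media.

Added example (not from the article or any vendor named in it). Assumes each
party has been issued its own HMAC key out of band; the media contents, keys
and actor names below are constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Constructed sample: stand-ins for already-encrypted backup images.
SAMPLE_MEDIA = {
    "tape-0001.img": b"constructed sample: encrypted backup image 1",
    "tape-0002.img": b"constructed sample: encrypted backup image 2",
}

# Constructed per-party keys; in practice provisioned out of band, never on the tape.
KEYS = {
    "owner:it-backup-team": b"constructed-owner-key",
    "courier:truck-17": b"constructed-courier-key",
    "vault:facility-a": b"constructed-vault-key",
}


def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(media: dict) -> dict:
    """SHA-256 of each image; the vault re-hashes what arrives and compares."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(media.items())}


def new_chain(media: dict) -> dict:
    return {"manifest": make_manifest(media), "custody": []}


def _entry_message(chain: dict, entry: dict, prior: list) -> bytes:
    """Bytes covered by an entry's MAC: the manifest, all earlier entries, the entry itself."""
    unsigned = {k: v for k, v in entry.items() if k != "mac"}
    return canonical({"manifest": chain["manifest"], "prior": prior, "entry": unsigned})


def record_handoff(chain: dict, actor: str, action: str, key: bytes) -> dict:
    """Append a custody entry. Because the MAC covers every earlier entry, editing
    or removing an earlier handoff invalidates everything signed after it."""
    entry = {"seq": len(chain["custody"]), "actor": actor, "action": action}
    msg = _entry_message(chain, entry, chain["custody"])
    entry["mac"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    chain["custody"].append(entry)
    return chain


def verify_chain(chain: dict, media: dict, keys: dict, final_action: str = "received") -> list:
    """Return a list of problems; an empty list means media and custody record check out."""
    problems = []
    manifest = chain["manifest"]
    for name, digest in manifest.items():
        if name not in media:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(media[name]).hexdigest() != digest:
            problems.append(f"altered: {name}")
    for name in media:
        if name not in manifest:
            problems.append(f"unexpected: {name}")

    custody = chain["custody"]
    for i, entry in enumerate(custody):
        key = keys.get(entry.get("actor"))
        if key is None:
            problems.append(f"unknown actor at seq {i}")
            continue
        if entry.get("seq") != i:
            problems.append(f"sequence gap at seq {i}")
        expected = hmac.new(key, _entry_message(chain, entry, custody[:i]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            problems.append(f"bad MAC at seq {i} ({entry.get('actor')})")
    # A chain with its tail cut off would still verify, so require the closing entry.
    if not custody or custody[-1].get("action") != final_action:
        problems.append(f"chain does not end with '{final_action}'")
    return problems


def demo_chain() -> dict:
    """Owner releases the tapes, courier picks up and delivers, vault receives."""
    chain = new_chain(SAMPLE_MEDIA)
    record_handoff(chain, "owner:it-backup-team", "released", KEYS["owner:it-backup-team"])
    record_handoff(chain, "courier:truck-17", "picked-up", KEYS["courier:truck-17"])
    record_handoff(chain, "courier:truck-17", "delivered", KEYS["courier:truck-17"])
    record_handoff(chain, "vault:facility-a", "received", KEYS["vault:facility-a"])
    return chain


if __name__ == "__main__":
    good = demo_chain()
    print("clean chain:", verify_chain(good, SAMPLE_MEDIA, KEYS))
    swapped = dict(SAMPLE_MEDIA, **{"tape-0002.img": b"substituted image"})
    print("swapped tape:", verify_chain(good, swapped, KEYS))
```

Two design points matter for the insider scenario the section describes. Each entry's MAC covers all earlier entries, so a courier cannot quietly delete the handoff that shows where a tape sat overnight without breaking every signature after it; and the verifier insists on a closing "received" entry from the vault, because truncating the record after the last valid entry is the one alteration a chained MAC cannot detect on its own. HMAC keeps the example self-contained; with many third parties, per-party signing keys (for example Ed25519) avoid having to share each party's secret with the verifier.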

On the contractual side, companies should also require third-party storage providers to sign a business associate agreement committing them to maintain the same level of security over the data as the customer, that is, the business hiring them to store it. For health-care institutions, HIPAA regulations require this type of agreement with third-party data handlers.

When it comes to internal departments, Swindon carries out routine "courtesy audits," a nice way of checking up on employees to make sure they are not violating security policies and know proper data-safety procedures. To cover those employees whose jobs require access to sensitive information, Swindon has deputized about 30 privacy and security liaisons at all levels of the organization, from unit nurses to food services employees, who monitor how private information is handled on a daily basis. "We give them a checklist of 10 questions" to ask the employees, Swindon says. Do they know who the security officer is and how to reach him? Are PC passwords posted on sticky notes on workers' monitors? Are papers with sensitive data in the trash? They shouldn't be.
