Request Information

Question: Once I've developed a digital data protection policy, how do I ensure all my employees comply with it? To what extent should the policy even rely on employee compliance - what's my alternative?

Answer: If there are opportunities to automate a process, it's in your best interest to do so. We all know you're not going to be able to do that for all processes - that's part of the challenge! For processes that are not centrally managed or automated, hold management training sessions so that everyone understands their specific role and its importance to the company. Kevin Roden is Executive Vice President and Chief Information Officer at Iron Mountain, Inc.

Question: How should my digital documents be stored? How do I choose among the possible media, locations, tracking systems and - most of all - vendors?

Answer: Take a long-term view. Go with the technologies that simplify your ability to effectively manage the records. Pick a vendor who can store, control and archive large numbers of assets safely. Most importantly, choose someone who’s going to be in the marketplace for a long time so your data doesn't simply vanish. Think carefully about “cutting edge” options - you don’t want your digital documents to end up on the 21st Century version of Betamax.

Question: How difficult is it to get data off an unencrypted tape?

Answer: Even if your tapes have been stolen, getting data off of these tapes is not easy. In order to successfully restore data from even an unencrypted tape, one would need to have the following:

• The right make and model of the tape device in which to put the tapes
• The right version of the backup software
• The right operating system to recover the information
• The precise configuration of the system including server name
• If you think about how difficult it is just to recover data on your own, the above process can be a large science project for a person without the right recipe and ingredients. This is not to say that encryption is not necessary; however, when segmenting your data, and making choices, these data recovery challenges are important to keep in mind.

Question: How can a CIO determine which digital data are most at risk for damage or exposure?

Answer: It's not about media or modality. It's about the information contained in these records, which require consistent protection (access control and recoverability) and retention (how long to keep) whether they’re digital or physical. Triage is a first step—you need to identify your high risk records. Records that contain sensitive information include personal data, customer data, intellectual property, proprietary information, trade secrets—you are dealing with records that need to be safely managed for compliance, regulatory or risk purposes.Once you've identified these records, you need to understand the risk factors. Start by focusing on these high risk records. Unfortunately, it's not a "one size fits all" strategy. Often times things like backup tape retention and transaction history inside systems are not kept in synch with record retention. This creates an inconsistency in your environment.

Question: Why are information security issues so broadly discussed today?

Answer: By law, all personal information must be safeguarded. In the event of a data loss, the individuals whose information was breached must be notified. Companies that have specific customer information such as credit card information, names, addresses or Social Security data of consumers are obligated, by law, to protect that data from inappropriate access or deletion, and in many cases, must disclose any potential inappropriate use or access.

Question: Is data encryption appropriate for all of my data?

Answer: Usually it is not appropriate for all data. There are many different kinds of business data that require different levels of classification and, therefore, protection. The important thing is to perform a security assessment to identify the data with the highest exposure risk and develop a plan for encrypting this information.

Question: Can you speak generally on the costs of tape encryption?

Answer: Typically the costs are not prohibitive. There may be server overhead as well as staffing required to support key management and protection. Generally, the cost will be small in comparison to the business risk of having personally identifiable information fall into the wrong hands.