At Sun Microsystems, tapes are created at seven datacenters around the world. While each center manages its own data-retention processes, "they don't get to make up all their own rules," says Leslie Lambert, Sun's chief information security officer. So where do the rules, policies and procedures come from? "We have a very vigilant legal team, a privacy team, a business conduct team, internal auditors, external auditors, and an information protection law group -- all working together," she says.
Leach says keeping up with state and federal regulations on data protection and retention demands human expertise, but it's such a daunting task that he gets automated help via risk and compliance management software from Relational Security.
Myth 3: Losing a tape is primarily a security problem.
It can be a security disaster, to be sure, and it will certainly be a PR nightmare if the public finds out. But there are other equally harmful, if less dramatic, possibilities.
"I don't think so much about losing employee information [such as Social Security numbers], although that is certainly important," says Brian Lurie, IT vice president at medical products maker Stryker Corp. "What keeps me up nights is the possibility of losing a tape and then having to produce data for the FDA for a lawsuit. I worry about liability to the company from losing information that we, by law, must retain."
While the law requires that some information be kept for seven years, Stryker must retain data on customers who have Stryker products in their bodies for as long as they live, Lurie says. Although the company mirrors its disks at a remote disaster recovery center, after a certain amount of time, some data will exist only on tape transported and stored remotely by Iron Mountain.
Lurie periodically sends auditors to Iron Mountain's facility to inventory Stryker's tapes. He says regular audits are part of a three-part tape-protection program that also includes carefully crafted contracts and working with a reputable tape-storage vendor.
Experts say thefts of tapes followed by illegal usage are so rare as to be almost a nonissue. Loss of tapes through simple human error, causing processing disruptions down the line, is by far the most common problem.
Myth 4: There are no technology solutions; it's all about tight controls.
Procedures and controls that are well thought out, automated where possible and tested are the best way to limit losses from wayward tapes and laptops, experts say. But technology can be a big help.
The primary tool remains data encryption. While the technology doesn't address Lurie's concerns about lawsuits over unrecoverable data, it's nice to be able to tell lawyers, reporters and the police that the bad guys can't do much with that laptop because the hard disk is encrypted, or with those tapes because they are unreadable.
All employee desktops and laptops at ACS are required to be "whole-disk encrypted," Leach says. "Once the disk is encrypted, we monitor it and track it, and if you try to decrypt your hard drive, we know it and we notify your manager."