By Michael Hall, Chief Information Security Officer
Robust risk management is a must in today’s challenging environment of mounting digital attacks on vital company assets and the regulated data they are entrusted to protect. Most organizations have a dynamic layered security practice, which incorporates multiple security controls to protect this sensitive data. The reputational and financial consequences of lost or corrupted data require it. This white paper addresses an often undetected or unattended internal and contractual risk, data recovery, that appears to be an exception in an otherwise strong layered security practice.
If a storage device fails, resulting in lost or corrupted digital data, few organizations have the internal resources to recover that data, especially in the case of physical damage or electromechanical failure. The device must be sent to a third-party data recovery vendor. Company-owned devices often hold security-sensitive electronically stored information (ESI), including critical intellectual property (IP), financial databases, accounting files, e-mail exchanges, customer records, payment card data (PCI), PII and PHI. Most of the data recovery industry does not meet best-practice standards for protecting that data through cybersecurity controls; therefore, data recovery service providers must be classified as high-risk vendors. If an organization does not perform due diligence before engaging the services of a data recovery vendor, it runs the risk of a data breach that will result in major financial and reputational damage.
When C-level executives and board members have not properly planned for this exception, IT personnel are left on their own to make decisions on how to resolve the problem. Without specific protocols in place to handle the data loss scenario, IT personnel may not be aware of the high-risk issue associated with this process, or understand the critical impact of the data leaving the layered security of the corporate facility and potentially becoming subjected to negligence, fraud or abuse. Such an action could easily cost an organization millions of dollars in fines.
The good news is that changes to internal policies and procedures, combined with contractual changes with third-party businesses handling an organization’s data, will mitigate the risk posed by this exception that has been allowed to fall outside of otherwise robust layered cybersecurity protections:
- Vetting a data recovery vendor should be mentioned in the organization’s business continuity plan, disaster recovery plan or incident response plan.
- Organizations should have policies and guidelines in place for selecting a data recovery service provider.
- The most important practices to include in the policy are presented as a vetting checklist later in this report.
In addition, organizations need to address potential new threats to the security of data during the data recovery process. This includes making sure that if a cloud service provider uses a data recovery service provider, it should be required to notify the organization. While the need to recover data may be time sensitive, it is important that every effort is made to ensure that the organization’s confidential and sensitive data is protected during the recovery process.
This paper provides a roadmap for mitigating the potential risk of using third-party data recovery providers. The solution to this high-impact risk requires policy and procedural changes only and is low in cost. It ensures that the confidentiality, integrity and availability of the organization’s sensitive information are maintained during the data recovery process.
2016–2017 Data Breach Statistics
Data breaches may originate from malicious attacks, ranging from data-stealing malware to social engineering, system glitches or simple human negligence. A data breach can occur through internal security flaws, through a third-party vendor or through a supply chain vendor.
In a June 2017 study, the Ponemon Institute interviewed 63 U.S. organizations who had experienced a data breach within the previous 12 months. More than half of these data breaches were caused by malicious or criminal attacks, both by hackers and criminal insiders.
According to the Ponemon Institute, the average cost of a data breach in the United States during this period of time was $225 per record, averaging $7.35 million total organizational cost per breach. These costs were even higher for healthcare and financial institutions. In addition, the more records that were lost, the higher the cost of the data breach.
Costs associated with a data breach, which should be considered when developing a cybersecurity plan, include the following:
- The unexpected and unplanned loss of customers following a data breach. Programs that preserve customer trust and loyalty in advance of the breach will help reduce the number of lost business/customers.
- Diminished acquisition of new customers due to negative publicity and deteriorated company reputation.
- The size of the breach or the number of records lost or stolen. It makes sense that the more records lost, the higher the cost of data breach.
- The time it takes to identify and contain a data breach. The faster the data breach can be identified and contained, the lower the costs. Disruptive technologies, access to cloud-based applications and data as well as the use of mobile devices (including BYOD and mobile apps) increase the complexity of dealing with IT security risks and data breaches.
- The detection and escalation of the data breach incident. Detection and escalation costs include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.
- Post data breach costs, including the cost to notify victims. These costs include help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions, including fines associated with data security compliance inefficiencies.
Security Standards and Protocols for Data Recovery
Governments around the globe are demanding that organizations monitor and take responsibility for the security of regulated data and the actions of their third-party vendors handling that data. Examples of published standards, best practices, reasonable practices and regulations include SOX, GLBA, PCI DSS, HIPAA, FERPA and state PII breach-notification laws, together with guidance and directives from the FDIC and FFIEC and the requirements of the FCPA.
However, only a few specifically deal with data recovery vendors. Two examples are listed here: the first from the National Institute of Standards and Technology (NIST) and the second from the Shared Assessments Program.
NIST SP 800-34 Rev. 1, Section 5.1.3, paragraph 5 reads as follows:
“Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The service provider and employees should sign non-disclosure agreements, be properly bonded, and adhere to organization-specific security policies.”
Shared Assessments Program, Standardized Information Gathering (SIG) questionnaire, Version 6, Section G (Communications and Operations Management) reads as follows:
G.4 Do third-party vendors (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.) have access to scoped systems and data? If so, is there:
G.4.1 security review prior to engaging in their services (logical, physical, other corporate controls);
G.4.2 security review at least annually, on an ongoing basis;
G.4.3 risk assessment or review;
G.4.4 confidentiality and/or Non-Disclosure Agreement requirements; and
G.4.5 requirement to notify of changes that might affect services rendered?
SSAE 18 SOC 2 Type II
An audit under the Statement on Standards for Attestation Engagements (SSAE) that produces a Service Organization Control (SOC) report provides independent evidence that the controls a service provider claims over its facility and network are in place and operating as described, and therefore that personal and confidential data are protected from compromise to the extent those controls are designed to do so.
Certified, control-oriented professionals, who have experience in accounting, auditing and information security, conduct an audit of a service provider’s data hosting control objectives, activities and related processes measured over a period of time (typically 6-12 months). The audit focuses on identifying and validating control standards that are deemed most critical to existing and prospective clients of the service provider, and it covers all aspects of security in the facility; both network and physical.
Since the introduction of the 2002 Sarbanes-Oxley Act (Section 404) following the Enron debacle, the SSAE SOC audit has become the corporate industry standard for evaluating a service organization’s overall control structure. A SOC Type I audit verifies the description and design of the controls and safeguards that a service organization claims to have in place at a point in time. A SOC Type II audit goes further and verifies, over a review period, that all data hosting controls and objectives are actually in place, suitably designed, enforced and operating effectively to achieve the stated security control objectives.
The American Institute of Certified Public Accountants (AICPA) recently updated the attestation standards under which SOC 1 and SOC 2 reports are issued. For reports dated on or after May 1, 2017, service organizations must be examined under Statement on Standards for Attestation Engagements (SSAE) No. 18, otherwise known as SSAE 18, rather than the previous standard, SSAE 16.
The new standard is meant to converge the varying attestation standards that previously existed and to align U.S. standards with their international counterparts. New requirements under SSAE 18 include a regular risk assessment by the service organization and monitoring and reporting of the controls at the third-party (subservice) organizations it relies on.
| SSAE 16 | SSAE 18 | SOC Type I | SOC Type II |
|---|---|---|---|
| Previous standard; did not require the service organization to assess its own risk or to consider the security of third-party services it uses | Current standard; requires a regular risk assessment and detailed reporting on the security practices of third-party services used by the company | Review of company documentation; verifies the description and design of security controls at a point in time | Review of the security controls actually in operation over a review period, including physical on-site review of security protocols |
General Data Protection Regulation (GDPR) for the European Union (EU)
Organizations based in the EU that handle data from customers are preparing to comply with a new General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. The regulation is designed to ensure the security and confidentiality of personal data.
The GDPR not only applies to organizations located within the EU but will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
According to the GDPR, organizations must:
- Only process data for authorized purposes
- Ensure data accuracy and integrity
- Minimize the personal data collected and the exposure of data subjects’ identities (data minimization and pseudonymization)
- Implement data security measures
Points to Consider:
Before engaging the services of a third-party data recovery vendor, organizations must improve their due diligence in order to mitigate the risk of a data breach. Here are some questions to consider:
- How does your organization measure the security, reliability and expertise of third-party data recovery services?
- With respect to the protection of sensitive or confidential data during data recovery, how would you rate your company’s vetting process for selecting a secure third-party data recovery service provider?
- Does your organization conduct a risk assessment of third-party data recovery services before selecting them?
Data recovery service providers still play a large role in the organization’s information life cycle, as the number and complexity of devices increase to facilitate the flow of information. Board members and C-level executives, in conjunction with senior IT directors, must work together to close the policy and security gap posed by the organization’s need to engage third-party data recovery service providers. The policy must address the internal guidelines and procedures first and then push them down through contractual modifications to all third-party vendors who handle the corporation’s sensitive data.
DriveSavers is the worldwide leader in data recovery, with a solid reputation built on outstanding customer service, consistently high success rates, and the fastest Standard Service turnaround time in the business.
For over 30 years, DriveSavers has performed data recovery on every kind of storage device including hard disk drives (HDDs), solid-state drives (SSDs), smartphones (iPhone and Android), tablets, USB flash drives, camera cards and enterprise-level devices such as RAID arrays.
The company handles every kind of data loss situation including mechanical failure, physical, water and fire damage, data corruption, file deletions, head crashes and more.
DriveSavers conducts all HDD data recoveries inside a Certified ISO Class 5 Cleanroom that is dust-free and static-free, the most technologically advanced data recovery cleanroom in the industry. DriveSavers data recovery engineers have undergone extensive training in the leading encryption software products.
The only data recovery service provider in the world to have completed an SSAE 18 SOC 2 Type II audit, DriveSavers provides customers with the highest degree of security available in the data recovery industry today.
You can view all DriveSavers authorizations and certifications on our website, at www.drivesavers.com/proof.
About the Author
Michael Hall, CISO at DriveSavers, Inc., is in charge of data security, developing protocols to handle critical and encrypted data for corporations and government agencies. With 23 years’ experience in data recovery technology, focusing on high-end arrays, he has successfully recovered data from over 17,000 storage devices.