Federal and state government regulations can be a big problem for today's organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow. These are in addition to industry-specific mandates. They are all designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. So, what are the consequences if your organization fails to comply? Heavy fines and legal action. In short, it's serious.
Today, more than ever, companies are confronted with a broad array of electronic document issues, including data retention policies and e-discovery during litigation. Failing to comply with rules regarding such electronic data can cost millions of dollars.
For instance in one case, the SEC alleged that defendant failed to produce tens of thousands of emails sought by the SEC in two investigations. The court entered an 8-page consent judgment against defendant. Three of the major points in the judgment were:
Defendant was ordered to pay $15,000,000
Defendant was permanently enjoined from violating Section 17(b) of the Securities Exchange Act of 1934 (requiring a prompt document production, including electronic documents); and
For one year, Defendant, at its own cost, was ordered to hire an independent consultant (acceptable to the SEC) to review and evaluate defendant's policies, procedures, and training in order to comply with the judgment. The independent consultant could make recommendations which must be adopted by Defendant.
Whether it is government agencies, research facilities, banking institutions, credit card processing companies, hospitals or your company's computers - the risk of compromising private information is very high -- especially when when conducting a disaster recovery tests. Since business relies so heavily on technology today, business risk becomes technology dependent. The possibility of litigation is part of business. It has always been a risk of doing business, but because technology and today's business are so intertwined, business risk has a higher threat level. This has prompted many to encrypt workstations and mobile computers in order to protect critical business data
If you have rolled out encryption, how do you maintain your IT service quality when the hard disk drive fails? How do you plan and prepare for a data loss when the user's computer is encrypted? These are all issues that should be considered when putting together a data disaster plan. In addition, data recovery, one of the more common missing elements of a disaster recovery plan, should also be factored in because it can serve as the last ditch solution when all other options have been exhausted.
Data Recovery and Encryption
Business continuity and disaster planning are critical for businesses regardless of their size. Most archive and backup software have key features to restore user files, database stores and point in time snap-shots of users files. Software is becoming more automated so users don't have to manually backup their files. Some computer manufacturers have built-in backup systems that include dedicated hard disk drives for archive storage. Most external USB hard disk drives have some sort of third party software that provides data archiving during a trial time period. Such solutions, while solving the data backup need, create questions regarding how effective the systems are with respect to user data. What are your options when a user's computer has a data disaster and the hard disk drive is fully encrypted?
Most IT security policies require a multi-pronged approach to data security. For example, when setting up a new computer for a user, the IT department will require a BIOS (Basic Input/Output System) password for the system before the computer will start. BIOS password security varies in functionality. Some are computer system specific, meaning that the computer will not start without the proper password. Other BIOS passwords are hard disk drive specific, meaning that the hard drive will not be accessible without the proper password. Some computer BIOS employ one password for access control to the system and the hard disk drive. To add a second level of protection, new IT security policies require full hard disk drive encryption. The most common of full hard disk encryption software operates as a memory resident program. When the computer starts up, the encryption software is loaded before the operating system starts and a pass-phrase or password prompt is required. After a successful login from the user, the software decrypts the hard disk drive sectors in memory, as they are needed. The process is reversed when writing to the hard disk drive. This leaves the hard disk drive in a constant state of encryption. The operating system and program applications function normally, without having to be aware of any encryption software.