If you handle the personal data of employees and customers in the course of your business, you have a responsibility towards them, and you must ask yourself whether you are meeting that responsibility adequately. A number of legal mandates require you to handle, store and dispose of customer data responsibly and securely, and your actions can be questioned under those mandates.
Customer data attracts hackers and fraudsters like flies to honey. Financial services regulation (the rules of the UK Financial Services Authority, FSA, for example), HIPAA, Sarbanes-Oxley and similar mandates require you to assess what data you hold and the legal risk involved in handling it. You are expected to take reasonable care to establish and secure your data repositories and to ensure that adequate controls are in place to counter the financial crime risks that may arise. Those countermeasures include physical security, governance, staff recruitment and vetting, computing systems, a defined method for disposing of data, and the compliance of any third party that handles data on your behalf.
The problem becomes harder when data is stored in a cloud backup and restore system, because the storage sits on premises you do not control. Businesses using cloud backup must ensure that the vendor has physically secured the remote data center against unauthorized access to the data servers. Alarms, CCTV, biometric access control and logging of visitors to the premises are the rudimentary measures to look for when subscribing to a cloud backup service; ask for evidence of them (an independent audit report, for example) rather than relying on the vendor's own description.
Senior managers and data administrators must assess data security risks from internal and external sources and institute policies and procedures for access to the cloud backup repository. The cloud backup software must encrypt data before transmission and keep it encrypted in storage. The encryption key must be held securely within the enterprise and must not be accessible to the cloud vendor or to unauthorized personnel within the organization: a vendor that holds, or can recover, your key can read your data, and can be breached or compelled into doing so. Well-documented and consistently applied security policies and procedures for the cloud backup system help build awareness of security requirements. Automated cloud backup systems must alert the organization to attempted breaches and to weaknesses detected in the security configuration.
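What "encrypt before transmission, key held in the enterprise" looks like in practice, as an added example in Go (this is not code from the original article or from any particular backup product): the enterprise generates the key, seals each record with AES-256-GCM before upload, and the vendor receives only the sealed envelope. The envelope layout (nonce, then ciphertext and tag), the `backupID` tag and the sample record are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewBackupKey generates a 256-bit AES key inside the enterprise. In practice
// it would live in an HSM or on-premises KMS; the point is that it never leaves
// the organization and never travels with the backup envelope.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one backup record before it is transmitted to the vendor.
// Envelope layout (an assumption of this example): nonce || ciphertext || GCM tag.
// backupID is bound as additional authenticated data, so an envelope stored
// under one backup cannot be silently substituted for another on restore.
func Seal(key, plaintext []byte, backupID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce, so the envelope is self-contained.
	return gcm.Seal(nonce, nonce, plaintext, []byte(backupID)), nil
}

// Open decrypts an envelope on restore. It fails closed: a wrong key, a
// modified byte, or a mismatched backupID all yield an error, never plaintext.
func Open(key, envelope []byte, backupID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope too short to contain nonce and tag")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(backupID))
}

// LeaksPlaintext models the vendor's view: it holds the envelope but no key.
// If the plaintext appears verbatim in what the vendor stores, encryption was skipped.
func LeaksPlaintext(envelope, plaintext []byte) bool {
	return bytes.Contains(envelope, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the example; not real customer data.
	record := []byte("customer=Jane Doe;dob=1980-01-01;account=12345678")
	env, err := Seal(key, record, "payroll-2024-06")
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor stores %d bytes; plaintext visible to vendor: %v\n", len(env), LeaksPlaintext(env, record))

	if back, err := Open(key, env, "payroll-2024-06"); err == nil && bytes.Equal(back, record) {
		fmt.Println("restore with the enterprise-held key: ok")
	}
	// A byte changed on the vendor's side (tampering or bit rot) is detected, not silently restored.
	env[len(env)-1] ^= 0x01
	if _, err := Open(key, env, "payroll-2024-06"); err != nil {
		fmt.Println("restore after tampering:", err)
	}
}
```

The design choice to note is that everything the vendor receives is the output of `Seal`; the key is created by `NewBackupKey` and used only on the enterprise side. Rotating or destroying that key is therefore an enterprise decision that also governs every copy the vendor keeps, including disaster recovery replicas.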
Finally, data identified or marked for deletion must be deleted according to a well-defined process. Deleted data should be completely erased from the vendor's active servers and from any backup servers kept for disaster recovery purposes. Since you usually cannot verify erasure on hardware you do not control, client-side encryption gives you a second lever: destroying the enterprise-held key for that data (crypto-shredding) renders every remaining copy unreadable, whichever server it survives on.
In other words, security must never be compromised if the business is to remain legally compliant.