Security Views Case Study #2 - Off-site backups are STILL live data
This breach occurred as a result of a state intern taking a backup tape home from the office, and having his car broken into (click HERE). Initially, it was thought that the tape contained private records of 64,000 state employees. However, upon further investigation they found that it had contained 370,000 Ohio citizens� personal data, including names of people with uncashed tax refund cheques and lottery winners.
What went wrong?
The state government office had a 2001 policy that said backup tapes were to be taken home each night by the network administrator. There is no word on whether or not the policy was more specific regarding the handling of the tapes as sensitive data.
So, either the policy did not identify this type of backed up data as requiring special handling for sensitive information or the policy was not being followed.
Regardless, someone in this organization was obviously considering only the Business Continuity and Disaster Recovery aspects of the backup tapes when they decided to take them off-site without proper protection.
The Bottom Line:
- Backup tapes must be identified as being sensitive media, depending on the importance of the information to the organization and the privacy of individuals or companies whose information is contained in the data.
- Policy and procedures should dictate that sensitive backup tapes must either be written as encrypted archives that can�t be deciphered by anyone else, or should always be stored and transported by an approved secure method (or both). This can include security rated brief cases and bonded couriers, as well as locked and security rated storage rooms for off-site storage.
If the policy was not clear, there are at least two issues that need to be addressed:
- Fix the policy to properly identify sensitive information, including data on backup tapes.
- Make sure everyone is aware that backed up data is still considered live data that needs protection under the policies even after it leaves the systems.
The second item is much harder to implement without top level executive support for a security program that includes training and awareness budgets. Often, an Organizational Development intervention oriented towards security will be able to locate and address areas where security procedures are not being applied as they should because people think �It isn�t really needed�, �It is counter-productive�, or �I have another way that works�.
Do you have any comments on this case study? Feel free to speak your mind.
Disclaimer: This analysis is only based on the breach information provided in the SC Magazine article, which is assumed to be accurate. It is only intended as general Security Management guidance, and to illustrate approaches that can help reduce security risks in an organization. If you would like to obtain assistance in this type of analysis for your organization, you can contact me by clicking HERE.
LonerVamp on 02 Jul 2007 at 3:07 pm #
Seems to me this is a case where they had a policy, the policy was followed (hooray!), but the policy itself was not informed or correct. Part of the cost so many managers hate to look at is the cost of keeping policies like this updated and relevent. Still, it is surprising that no one raised any objections. Actually, I take that back, I bet objections were raised because something like this is very obvious, even to junior techs and interns. I just bet no one wanted to do the research, spend the money, or bother.
I worked for a company a few years ago that was considered a start-up small company. Honestly, springing for an offsite backup service was a cost that was consistently pushed off. However, we did make sure someone took the tapes home, namely the President/CEO in that case. While this was the brunt of repeated jokes, it was still at least a step up from having nothing offsite. (And while not encrypted, at least it did require hardware that most people don’t have access to, not that that was a HUGE hurdle or anything, but every little bit of risk mgmt counts…)
While a state gov’t really has little excuse about not having the money for something like this, it *is* an issue…all the small costs of having an IT infrastructure that really takes its toll on a company’s bottomline. I still think there is going to be a slow quiet lashback by not just business, but also IT, with regards to all these little costs that just do not go away and will never be a clean gulp to swallow.
Scott on 03 Jul 2007 at 10:50 am #
@LonerVamp
Good points. Just a thought to follow up. Often, once you have a policy, management will say, “At least we have a policy, maybe not perfect; but better than nothing…” Then they count on using “contingency funds” to cover any costs related to the policy not being “quite” perfect.
With the cost of breaches now approaching $200 per affected individual (contact me for references on this data point), this is becoming too much to leave in a contingency fund. For only 1,000 individual clients (maybe the size of a small accounting firm), the costs could be $200,000 per breach. I don’t know any accountants that budget $200K for accidental losses.