SAN DIEGO, Calif.—Iron Mountain, which opened for business in 1951 and knows a few things about how to secure paper and digital documents, came up Jan. 28 with some workable basic rules about how enterprises and individuals can do just that: maintain personal data security and privacy of data and documents.
Data Privacy Day, an international event created two years ago (and held every year on Jan. 28 in the United States), aims to bring awareness to the need for solutions to issues involving the Internet of things and data protection, security and privacy. The rules were among a number of working documents discussed at a roundtable at the CyberTECH Data Privacy Day 2015 event, held at the San Diego Gas & Electric Innovation Center here.
eWEEK will publish a separate story later today on highlights from the San Diego event. San Diego, with its increasing number of cyber-security-related companies and startups, ranks with Maryland and the Washington, D.C., region; Atlanta (with Georgia Tech University); and San Antonio, Texas, as the hottest areas for cybertech security research and product development in the United States.
It isn't surprising that Iron Mountain's 2014 Data Protection Predictors survey reveals that data loss is IT leaders' primary concern. Adding to these concerns is the fact that the amount of data and devices they manage continues to soar—and this data lives in multiple formats throughout an enterprise.
Here are five steps Iron Mountain suggests that enterprises and consumers can use to improve a security plan:
Step 1: Learn where your data lives. A security administrator cannot complete a security plan until he or she knows exactly what is being protected and where it's stored. Most businesses store data on multiple media types: local disks, disk-based backup systems, offsite on tape and in the cloud. Each technology and format requires its own type of protection.
Step 2: Implement a "need-to-know" policy. To minimize the risk of human error (or curiosity), create policies that limit access to particular data sets. Designate access based on airtight job descriptions. Also be sure to automate access-log entries so no one who's had access to a particular data set goes undetected.
Step 3: Beef up your network security. A network is almost certainly protected by a firewall and antivirus software. But are those tools up-to-date and comprehensive enough to get the job done? New malware definitions are released daily, and it's up to the antivirus software to keep pace with them. The bring-your-own-device philosophy is here to stay, and an IT team must extend its security umbrella over smartphones and tablets that employees use for business purposes.
Step 4: Monitor and inform your data's lifecycle. By creating a data lifecycle management plan, security admins can ensure the secure destruction of an enterprise's old and obsolete data. As part of this process, they should:
--identify the data they must protect, and for how long;
--build a multipronged backup strategy that includes offline and offsite tape backups;
--forecast the consequences of a successful attack, then guard the vulnerabilities revealed in this exercise;
--take paper files into account, since they can also be stolen;
--inventory all hardware that could possibly house old data and securely dispose of copiers, outdated voicemail systems and even old fax machines.
Step 5: Educate everyone. Data security is ultimately about people. Every employee must understand the risks and ramifications of data breaches and know how to prevent them, especially as social engineering attacks increase.
Talk with employees about vulnerabilities, such as cleverly disguised malware Web links in unsolicited email messages. Encourage them to speak up if their computers start functioning oddly. Build a security culture in which everyone understands the critical value of your business data and the need for its protection, Iron Mountain said.