NIST Addresses a Security Threat that Challenges Most Information Security Programs
A “sleeper risk” that could lead to compromised or stolen data, network breaches, and other security nightmares
NATIONAL HARBOR, MD – CSI CONFERENCE & EXPO 2010 (Booth 305) – October 26, 2010 – DriveSavers Data Recovery announced today that the National Institute of Standards and Technology (NIST), a federal agency within the U.S. Department of Commerce that develops and issues standards, guidelines and publications for federal agencies, has added new language to its Contingency Planning Guide for Federal Information Systems to alert federal agencies and other organizations to the security risks of using the wrong third-party data recovery vendor.
Based on the NIST recommendation, organizations and government agencies that must adhere to data security and data privacy regulations and standards, such as SOX, HIPAA, GLBA, and ISO 17799, should now apply the same recognized due diligence best practices within their Vendor Risk Management Programs to data recovery service providers as to any other third party that handles sensitive data.
Paul Reymann, CEO of ReymannGroup and one of the nation’s foremost experts in regulatory compliance and information risk management, comments, “The lack of information security protocols and practices in the vetting, selecting and use of data recovery service providers is a ‘sleeper risk’ for most information security programs. Many companies and government agencies are focused on protecting data on the inside of their organization from outside attacks. Critical data that is so carefully guarded internally is vulnerable to a data breach if third-party data recovery companies are not vetted properly. Hiring the wrong data recovery vendor could lead to compromised or stolen data, network breaches, and other material security events.”
Michael Hall, CISO of DriveSavers Data Recovery, and Paul Reymann have been asked to present this overlooked sleeper risk in detail at CSI on Friday, October 29, 2010, in General Session F-8. The session, “The New Threat to Data Security,” will discuss where the security gap occurs in the enterprise and how to protect business-critical data from this latest threat, and will recount the smoking-gun story that led NIST to change its contingency planning guidance.
NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems, Revision 1, Section 5.1.3 (Protection of Resources) states:
“Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The service provider and employees should sign non-disclosure agreements, be properly bonded, and adhere to organization-specific security policies.”
To download NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems, Revision 1, in its entirety, click here: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1.pdf
About DriveSavers Data Recovery
DriveSavers is the worldwide leader in data recovery services and provides the fastest, most reliable, and only SAS 70 Type II certified data recovery service. DriveSavers’ high-security services adhere to U.S. Government security protocols to ensure that no data is compromised during data recovery. DriveSavers maintains the most technologically advanced certified ISO 5 (Class 100) cleanroom in the industry and is authorized by all major storage device manufacturers to open drives without voiding the warranty. DriveSavers engineers are certified by leading encryption software vendors to recover encrypted data from all storage devices and all operating systems. Satisfied customers include Bank of America, Google, Lucasfilm, NASA, Harvard University, the Salvation Army and The Rolling Stones.