Pau Lo


Hardware that processes/stores data

I am trying to build a full list of hardware/physical equipment that may store or process corporate data at one time or another. Can you assist?

Obvious ones are hard drives out of workstations and hard drives out of corporate servers. Backup tapes are another. Please can you assist with other types of hardware or physical equipment above and beyond these where data may reside or have been processed.

I know it is "corporate specific" but some examples to eliminate would help.
ASKER CERTIFIED SOLUTION
Richard Cole
This solution is only available to members.
Pau Lo

ASKER

Are there any other forms of backup media other than tape where data may reside?

Yes, printer drives are a good one.
Backups can be made to WORM drives (CD or DVD), normal CDs/DVDs/Blu-ray discs or HDD clusters often contained within a server of some sort - either a NAS type drive or a proper storage array.
A lot will depend on how long you need to keep the data, if you will need to restore from it often, and where it needs to be kept, i.e. off site in secure storage.

From my experience most companies still use Tape for audit backups, with a move to HDD for ready access backups.

As pma111 stated above, some companies will simply pipe their backup data to a 3rd party backup provider using FTP.

If your concern is what physical media can hold data then see my comment above.

A lot will depend on how locked down your systems are. It's very easy now for people to use a smartphone to hold documentation, or be used as a flash drive - either plugged in via USB or connected to wirelessly via Bluetooth or WiFi.
In addition to what tricky98 mentioned, take care of printers; they also have huge storage capabilities, e.g. big corporate printers have up to gigabytes of hard drive storage inside, RAM etc.
Pau Lo

ASKER

Do you keep inventories of stuff like external USBs?

So you can ensure they were wiped when they reached end of lifecycle?

My concern is PCs are normally inventoried, but not so much other stuff. So if auditors come in - how can you prove all external HDDs or USBs were wiped?

Also - aside from disposal - i.e. PC is dead - send it for recycling - what other reasons could there be for media to be sent to 3rd parties?

That's our issue - keeping a hold on what media and what data goes where. And checking the "where" for their media wiping practices.
Pau Lo

ASKER

Is it common for companies to do a risk assessment before sending your data / hardware to a 3rd party for whatever, i.e. recycling, wiping, processing, troubleshooting? Or a BIA?
Companies should perform risk assessments on data, and who has access to it.

You need to have policies in place to say what can and can't be put onto removable media.

You may need to configure your PCs to restrict access to USB/CD writers.

You can consider encrypting any data put onto removable media.

If the data is very sensitive, perhaps the PC's HDDs should be encrypted - or just laptop drives.

Lots of companies fail to control this correctly, but it will become/has become more of an issue.

People will lose USB sticks, CDs and laptops - therefore what impact would it have if someone else found it?

We work with companies who use Becrypt (http://www.becrypt.com) to perform all of the encryption and enforce policies.
We also work with companies who use the standard HP encryption.

Another encryption tool is TrueCrypt (http://www.truecrypt.org/) which is an open-source tool.

Pau Lo

ASKER

tricky -

>>Companies should perform risk assessments on data, and who has access to it.

Have you a standard template for this?
I don't have a template, but there are some free guides available to help:

Microsoft's Security Risk Management Guide:
http://technet.microsoft.com/en-us/library/cc163143.aspx

It looks like you're in the US, so:

NIST:
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
US-CERT:
http://www.us-cert.gov/control_systems/satool.html