Solved

Company Data Storage Policy & Process

Posted on 2014-03-03
Last Modified: 2014-03-07
We are a K-12 school district and have a small data center where we store all user data. Currently we have 40,000 students and 5,000 staff saving data centrally and we are looking to control this a bit more than we currently are.

Does anyone have an example of a data storage (or something similar) policy detailing what should be stored here, who should access it, how long we will store it, what happens after a particular timeframe and so on?

We are just getting started on our data storage policy and any examples would be most appreciated.

Thank you,
Question by:salkeiz
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 380 total points
ID: 39903026
First is to ask what the objective for this storage policy is, e.g. to manage and control the data within the organisation or institution such that there is assurance in the domains of data consistency, security and resiliency. This also aims to facilitate the running of the business and ensure compliance with the state governance and policy stipulated for the institution or organisation. This is a broad scope, but it is mainly to charter the areas from which to derive and establish the clauses that direct the implementation with appropriate baseline requirements.

Second is then to understand the above by dictating the data lifecycle and making sure the policy under the scope sufficiently covers the phases in the whole lifecycle. You can check out this article as a starter @ http://www.computerweekly.com/feature/Creating-a-data-storage-policy

A good starting point for a data storage policy is how the data should be stored, ie on-line, near-line, or off-line, as effective archiving can dramatically reduce the size of daily back-ups. In general terms, data that needs to be edited or updated should be stored on-line, that is on devices that are part of the normal storage infrastructure, either directly attached storage, Storage Area Network (SAN), or Network Attached Storage (NAS).

As a guide to developing a data storage policy Butler Group has established five steps. These are:

-Establish a data storage budget
-Assess data availability requirements
-Measure security levels
-Assess legal and governmental requirements
-Implement data policy corporate-wide


Thirdly, it is not simply a "storage" policy only, as the whole data lifecycle in the data center needs to be ascertained and commensurate, based on the data classification and access control required. Below is a sample from "The University of Kansas" stating this for their data center, and they list a couple of related supporting policies to drive the whole governance for the data managed, from a guardian and consumer perspective. It may be good to check it out, as without those supporting policies it is hard to come up with a "data storage" policy. Key policies to focus on include:

-Data Classification and Handling Policy
-Data Classification and Handling Procedures Guide
-Information Access Control Policy

http://www.policy.ku.edu/IT/data-center-server-room
 
I would also like to point out their "Safeguard Information in Storage", where handling varies based on classification and sensitivity

https://policy.drupal.ku.edu/IT/data-classification-handling-procedures#7
 
LVL 63

Expert Comment

by:btan
ID: 39903051
This is another one, in PDF: Guidelines on Security and Privacy in Public Cloud Computing, which I see may offer useful considerations when reviewing the policy needed.

I know it is "out" of context, but the content in the guidelines is applicable and generally acceptable since it is general protection of data for any hosting environment, even for a DC. You can catch it below

"4.10 Summary of Recommendations" - summarizes those issues and related recommendations for organizations to follow when planning, reviewing, negotiating, or initiating a public cloud service outsourcing arrangement.

These include Governance, Compliance, Trust, Architecture, Identity and Access Management, Software Isolation, Data Protection, Availability, Incident Response. And specifically, I summarise it as stated in their guidelines to look at:

- Ownership rights over data
- Locus of organizational data within the cloud environment
- Security and privacy performance visibility
- Service availability and contingency options
- Data backup and recovery
- Incident response coordination and information sharing
- Disaster recovery.

It is good to engage other peer schools to see if the Ministry or parent agencies can lend more assistance, as coming up with policy is not an overnight and siloed effort. It needs to align to the overall organisation and parent mission and goals.

Question has a verified solution.
