The ISO (International Standards Organisation) has set out a security standard for data storage.
Known as ISO/IEC 27040:2015, the ISO says it provides detailed technical guidance on how organizations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security.
The ISO defines storage security as applying to the protection (security) of information where it is stored and to the security of the information being transferred across the communication links associated with storage.
Storage security includes the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users during the lifetime of devices and media and after end of use.
The objectives for the International Standard are stated as follows:
— help draw attention to the risks;
— assist organizations in better securing their data when stored;
— provide a basis for auditing, designing, and reviewing storage security controls.
Securely storing and protecting data requires a whole lot more than a simple back up. A new International standard for data storage security ensures your valuable information stays in safe hands, the ISO stated.
An organization’s data is often its most valuable asset, and keeping it stored safely and effectively is increasingly a commercial and legal imperative. However the process of managing it can be complex, covering not only how it is stored but how to access it securely and communicate it across a wide range of media and devices.
Organizations face the challenge of implementing data protection and security measures to meet a wide range of requirements, including statutory and regulatory compliance. Too often the security associated with storage systems and infrastructure has been missed because of misconceptions and limited familiarity with the storage technology, or in the case of storage managers and administrators, a limited understanding of the inherent risks or basic security concepts. The net result of this situation is that digital assets are needlessly placed at risk of compromise due to data breaches, intentional corruption, being held hostage, or other malicious events.
Data storage has matured in an environment where security has been a secondary concern due to its historical reliance on isolated connectivity, specialized technologies, and the physical security of data centres. Even as storage connectivity evolved to use technologies such as storage protocols over Transmission Control Protocol/Internet Protocol (TCP/IP), few users took advantage of either the inherent security mechanisms or the recommended security measures, the ISO said.
This International Standard provides guidelines for storage security in an organization, supporting in particular the requirements of an Information Security Management System (ISMS) according to ISO/IEC 27001.
This International Standard recommends the information security risk management approach as defined in ISO/IEC 27005.
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity.