II.C.13(a)     Storage

Management should implement policies to govern the secure storage of all types of sensitive information, whether on computer systems, on physical media, or in hard-copy documents. Management can achieve secure storage with physical controls,Refer to the "Physical Security" section of this booklet. logical controls (e.g., passwords, tokens, and biometrics), and environmental controls (e.g., fire and flood protection). In addition, stored information, in any form, should be classified and inventoried so that it can be retrieved when needed. Inventories should be updated periodically to remain current.

More sensitive information, such as system documentation, application source code, and production transaction data, should have more extensive controls to guard against alteration (e.g., integrity checkers and cryptographic hashes). Management should have appropriate logging and monitoring controls over stored information to ensure authorized access and appropriate use. Periodically, the security staff, audit staff, and data owners should review access rights to ensure the access rights remain appropriate and current.

Data storage in portable devices, such as laptops, smart phones, and tablets, poses unique problems. These devices may be lost, stolen, or subject to unauthorized and undetected use. Risk mitigation typically involves data encryption, host-provided access controls, homing beacons,Homing beacons send messages to the institution when they connect to a network and enable recovery of the device. and remote deletionRemote deletion is a technology that enables the institution to remotely delete certain data from a portable device. capabilities. Management should implement appropriate controls (such as the use of a DLP program) over portable devices and the sensitive information contained on them.

Many institutions create or use a third-party cloud for storage. Cloud storageCloud storage is a model of data storage in which the digital data are stored in logical pools, the physical storage spans multiple servers (and often locations), and the physical environment is typically owned and managed by a hosting company. provides unique issues and challenges. Management should understand the nature of the cloud technology being used; the physical location(s) where the data are stored and related legal jurisdiction; the access controls used and protection of the institution's data (e.g., how access is controlled and how that information is retrieved); and the frequency and method of backup used by the cloud provider. Management should verify that the cloud provider offers the capability for the institution to monitor its system activity, significant security incidents, performance and uptime, and success and failure of backups.


Previous Section
II.C.13 Control of Information
Next Section
II.C.13(b) Electronic Transmission of Information