How can data be protected while it is in distinct states: data-in-rest, data-in-motion, and data-in-use?
Very good question. I think when:
– data-in-motion, there should be encryption involved (VPN SSL, HTTPS, point-to-point encryption, email PGP, Office365),
– same for data-in-rest: encryption. There is software that can be used to encrypt and decrypt, which involves key management.
– for data-in-use, I think it just needs an extra layer of protection. I think about point-to-point or site-to-site VPN where data/protocols flow inside a secure channel.
In one of the forensics classes, we learned about e-discovery (a procedure involved in legal cases for preserving/reviewing/exchanging evidence in electronic form). It is also mandatory for companies. Do you think it is a form of legal archiving requirement?
And how do companies manage all this tremendous backup data?
As an IT Auditor, how would you check the efficiency of DLP systems implemented by organizations? E.g. whether the policies are efficient in detecting data leakage, or the placement of DLP systems in the enterprise architecture, etc.
Hi Akshay,
Below are some of the ways to check the efficiency of DLP systems:
1. The number of attempts and their severity would be a good metric to realize if the tool is efficient or not. It’s about looking at quantitative data, but more at the qualitative information.
2. The capability of capturing the events according to the established criteria and the response time for the Admin, which can rapidly change policies and block the transfer of specific data / files, or report incidents to the management for further measures.
3. The number of employee complaints is also a good indicator of the DLP software's efficiency.
4. The resource consumption in terms of staff involved in managing DLP policies and time spent to get familiar with the software as well as analyzing reports is important when determining the efficiency of a DLP system.
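To make the first three measures in the list concrete, here is an added example (not from the thread) that computes them from a constructed DLP incident export: attempts by severity, the admin's response time, and the share of events employees successfully contested. The record format, the 15-minute target for high-severity events and all values are assumptions.

```python
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample export (assumed format, not a real product's output):
# event id, severity, detection time, admin action time, disposition.
# "tp" = confirmed policy violation; "fp" = employee contested it and the
# admin agreed it was a false positive (the complaints metric in the post).
SAMPLE_EVENTS = """\
1001,high,2024-03-01T09:00:00,2024-03-01T09:12:00,tp
1002,low,2024-03-01T10:30:00,2024-03-01T13:30:00,fp
1003,medium,2024-03-02T08:15:00,2024-03-02T08:45:00,tp
1004,high,2024-03-02T16:00:00,2024-03-02T16:05:00,tp
1005,low,2024-03-03T11:00:00,2024-03-03T17:00:00,fp
1006,medium,2024-03-03T14:20:00,2024-03-03T15:00:00,tp
"""


def parse_events(text):
    """Parse the constructed CSV-like export into dicts with datetime fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, sev, detected, actioned, disp = line.split(",")
        events.append({
            "id": eid,
            "severity": sev,
            "detected": datetime.fromisoformat(detected),
            "actioned": datetime.fromisoformat(actioned),
            "disposition": disp,
        })
    return events


def dlp_metrics(events, high_sla_minutes=15):
    """Attempts by severity, median admin response time in minutes, the
    contested (false-positive) rate, and the share of high-severity events
    actioned within the assumed SLA."""
    by_severity = Counter(e["severity"] for e in events)
    minutes = {e["id"]: (e["actioned"] - e["detected"]).total_seconds() / 60
               for e in events}
    high = [e for e in events if e["severity"] == "high"]
    within_sla = sum(1 for e in high if minutes[e["id"]] <= high_sla_minutes)
    contested = sum(1 for e in events if e["disposition"] == "fp")
    return {
        "attempts_by_severity": dict(by_severity),
        "median_response_minutes": statistics.median(minutes.values()),
        "false_positive_rate": contested / len(events),
        "high_severity_within_sla": within_sla / len(high) if high else None,
    }


if __name__ == "__main__":
    print(dlp_metrics(parse_events(SAMPLE_EVENTS)))
```

A high contested rate with a low median response time usually points at over-broad policies rather than at the tool itself, which is the qualitative reading the post asks for.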
Hi Akshay,
Reviewing policies and procedures is essential for an IT auditor because they are fundamental documents that help auditors understand the business and they address what constitutes acceptable behavior by employees. Therefore, IT auditors should review the Data Leakage/Loss Prevention system, which may involve a combination of security policies and security tools, and verify that DLP truly supports regulatory compliance requirements. Moreover, samples of the traffic may be reviewed to demonstrate the system is working as expected.
Could you define and explain the audit testing procedure to ensure appropriate controls in backup?
Hi Numneung,
IT Auditors should ensure that appropriate backup controls are in place. For this purpose, they should determine whether critical data are backed up periodically and stored offsite in a secure location. Also, checking whether a business impact analysis has been performed on applications to establish backup systems might be beneficial. At least, IT auditors should review documentation related to the application's RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
Of the data storage policies discussed in the most recent chapter of the Corporate Computer Security textbook (e.g. restoration policies, media storage location policies, retention policies), which do you think plays the largest role during a cyber-attack? (Such as the Maersk case we covered previously)
I think a diversified strategy of all of the policies discussed is essential to prepare for any event. You need to be doing multiple types of backups on different media in different locations. You also need to have good recovery plans in place to be able to recover from each form of backup. Having a diversified strategy will allow you to prepare for a diverse range of events where you have to recover from backups.
Imran, I believe that having a good balance of every policy is obviously the best option. However, if I were to key in on one I would choose the Media storage location policy. Deciding where and how the data is stored is the first line of defense against attacks and retaining the data in the event of an attack. If Maersk were to store their backups in more locations, they may not have run into the major issues they did.
Why wouldn't you want to perform a full backup every night? What purpose does an incremental backup serve?
Hello Chris,
You have asked a very pertinent question. To understand this, we need to first understand the mechanics of backup. Depending on the size of the organization, varying quantities of data are produced and similar levels of effort are required to back them up. Also, organizations have limitations on the kind of hardware or technologies that can be used to back up data. For a full backup every day, large quantities of disk or tape capacity will be required, which might not be feasible for every organization. And secondly, every type of backup comes with its unique pros and cons. Hence, organizations consider these pros and cons before selecting which kind of backup to perform, as their primary concern is that the backup should meet their RPO requirements.
Some of the main reasons not to do full backups every night include cost, time, and resources. Incremental backups are meant to back up chunks of data throughout a time period without having to slow/stop production due to the sheer amount of data that needs to be backed up. Performing a full backup every night would eat up resources and, in most cases, would not be feasible or beneficial to most businesses.
On a smaller scale, a full backup every night will not be a big problem as there is not much data to back up. But if we are discussing a large company, having a full backup every night will be very costly, and this is where incremental backup comes in.
As an IT Auditor, what would the next steps be if it's found that an organization is not implementing the proper backup procedures?
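The trade-off the three replies describe can be put in numbers. This added example (not from the thread) models a week of nightly jobs under a full-every-night strategy and a full-plus-incrementals strategy, then reports storage consumed, the length of the nightly backup window, and how many backups a restore must chain together. The dataset size, daily change rate and throughput are assumed figures.

```python
# Assumed scenario, not taken from the discussion: a 1000 GB dataset of which
# about 50 GB changes per day, and a backup pipe that moves 200 GB per hour.
DATASET_GB = 1000
DAILY_CHANGE_GB = 50
THROUGHPUT_GB_PER_HOUR = 200


def plan_backups(days, strategy, dataset_gb=DATASET_GB, change_gb=DAILY_CHANGE_GB):
    """One job per night. 'full' copies everything every night; 'incremental'
    takes a full on night 0 and afterwards only what changed since the
    previous night."""
    jobs = []
    for day in range(days):
        if strategy == "full" or day == 0:
            jobs.append({"day": day, "kind": "full", "size_gb": dataset_gb})
        else:
            jobs.append({"day": day, "kind": "incremental", "size_gb": change_gb})
    return jobs


def total_storage_gb(jobs):
    return sum(j["size_gb"] for j in jobs)


def window_hours(job, throughput=THROUGHPUT_GB_PER_HOUR):
    """How long the job occupies the backup window at the assumed throughput."""
    return job["size_gb"] / throughput


def restore_chain(jobs, target_day):
    """Backups that must be applied, in order, to rebuild the data as of
    target_day: the latest full on or before that day plus every incremental
    taken after it. A single corrupt link breaks the whole chain, which is the
    cost side of incremental backups."""
    last_full = max(j["day"] for j in jobs
                    if j["kind"] == "full" and j["day"] <= target_day)
    return [j for j in jobs if last_full <= j["day"] <= target_day]


def compare(days):
    """Summarize both strategies over `days` nights, restoring the last night."""
    summary = {}
    for strategy in ("full", "incremental"):
        jobs = plan_backups(days, strategy)
        summary[strategy] = {
            "storage_gb": total_storage_gb(jobs),
            "typical_window_hours": window_hours(jobs[-1]),
            "restore_chain_length": len(restore_chain(jobs, days - 1)),
        }
    return summary


if __name__ == "__main__":
    for strategy, figures in compare(7).items():
        print(strategy, figures)
```

The week of incrementals uses under a fifth of the storage and a 15-minute nightly window instead of a 5-hour one, but restoring the last night needs all seven pieces instead of one.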
Hi Natalie,
An IT auditor should first check whether there is a compensating control in place before writing a finding when he or she finds missing or improper work. If there is no compensating control related to the missing or improper part of the backup system, he/she should write a finding about the issue, addressing the impact of the issue, including the impact rating, the associated standard, and a recommendation to correct the issue.
Hi Natalie,
IT auditors have to identify the root cause (people, process, or technology), the impact and risks of this issue, and recommendations to improve the controls. Establishing appropriate backup policies and procedures is the most important. There are 4 main controls to consider:
– The configuration of backup (type, frequency, backup data)
– Backup monitoring controls to ensure the data is backed up successfully
– Backup off-site control
– The data restoration is regularly tested
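Those four controls can be tested mechanically against a backup job history. This added example (not from the thread) evaluates a constructed job log and restore-test register against an assumed policy and returns one finding per failed control test; the record layout, the policy thresholds and the dates are all assumptions.

```python
from datetime import date

# Constructed backup job history (assumed layout, not a real tool's export).
# The 2024-03-04 job is deliberately absent to exercise the frequency test.
SAMPLE_JOBS = [
    {"date": date(2024, 3, 1), "kind": "full", "ok": True, "offsite": True},
    {"date": date(2024, 3, 2), "kind": "incremental", "ok": True, "offsite": True},
    {"date": date(2024, 3, 3), "kind": "incremental", "ok": False, "offsite": False},
    {"date": date(2024, 3, 5), "kind": "incremental", "ok": True, "offsite": True},
]
# Dates on which a restore from backup was actually exercised (constructed).
SAMPLE_RESTORE_TESTS = [date(2023, 6, 15)]
# Assumed policy: full plus incrementals, a job every day, restore test twice a year.
POLICY = {
    "expected_kinds": {"full", "incremental"},
    "max_gap_days": 1,
    "restore_test_max_age_days": 180,
}
AS_OF = date(2024, 3, 6)  # audit date for the sample


def audit_backups(jobs, restore_tests, policy, as_of):
    """Test the four controls from the post; an empty list means all passed."""
    findings = []
    jobs = sorted(jobs, key=lambda j: j["date"])
    # 1. Configuration: backup types and frequency match the policy.
    kinds = {j["kind"] for j in jobs}
    if kinds != policy["expected_kinds"]:
        findings.append(f"configuration: observed kinds {sorted(kinds)} differ from policy")
    for prev, cur in zip(jobs, jobs[1:]):
        gap = (cur["date"] - prev["date"]).days
        if gap > policy["max_gap_days"]:
            findings.append(f"configuration: {gap}-day gap before {cur['date']}")
    # 2. Monitoring: every scheduled job completed successfully.
    for j in jobs:
        if not j["ok"]:
            findings.append(f"monitoring: job on {j['date']} failed")
    # 3. Off-site: every successful job has a confirmed off-site copy.
    for j in jobs:
        if j["ok"] and not j["offsite"]:
            findings.append(f"off-site: job on {j['date']} has no off-site copy")
    # 4. Restore testing: the most recent test is within the policy period.
    last_test = max(restore_tests, default=None)
    if last_test is None or (as_of - last_test).days > policy["restore_test_max_age_days"]:
        findings.append("restore testing: no restore test within the policy period")
    return findings


if __name__ == "__main__":
    for finding in audit_backups(SAMPLE_JOBS, SAMPLE_RESTORE_TESTS, POLICY, AS_OF):
        print(finding)
```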
Considering the cost implications and time involved in implementing comprehensive data protection measures, how should a transnational organization decide the appropriate level of resources to deploy to securing its data?
I think this question is answered by looking back at your initial data inventory and classification. What type of data you are dealing with decides what type of controls you will need and what type of regulations you must adhere to.
Good point, Chris. Data inventory & classification is a very important factor in considering the type of data management system to apply, and the kind of resources to deploy in managing the data. Also, transnational firms look at internal policies about data storage and management (e.g. co-location centers) and review regulatory requirements in the various nations they operate in to ensure that their regulatory policies are not violated.
How will the world be able to house originals and copies (sometimes multiple) of all enterprise data that exists? It seems like we may run into storage issues.
Hello,
In regards to the issue of storage space limitation for storing enterprise data multiple times in order to create redundancy, more often than not the solution that large organizations go for is funding their own data storage facilities in places remote from their main data storage facility. While this alleviates the pressure on commercial cloud-based data storage organizations, allowing them to focus more resources on helping smaller businesses, it is an incredibly expensive endeavor.
What is the best backup option for an international bank?
Hi Percy, good question. International banks most likely have many physical locations all over the world. I would think that having one central backup or data center — while this is efficient — would not be the most secure. So, in an effort to be efficient and secure, the banks could split up their business into regions and store backups in 1 or 2 central locations within those regions. Therefore, banks will not be too far from their data, but not ALL of the data will be in one location.
Hi Percy, I think they should install backup tools to set the frequency of backup. Daily, weekly, and monthly backups should be considered. Off-site storage of backups is also considered a safeguard control to ensure that backup data are kept safe.
Do you think document restrictions can be an effective way in reducing security threats, or are they a waste of resources?
Hi Sarah Puffen,
I think document restriction is an effective method. Document restrictions can classify documents according to the level of confidentiality or the level of risk of a data breach. Perhaps document restriction alone does not reduce the threat very well, but I can effectively reduce the risk by combining document restriction with access control and domain differentiation management.
How do companies test or simulate the effectiveness of their data recovery measures?
Organizations can know how effective their data recovery measures are by performing annual/biannual restore testing from tape as part of the audit.
Firms can as well validate and verify backups without doing actual restores. Validating backups using “restore validate database” is the best way to determine if the backup is good and/or usable.
How much should the company invest in backups? How to convince a smaller company to have a good backup system?
Hi Peiran,
I think every company should establish controls for backup management. However, it depends on the budget and costs of the company. Also, the company should consider what important things require backup, such as applications and databases. For a smaller company, they might consider backup management software tools.