The Security of Data Recovery Operations study was conducted by Ponemon Institute and sponsored by DriveSavers. This is the first national study concerning the security of data recovery operations for business and government organizations.
We surveyed 636 IT security practitioners and IT support personnel who are involved in their organization's data security or data recovery operations. According to the findings, 79 percent of these respondents report that their organizations have used, or will continue to use, a third-party data recovery service provider to recover lost data. Recovery services are most often used when data files are damaged or lost and a backup copy is not readily available.
The study reveals the uncertainty IT and IT security practitioners have about their organizations' ability to safeguard sensitive and confidential information during the data recovery process. Confidential and privacy-protected information is at risk because organizations do not have the proper security protocols in place when using third-party data recovery service providers. IT security respondents admitted they have not been involved in the selection of these vendors. Instead, the selection process has in many cases been delegated to the IT desktop or IT helpdesk manager.
Organizations can take simple and immediate steps to reduce the risk of a data breach during the recovery process. Policies and procedures should be created and enforced for the use of third parties, and they should address the safe handling of drives and devices by those third parties. The survey respondents recommended that data recovery service providers have the following protocols in place:
Proof of internal information technology controls and data security safeguards such as compliance with SAS 70 Audit Reports
Engineers trained and certified in all leading encryption software products and platforms
Proof of chain-of-custody documentation and certified secure network
Vetting and background checks of its employees
Secure and permanent destruction of data and media when required
Use of encryption for data files in transit
Certified ISO 5 (Class 100) clean room
By following these recommended security protocols, organizations can quickly gain control over a practice that is putting sensitive and confidential data at risk.
