A recent report by the Ponemon Institute found that of the 83% of organizations that experienced a data breach within the last two years, 19% said that the breach occurred when a third-party data recovery services provider had control of a drive. Could you provide some key criteria for enterprises in the process of selecting a third-party data recovery services provider? Would you recommend not allowing third-party providers to handle certain data under any circumstances, despite the business hardships that may cause?
When selecting a third-party data recovery services provider, an enterprise should establish a set of key criteria to use in a risk assessment of the service provider and to help the organization understand the risk of a data breach.
When vetting a service provider, the elements of its business to be reviewed should include: its employees, the physical security of its facilities, the transport of the equipment to and from the service provider, its disposal process, and its overall process for monitoring its environment to detect unauthorized access. If a third-party organization has performed a SAS70 or SSAE16 attestation for the service provider, the report should be reviewed to understand if the service provider's security practices meet an enterprise's security requirements.
Using a third-party data recovery services provider does minimally heighten the risk of a data breach, but this can be managed through several proactive steps, including a risk assessment of the service provider prior to sending them devices with sensitive data. If the data in question is critical to the organization's operation, the risk is likely acceptable (that is, it's worth a minimal risk of landing in the hands of a third party if the alternative is to lose the data entirely).
In specific cases, preventing third-party service providers from handling certain data might be reasonable, but only for organizations with high security requirements. For example, if the drive or system sent out for data recovery has the enterprise's most valuable intellectual property, this might be too high a risk without additional security controls being put in place. However, the consequences of not recovering this data might adversely affect an enterprise significantly, which might make the risk tolerable. Then again, if the system has the nuclear launch codes stored on it along with the data needed for recovery, this might be an unacceptable risk.
There are other proactive risk mitigation options, such as using data encryption on the devices to protect sensitive data when sent to a service provider for data recovery, warranty service or lease terminations, to name a few. Recovering encrypted data from a damaged hard drive may be difficult, though. Implementing more protective steps, such as good backups, could also reduce the chance that equipment would ever need to be sent to a third-party data recovery services provider.
This was first published in August 2012