Everyone knows that you need to make backups and test them, right? But have you considered the security issues...
of backup media after you've performed your nightly duty?
Backup media requires specialized and focused security controls. Just think about it, a single backup media can easily contain over 100G Bytes of confidential, secret, sensitive, proprietary and/or private data that can be concealed in a jacket pocket or a briefcase. While it may be difficult to near impossible for someone to swipe one of your network servers, it is merely a matter of shoplifting and concealment to walk out of your facilities with a backup media.
Backup media should first and foremost be clearly and distinctly labeled. Not just with labels defining the content stored on them but with the classification level of the data. Once labeled, it should retain that label for the lifetime of the media. Never ever re-use media from a higher classification level to store data at a lower classification level. Remember that it is nearly always possible to recover data even after it has been deleted and overwritten on magnetic storage devices and media. Media should be treated with the same -- or greater -- security precaution warranted by the classification of data it holds.
Once media is classified, it must remain under the proper security controls for its classification for the lifetime of that media. That means from the moment the media is written until it is securely destroyed. The activities and events of media should be logged: its travels/movements, storage locations and chain of possession should be written down and verified. Media should be transported securely from the onsite backup devices to the offsite secure storage location.
If you can adopt the mindset that backup media are pocket-sized portable versions of your organization's data assets, you'll be able to adequately plan and implement security controls, precautions and deterrents. If you fail to place importance on backup media management and handling, then you are effectively handing your IT infrastructure over to anyone who wants access. Secure media management should be addressed in your security policy and the exact procedures to perform should be defined in your standards, guidelines and procedures documentation.
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.