Data retention

Information in the form of data must be stored in digital media or in hard printed copies. Based on the requirements of the law and based on corporate policies, data needs to be retained even after its useful life. Data is also retained in media as a backup and used in business continuity and disaster recovery scenarios.

Data in media

Data security also concerns the physical protection of equipment as well as addressing security requirements pertaining to the media where the data is stored.

Storage media, such as hard disks, backup tapes, CDs, and diskettes, need additional security measures so as to ensure the security of the data they contain. Controls should ensure the prevention of data disclosure and modification by unauthorized entities.

The following controls need to be considered for media security:

  • Storage controls are the primary means to protect the data in storage media, such as hard disks, magnetic tapes, CDs, and so on. The primary consideration should be controlling access to the data, which is usually achieved with encryption keys. Additional security considerations are required when the backup media is stored offsite.
  • Maintenance is a regular process to ensure that the data in the storage media is not corrupted or damaged. Media handling procedures are used to ensure this.
  • The users and operators should be provided with the proper usage instructions to handle the media.
  • Media usage should be in accordance with the established policies and procedures.
  • Data destruction is done by way of formatting the media. One-time formatting may not completely delete all the data. Formatting the media seven times for complete data destruction is recommended by some of the standards.
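
An added illustration (not from the book) of why one-time formatting is not destruction: a constructed 64-block image file stands in for the media, `quick_format` models a format that resets only the index block, and `overwrite` performs the seven passes mentioned above. The block layout, marker value and function names are assumptions made for this example.

```python
import os
import tempfile

BLOCK = 512
MARKER = b"CONSTRUCTED-SECRET-RECORD"  # constructed sample data, not real content

def build_image(path, blocks=64):
    """Create a toy media image: block 0 is an index, the rest hold data."""
    with open(path, "wb") as f:
        f.write(b"INDEX".ljust(BLOCK, b"\x01"))
        for _ in range(blocks - 1):
            f.write(MARKER.ljust(BLOCK, b"\x02"))

def quick_format(path):
    """Model a one-time quick format: only the index block is reset."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * BLOCK)
        f.flush()
        os.fsync(f.fileno())

def overwrite(path, passes=7):
    """Overwrite every block `passes` times: random data, then a final zero pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            f.seek(0)
            last = n == passes - 1
            for off in range(0, size, BLOCK):
                chunk = min(BLOCK, size - off)
                f.write(b"\x00" * chunk if last else os.urandom(chunk))
            f.flush()
            os.fsync(f.fileno())  # push each pass to the device, not just the cache

def residual_blocks(path):
    """Count blocks that still contain the marker (what a recovery scan would find)."""
    count = 0
    with open(path, "rb") as f:
        while block := f.read(BLOCK):
            count += MARKER in block
    return count

def demo():
    """Return (marker blocks left after quick format, left after 7-pass overwrite)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "media.img")
        build_image(img)
        quick_format(img)
        after_format = residual_blocks(img)
        overwrite(img, passes=7)
        return after_format, residual_blocks(img)
```

The example works on an image file only; on real devices, remapped sectors and flash wear-levelling can hold copies that a file-level overwrite does not reach.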

Data in hardware

Theft is one of the most common threats that need to be addressed for personal computers, laptops, or media protection.

The following controls need to be considered for protection from theft:

  • Cable locks are used to physically secure PCs and laptop computers. These locks prevent the computer or laptop from being detached and taken away.
  • Port protection ensures that media devices and ports, such as CD-ROM drives, floppy drives, Universal Serial Bus (USB) devices such as memory sticks, Wireless-Fidelity (Wi-Fi) ports, printers, and scanners, are not accessible by unauthorized personnel. The purpose of port protection is to prevent the download or transfer of confidential information and/or intellectual property by unauthorized users to a portable medium.
  • Switches are used to prevent a malicious user from powering the systems on or off.
  • BIOS checks use password protection during the boot-up process so that access to the operating system is controlled.
  • Encryption is used to make the folders and files secure so that unauthorized disclosure and modification are prevented.

Data with personnel

The information people possess in their memories also needs to be controlled, and data protection measures are applicable. Operational procedures should discourage discussing confidential or personally identifiable information in public places or transmitting information through publicly accessible mediums.
