Archival Media

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a client:
I have a question regarding the definition of optical disk. For record retention, our City Clerk has been told they need to keep some of their records on optical disks that cannot be changed. What would qualify for this? Would something like a DVD-R? How about our backup tapes? Thanks.
 
When selecting archival media you will need to consider the retention period and the degree of integrity needed for the data. The retention period will guide you toward media with longevity beyond the required retention period. The degree of integrity will guide you in selecting media and technology that will protect the data from modification or alteration.
 
Integrity
Integrity is about protecting the data from intentional or unintentional modification or alteration. There are a number of ways to protect the data on the media from modification or alteration. One is to select DVD-R instead of DVD-RW, because DVD-R is write-once media and DVD-RW can be written multiple times.
 
If you need to use media that can be written to multiple times, such as DVD-RW, hard disk, solid-state memory or magnetic tape, you can use a one-way hash algorithm. A one-way hash algorithm is a mathematical function that is used to determine whether the original data (file, message, etc.) has been altered in any way. If the data is altered in any way, the hash computed from it will no longer match the hash of the original.
 
Hashes tell you whether someone has modified the original data; they do not protect it from being changed. If you need to protect it, the best bet is to encrypt the data as well. I would recommend using encryption to protect the data from modification, alteration and disclosure. However, using encryption means you need to have a key management system.
 
A low-tech way to protect the integrity of data for archival purposes is to store multiple copies in different locations. If one copy has been compromised, you would be able to compare it with another copy to see if there are any differences.
 
Availability (Retention)
You also need to consider the retention time. Regular CDs and DVDs have an expected life of 10 years! Backup tapes have a shorter life expectancy if used multiple times. Tapes used weekly are typically replaced annually. Is that long enough? Your media needs to be able to last as long as, if not longer than, the life of the data.
 
If you use DVD-R media for storage, you may want to look into special DVD-R media. Multiple manufacturers, such as Memorex, Verbatim and TDK, make Archival Grade DVD-R media. They claim it will last up to 100 years.
 
If you use backup tapes, you need to purchase tapes that are used to back up and store. In other words, the tapes are not in the normal backup rotation. Backups and archives are not the same; they serve two different functions and have different requirements for the media. With backups the media is regularly reused; in archival use, the tapes would be written to once and stored. For archival purposes, you will need to purchase archival grade tapes with a 30-50 year life span.
 
Whatever media you end up using, there will also be storage requirements such as:
Temperature
Humidity
Light exposure (for optical media and possibly for magnetic media if the light source creates heat)
Magnetic exposure (for magnetic media)
 
Helpful links
Much more could be said about archiving procedures, data retention, data destruction, media handling and security requirements related to this topic. If you would like more information, check out the links below:
 
NIST Special Publication 500-252 Care and Handling of CDs and DVDs — A Guide for Librarians and Archivists:
http://www.itl.nist.gov/iad/894.05/docs/CDandDVDCareandHandlingGuide.pdf

 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
