Archival Media
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a client:
I have a question regarding the definition of optical disk. For record retention, our City Clerk has been told they need to keep some of their records on optical disks that cannot be changed. What would qualify for this? Would something like a DVD-R? How about our backup tapes? Thanks.
 
When selecting an archive media you will need to consider the retention period and the degree of integrity needed for the data. The retention period will guide you on selecting media that has longevity beyond the required retention period. The degree of integrity will guide you in selecting media and technology that will protect the data from modification or alteration.
 
Integrity
Integrity is about protecting the data from intentional or unintentional modification or alteration. There are a number of ways to protect the data on the media from modification or alteration. One is selecting DVD-R instead of DVD-RW, because DVD-R is write-once media while DVD-RW can be written multiple times.
 
If you need to use media that can be written to multiple times, such as DVD-RW, hard disk, solid state memory or magnetic tape, you can use a one-way hash algorithm. A one-way hash algorithm is a mathematical function used to determine whether the original data (file, message, etc.) has been altered in any way. If the data is altered in any way, the recomputed hash will no longer match the hash recorded for the original.
 
Hashes will tell you if someone has modified the original data; they do not protect it from being changed. If you need to protect it, the best bet is to encrypt the data as well. I would recommend using encryption to protect the data from modification, alteration and disclosure. However, using encryption means you need to have a key management system.
 
A low-tech way to protect the integrity of data for archival purposes is to store multiple copies in different locations. If one copy has been compromised, you would be able to compare it with another copy to see if there are any differences.
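As an added example (not code from the original post), the following Python script combines the two integrity checks described above: it builds a SHA-256 manifest once when the archive set is written, then re-checks each stored copy against that manifest and reports any file that was modified, lost or added. The record names and contents are constructed samples.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, read in chunks so large archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root) to its SHA-256; store this with the archive."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_copy(root, manifest):
    """Recompute hashes for a stored copy and report files that changed, vanished or appeared."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed sample: an original set, a faithful copy and a copy with one altered record."""
    base = tempfile.mkdtemp()
    original, copy_a, copy_b = (os.path.join(base, d) for d in ("original", "copy_a", "copy_b"))
    records = {"minutes-2009-01.txt": b"Council minutes, January 2009\n",
               "resolution-42.txt": b"Resolution 42: adopted\n"}
    for d in (original, copy_a, copy_b):
        os.makedirs(d)
        for name, data in records.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
    # Simulate one record on copy_b being changed after archiving (media fault or tampering).
    with open(os.path.join(copy_b, "resolution-42.txt"), "wb") as f:
        f.write(b"Resolution 42: rejected\n")
    manifest = build_manifest(original)
    return verify_copy(copy_a, manifest), verify_copy(copy_b, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be kept on separate media (or signed) so that whoever can alter a record cannot also rewrite its recorded hash.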
 
Availability (Retention)
You also need to consider the retention time. Regular CDs and DVDs have an expected life of 10 years! Backup tapes have a shorter life expectancy if used multiple times. Tapes used weekly are typically replaced annually. Is that long enough? Your media needs to be able to last as long, if not longer than, the life of the data.
 
If you use DVD-R media for storage you may want to look into special DVD-R media. Multiple manufacturers such as Memorex, Verbatim and TDK make Archival Grade DVD-R media. They claim it will last up to 100 years.
 
If you use backup tapes you need to purchase tapes that are used only to back up and store. In other words, the tapes are not in the normal backup rotation. Backups and archives are not the same; they serve two different functions and have different requirements for the media. With backups the media is regularly reused; in archival use, the tapes would be written to once and stored. For archival purposes, you will need to purchase archival grade tapes with a 30-50 year life span.
 
Whatever media you end up using, there will also be storage requirements such as:
Temperature
Humidity
Light exposure (for optical media, and possibly for magnetic media if the light source creates heat)
Magnetic exposure (for magnetic media)
 
Helpful links
Much more could be said about archiving procedures, data retention, data destruction, media handling and security requirements related to this topic. If you would like more information, check out the links below:
 
NIST Special Publication 500-252, Care and Handling of CDs and DVDs: A Guide for Librarians and Archivists:
http://www.itl.nist.gov/iad/894.05/docs/CDandDVDCareandHandlingGuide.pdf

 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
FaceBook at work?
 
 
Here is a question from a client:
How should we address web 2.0 and social media in our Computer Terms of Use policy?
 
 
There is no doubt about it: social media has its good points and its bad points. Businesses can use it to reach their customers better. Local government can use it to better reach its citizens. Social media can be used to promote your organization and deliver the information you want to interested parties. Social media is especially good for local governments who want to promote transparency in government.
 
Social media sites can also help with productivity. I often use FaceBook and other sites for collaborative research on various topics. Most recently I used FaceBook and associated friends to do some research on privacy issues of social media sites.
 
The downside is employees may spend all day on social media sites to the neglect of their work. Social media sites are addictive, which is why they are a great medium for getting information out fast. In fact, this blog is listed on various social media sites such as blogs, FaceBook, YouTube, Twitter and LinkedIn. As a result of this addictive nature, people have found themselves spending hours on social media sites without realizing it. At work this could mean the loss of countless hours of productivity.
 
What should organizations do with this dilemma? Do they restrict all access, do they allow unlimited access and hope employees do the right thing? Maybe there is a way to strike a balance between the two extremes.
 
There are two issues to address: first, whether or not the organization will use social media as a way to communicate with interested parties, and second, whether employees will have access to such sites during work hours and on work computers.
 
Here are three ways to handle the use of social media sites for employees.
 
Option 1
The best case scenario is to have the most liberal approach possible. By that I mean a policy like the following:
 
"Employees are considered professionals and are expected to act professionally, ethically and legally. Employees will be treated as professionals. Failure to act professionally, ethically and legally will result in disciplinary action. Employees' use of such services should be incidental and not interfere with their normal job duties or deadlines."
 
This policy obviously has a lot of gray area, but it provides enough room for reasonable use and restrictions. It gives plenty of room for interpretation, and for that reason it should have a training component included with it, for example security awareness training that covers the security and privacy issues of such sites and services. You may even consider ethics training similar to that required for CPAs and other professionals.
 
Note: We use this type of management philosophy at Maze & Associates, and attorneys often advise a less flexible approach.
 
Option 2
Not all organizations can have a policy with that much latitude. The alternative is allowing limited access to social media sites in conjunction with a more defined policy. In those cases there are a number of considerations you should look for in a use policy. If you already have use policies, they should be reviewed, and you should add stipulations for the use of social media sites and services and to what extent they can be used and accessed.
 
Things to consider:
 
  1. Restrictions on posting internal organizational information or confidential information.
  2. Restrictions on cyber stalking and harassment.
  3. Employees should be required to attend training on security and privacy issues related to such sites.
  4. Definition of what is considered reasonable use and reasonable times.
  5. You may be able to track or restrict the amount of time employees use such sites with firewalls and web filtering devices. (If you track internet activity of employees remember that you need to warn them that there is no expectation of privacy for what they do on your systems.)
 
Option 3
Blocking all social media sites is another option, but not a very good one. Remember that there are legitimate uses of social media sites. Blogs such as this one provide information that can be used by staff in conjunction with their normal duties. In addition, many sites use YouTube to deliver technical training. If you block all such sites you will limit access to information staff may need to complete their tasks efficiently.
 
In addition, restricting access to such sites creates a perception that management does not trust employees to do the right thing. Remember that happy employees are more productive than unhappy ones, not to mention the stress employees feel from police-state-style controls. If you can avoid restricting all access, your organization will be better off.
 
Conclusion
Whatever path you choose to go down, don't ignore the issue. Bring it up, make a decision and implement your approach. If you ignore it, it will become a problem.
 
Remember, if you are reading this blog, you are using social media.
 
Question on IT Security Certifications & Career Planning
 
 
Here is a question from a colleague:
Why would someone certify under CAP or CPP instead of SSCP or CISSP?  Most network engineers would certify under CISSP, correct? 
 
Each of the certifications covers a different set of skills and is made for different job positions. You should determine what job you want and build your resume for that dream job.
 
CISSP, SSCP and CAP are (ISC)2 certifications.
CISSP (Certified Information Systems Security Professional) is a high-level technical or management certification.
The SSCP (Systems Security Certified Practitioner) is a certification for a tech.
The CAP (Certification and Accreditation Professional) is a specialty certification on the National Institute of Standards and Technology (NIST) security framework, designed for management or a NIST/FISMA consultant. (The Federal Information Systems Management Act (FISMA) requires Federal government agencies to implement information security and NIST standards.)
 
The CPP is a certification administered by ASIS International.
The CPP (Certified Protection Professional) is an executive management level certification that traditionally focused on physical security and more recently has added IT security topics. The CPP will focus on topics as broad as terrorism, retail theft prevention, executive protection, armored cars, workplace violence, safety and information security.
 
The government has recognized certification as the best way to determine personnel skill levels.
 
The Department of Defense (DoD) really got the ball rolling on certifications by mandating certification for all staff involved in Information Assurance. DoD Directive 8570.1 actually maps each of the certifications to either technical or managerial and then to levels in each. In addition there are specialty positions, such as auditor, that don’t have levels but have certifications. All DoD part-time or full-time personnel are required to have those certifications by 2010. (70% by 2009)
 
Here is information on the DoD directive:
 
There is talk that certifications like CAP will be added in the near future. Perhaps it was not selected because it was too general on certification and accreditation to fit in with the DoD. However, it is perfect for federal government agencies and anyone that wants to use NIST security standards like State, Local and Tribal governments. (Other organizations too, as NIST can be used by private organizations as well).
 
Some other Federal agencies are using DoD as a guideline for their staff as well, which is a good idea. In the past, hiring managers focused on degrees and experience. The problem with experience is being able to verify that the candidate's experience matched the needs of the position to be filled. This is where certifications come into play. A certification demonstrates that the holder has a particular knowledge or set of skills. In the end, you want to have both the experience and the ability to demonstrate that experience with relevant certifications.
 
Degrees are a one-time event and have the problem of staying up to date with current technology and practices. For example, is a degree in computer science from 1980 relevant to today's systems? With technology changing so rapidly, any training you have is likely to be out of date; sometimes it is out of date before you have finished the training. The best bet is to combine continuing education with a degree.
 
There are 4 important qualities for a career in Information Technology or Information Assurance (IT Security).
 
1. A Degree, mostly to get you past any hiring managers that place a high value on a degree.
2. Experience, the longer you have been in the field the better.
3. Certifications, as a means to verify your experience.
4. Continuing Education, because this field changes rapidly and you have to keep up.
 
You will have a greater advantage over your competition the more you have in each of these areas.