The thought of “being audited” often evokes fear. Actions taken on stored information, storage infrastructure security and the practices of storage professionals are all subject to internal and external audit. Recently, the specialized nature of IS auditing has extended to include the storage infrastructure, however, auditors with specialized storage skills and knowledge are a limited resource. Auditors are required to be technically competent in the storage area while being aware of the many standards and legal requirements, in addition to security guidelines. That makes them a great asset to our work! As a result, a storage security auditor can provide great benefit to the storage professional and their organization.
Storage professionals maintain information security policies within and around the storage infrastructure; some establish policies and practices, independently, or in concert with others. When we set a security or storage policy, we do so based on our understanding of the requirements, our personal experience and budget constraints. However, is our due diligence enough? This is where the auditor can provide external validation and recommendations (authentication, control, encryption, etc.) in midst of their role as professional skeptic and risk manager.
In this session, we present a client case scenario, review the Storage Security Audit Process and then follow the process in a case study. Our goal is to prepare you for a storage security audit. In addition, we believe that your perspective will change from implementing storage security to designing for secure storage.
After completing this tutorial, you should be able to:
Describe the Storage Security Audit Process
Secure Information Assets in the Storage Systems
Integrate security and governance practices into storage systems and storage infrastructure life cycle and management, including business continuity and disaster recovery
Presented by LeRoy Budnik, CEO of Knowledge Transfer, an Information Systems Auditor, Chairman of the SNIA Storage Security Industry Forum and one of the foremost authorities on data security. His practical approach will keep you out of the headlines.