Addressing Privacy Issues During Disaster Recovery

By Rebecca Herold | January 10th, 2006 (updated 2022-03-29)

Here are some key areas where planners need to be concerned with private and personally identifiable information when creating, updating, and testing disaster recovery plans.

Businesses possess a staggering amount of private and personally identifiable information (PII), not only about their customers, but also about their employees. Under which circumstances and representations was this information collected? How is this information being used? To whom is this information being transmitted? How is this information being stored? Who has access, authorized or not, to this information? Unfortunately, many, if not most, businesses do not know the answers to these questions even under normal business circumstances.

The first order of business following a disaster of any size or type is typically to get the most critical parts of the business running again as soon as possible. The concept of “continuous availability” has become more of a norm now than a decade or more ago, when it was just wishful thinking. As a result, disaster plans often focus on speed of recovery while overlooking information privacy issues, leaving real gaps in the protection of PII.

What Can Go Wrong
Many lessons can be learned from events in recent history that impacted the security of companies’ PII. After the World Trade Center terrorist attack on September 11, 2001, an abundance of papers that survived the attack were scattered around the city, many of them containing PII. This demonstrates that, during a catastrophic disaster, PII can be uncontrollably lost into the public environment and cannot be accounted for; that systems storing PII can become unaccounted for, with no documentation and no surviving persons to identify where copies of PII were stored at other locations; and that, with normal communications lines destroyed, PII can be sent over less secure wireless and public connections during recovery efforts.

Other past events bring up similar issues. For instance, many times after a disaster, ad hoc sites are established to continue business with no physical access security to personal information and computing hardware in place, and systems are restored quickly under emergency conditions that do not restore the restricted access controls to protect PII.

Legal Privacy Requirements


Privacy-related laws worldwide require that organizations restrict access to PII to only those who have a need to know in order to perform legitimate business activities. When recovering from a disaster, systems and operational facilities are often restored without such granularity of access control, with the intent that when activities get “back to normal” the access controls will also be modified to appropriately limit who has access to PII. Unfortunately, following disaster recovery, the emergency mode of computer operations historically has not been returned to more restrictive controls for months and perhaps even years, if at all. Once a business is back up and running, it is easy to put all efforts toward continuing business as usual and trying to make up the lost time, rather than spending resources on going back to secure the network properly. How much time following a disaster is it allowable to be out of compliance with the applicable privacy-related laws, if indeed any time at all is permissible?

The large and aggressive expansion of legal and regulatory initiatives that address privacy considerations includes the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the European Union Data Protection Directive, and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). This expanding universe of standards and regulations requires a comprehensive business continuity management program to manage the risks of an organization, help ensure continuous availability of services and products, protect assets, and keep management aware of standards and regulations that may impact the organization negatively if not addressed properly within disaster recovery plans. The global trend is to hold company leaders accountable for noncompliance. Professionals in business continuity, security, and other risk management positions, especially auditors, should be aware of the latest standards and regulations as they carry out their responsibilities.

Controlling Access During Network Recovery
An objective of disaster recovery is to minimize risk to the organization during recovery. This includes minimizing the risk to privacy. For example, if an automated call distribution system is implemented to permit continued operation of the business, it should not expose the company to undue increased risk. The systems must provide a baseline set of access controls to prevent intrusions during the recovery period, and also to ensure adequate identity verification of customers calling to request access to their information.

To help protect privacy during network recovery, it is important to know which information repositories containing PII are necessary for the recovery effort. To accomplish this, it is vital to have in place an inventory identifying the PII used within the company, where it is stored, and who should have access to each PII item.
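As an added illustration of the two points above (emergency-mode access that is never tightened again, and a PII inventory that records where each item lives and who may access it), the following Python script is not part of the article; it reconciles a constructed PII inventory against a constructed snapshot of access grants observed on restored systems and reports grants that exceed need-to-know, inventoried repositories that are unaccounted for, and PII stores that were never inventoried. All repository names, locations and principals are constructed for the example.

```python
# Added example (not from the article): reconcile access on restored systems
# against a PII inventory, flagging emergency-mode grants that exceed
# need-to-know. Names, locations and principals are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class PiiRepository:
    name: str              # repository identifier (a database, share, envelope)
    location: str          # where it lives, so recovery can account for it
    authorized: frozenset  # principals with a legitimate need to know


# Constructed PII inventory: what the company holds, where, and who may access it.
INVENTORY = (
    PiiRepository("hr_personnel_db", "site-a/db01", frozenset({"hr-staff", "payroll-svc"})),
    PiiRepository("customer_files", "site-a/fs02", frozenset({"claims-team", "backup-svc"})),
    PiiRepository("dr_call_list", "sealed-envelope/recovery-lead", frozenset({"recovery-lead"})),
)

# Constructed snapshot of access grants observed on the restored systems.
RESTORED_GRANTS = {
    "hr_personnel_db": {"hr-staff", "payroll-svc", "everyone"},  # emergency-mode grant left behind
    "customer_files": {"claims-team", "backup-svc"},
    "ad_hoc_export.xlsx": {"recovery-team"},                    # PII copy nobody inventoried
}


def reconcile(inventory, grants):
    """Compare grants on restored systems against the inventory.

    Returns a dict with three findings:
      excess  - repository -> principals holding access beyond need-to-know
      missing - inventoried repositories with no grants observed (unaccounted for)
      unknown - stores with grants that the inventory never listed
    """
    known = {repo.name: repo for repo in inventory}
    excess = {}
    for name, repo in known.items():
        extra = grants.get(name, set()) - repo.authorized
        if extra:
            excess[name] = sorted(extra)
    missing = sorted(name for name in known if name not in grants)
    unknown = sorted(name for name in grants if name not in known)
    return {"excess": excess, "missing": missing, "unknown": unknown}


if __name__ == "__main__":
    for kind, finding in reconcile(INVENTORY, RESTORED_GRANTS).items():
        print(f"{kind}: {finding}")
```

Run against the constructed data it reports the stray "everyone" grant, the call list no system accounts for, and the ad hoc export that was never inventoried; a real run would feed it the organization's actual inventory and an export of current permissions.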

If wireless, personal Internet, public kiosk, or other types of remote access methods are used as part of the disaster recovery process, or PII is processed from mobile computing devices such as PDAs, laptops, and BlackBerry devices, controls must be implemented to ensure privacy and security are not compromised during their use.

Controlling Facilities and Physical Access
One of the most effective means for limiting the damage from a malicious act, which would potentially result in a privacy incident, is to limit access to the recovery data center and its periphery, including the floors above and below the data center and the adjacent areas. Likewise, physical access controls should be implemented to limit entry to communications facilities to authorized personnel only. Of course, the first priority during recovery is to protect human life, so these physical controls must allow those in the temporary facilities ways to exit in an emergency without being locked in.

Communications equipment is often stolen under normal business activity, and the risk of theft during a disaster could increase dramatically. Certain types of computing devices have high resale value, not to mention the value of customer information files stored on the computers. A 2002 study by the Computer Security Institute and the FBI found that the average financial loss for a laptop is $89,000, with only a small percentage of this amount actually relating to the hardware cost. The loss of information and the impact to the privacy of others could be as devastating as the disaster itself.

Many organizations have inordinate amounts of PII on printed documents. Scanning technologies are available for critical documents, and these digitized documents can be stored in a secure offsite location. Such digital representations can then be used to help account for the location of the physical documents following a disaster, and thus help to determine whether the privacy of the associated documents is at risk.

Other physical security issues and considerations that impact privacy include electronic card access systems, closed-circuit television, security guards and hours of coverage, intrusion alarms, restricted access areas, locations of windows and doors, security systems connected to police, fire, and security service, sign-in logs, visitor badges and escort practices, and data classification.

Securing Access to Backup Media
Backup media can contain massive amounts of PII. An organization must establish a process to identify the media that contains PII and clearly detail how privacy and integrity will be managed during recovery.

Workstation-based information is one of the greatest vulnerabilities for most companies. There is so much vital information stored locally on workstations with little or no backup. If individuals have taken the precaution of creating backups, they are typically stored right next to the workstations, creating privacy risks and leaving the company exposed to any type of catastrophic disaster. The company must proactively address this issue through policy and procedures and through providing solutions for creating and storing effective workstation backups.

Disaster recovery planners must decide when and how often to take backups off site. Depending on the company’s budget and regulatory and contractual requirements, “off site” could be the building next door, a bank safety deposit box, the network administrator’s house, the branch office across town, or a secure media vault at a storage facility maintained by a company that specializes in off-site media storage. After separating the backup copy of PII from the source within the company, organizations must address the accessibility of the off-site copy. For instance, if the copy is at the network administrator’s house, where exactly is it kept? How are the backup media transported to the off-site location? Are secondary backup sites used? If so, how are security and privacy issues addressed there?

Placing Personnel PII in the DR Plan
The personnel on the disaster recovery team often need access to information about most, if not all, of the employees in the company. The information typically shows where to contact each employee and gives an alternate contact number, such as a parent’s or in-law’s house. To preserve employees’ and their alternate contacts’ privacy, controls must be in place and enforced that detail the conditions for using the call and recall lists.

To help address this privacy concern, some organizations keep the personnel contact lists in sealed envelopes. When the recovery leader activates the disaster plan, these envelopes are marked with the date, circumstance, and name of the person accessing the information. Other companies keep the call and recall contact lists on a CD. In such a form it would be accessible to the recovery leader and used on the leader’s computer from which recovery processes are activated or recorded. However, a printout is used, too, in case of dead batteries, corrupted disks, electromagnetic pulse, damage to the computer because of acidic fumes or volcanic ash, or other adverse circumstances.

Controlling Public Conversations about PII
During disaster recovery many businesses not only need to perform work in ad hoc work locations, but they also spend much of their waking days discussing the details of the recovery with colleagues. Oftentimes these discussions happen over lunch, dinner, or coffee at a nearby café; through cell phone conversations while traveling in airports; or while also trying to run personal errands such as buying groceries, taking children to school events, and doing other activities in public spaces.

The amount of confidential information people carelessly divulge over the phone is alarming. Employees in a recovery situation should be reminded to be discreet in their public conversations.

Making Others Custodians of PII
Oftentimes third parties are contracted to assist with the recovery process. Backup media is often stored within a vendor site specializing in such a service. Companies often contract with vendors to use their cold or hot sites for recovery. Some businesses have arranged with other companies to use part of their computer facilities during recovery.

Another aspect is the sharing of information with government and law enforcement after a disaster. For example, after a terrorist attack, a company may be asked to share e-mail messages or access logs with investigators. Organizations must be very careful about sharing information with other businesses and government officials, or with integrating private sector and government databases. There are ways to do it right to help preserve privacy, and ways to do it wrong that jeopardize the privacy of PII.

Third parties may also perform routine activities involving PII, which will be impacted during a disaster situation. For example, if a service bureau is doing payroll, tests should be conducted to ensure the continuity of backup payroll and associated banking information. What exposures to employee privacy were created during the disaster related to payroll processing?

Keep Privacy Considerations in Mind for DR
The above are just a few of the disaster recovery issues that involve privacy concerns. Other issues that have privacy implications include, but are not limited to, how surveillance is used during disaster recovery, the types of investigations that may occur during or following recovery, the disaster recovery promises that exist within the website privacy policy, maintaining privacy during recovery testing, testing recovery scenarios where PII is most at risk, verifying work following recovery to ensure privacy issues were not overlooked during the stress of the recovery activities, and responding to privacy incident disasters, such as stolen customer files from laptops or PDAs.

Published in IT Availability & Security

About the Author: Rebecca Herold

Rebecca Herold, CIPP, CISSP, CISM, CISM, FLMI, “The Privacy Professor,” has over two decades of information security, privacy and compliance experience. She’s been named on Computerworld’s “Best Privacy Advisors” list for the past two years. Contact her at [email protected] or http://www.theprivacyprofessor.com
