As explained in the first part of this account, many banks suffer from a managerial perception that when company electronic devices get damaged or otherwise malfunction, the recovery of the data on those devices is handled in-house, when in fact the devices are routinely shipped by bank tech staff to third-party vendors that specialize in such recovery.
Lynda Martel, executive director, DriveSavers Data Recovery Inc., gave a chilling presentation at the ABA Risk Management conference in which she shared survey results, along with her company's own experience, that together conclude that such perceptions put banks at risk of security breaches.
"We know this to be true," she said to the audience of bank risk managers, none of whom took exception. She said her company annually receives up to 25,000 malfunctioning computers, laptops, and mobile devices, primarily from financial services, medical, and government entities. Other data indicate that the four largest such vendors account for only 10% of the data recovery industry's total revenues of $1.5 billion.
Which means, she says, that there are a great many newcomers to the field, many of which may not know of, much less adhere to, the stringent security rules imposed on banks by regulators. Even if they do, there's no guarantee that their facilities are as local as they seem from their websites.
"Do a search for 'data recovery services.' Depending on where you are, the search will show vendors who appear to be nearby," Martel says. "In reality, they tend to have offices in various cities, from which they'll ship your devices somewhere else for actual service." Techs sometimes seek to use the closest vendors (or at least those that seem to be close) in order to meet time constraints on work orders received through their company, she says.
This matters because data recovery requires very sophisticated and expensive facilities, including NASA-style clean rooms and specially trained technicians.
Another issue, she says, is that some startup data recovery vendors simply use off-the-shelf software that may only be able to handle the simplest recovery work. The more complicated cases they typically send on to companies like hers.
"We know this because we'll get the device and when we shake it, we'll hear loose screws rattling inside, indicating that it has been opened. We really get the worst of the worst," Martel says.
Martel points out that while there are plenty of regulations that apply to data security in general (for example, Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and guidance from regulators), few specifically deal with data recovery. She cites only two:
• National Institute of Standards and Technology SP 800-34 Rev. 1, Section 5.1.3, paragraph 5: "Organizations may use third party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The service provider and employees should sign nondisclosure agreements, be properly bonded, and adhere to organization-specific security policies."
• Shared Assessments Group, SIG Risk Assessment Tool, Version 6, Section G, Communications and Operations Management:
"G.4: Do third party vendors (backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, etc.) have access to [damaged] system and data? If so, is there:
G.4.1 security review prior to engaging in their services (logical, physical, other corporate controls)?
G.4.2 security review at least annually, on an ongoing basis?
G.4.3 risk assessment or review?
G.4.4 confidentiality and/or nondisclosure agreement requirements?
G.4.5 requirement to notify of changes that might affect services rendered?"
One key action to take, she says, is to visit the potential data recovery vendor to see its facilities and to get a sense of its professionalism. That visit is part of the recommended mitigation steps, which are as follows:
• Conduct a gap analysis. Find out if there is a disconnect between what is perceived and what is actually happening. Do failed drives get sent to a data recovery vendor, and under what circumstances? Is an incident report filed? Who chooses the data recovery vendor? Does the type of data to be recovered drive the vendor selection criteria? What are the current audit and assessment processes for data recovery vendors? Are the vendor's security protocols vetted before its services are engaged?
• Revise internal and external policies and procedures where needed. If the gap exists in the organization, determine which internal policies, procedures, and practices need to be revised. Internal policies and procedures, business continuity, disaster recovery, and incident response plans should address the use of data recovery service providers. Policies and guidelines should be established within the enterprise for vetting a data recovery service provider. Criteria for selecting data recovery vendors, and the supporting proof required of them, should be specified.
• Develop and operate enforcement mechanisms. Define documented and repeatable business associate risk management processes to address drive failure, data loss, and the use of third party recovery vendors. Conduct mandatory annual security reviews of data recovery service providers. Develop and deploy employee training and awareness programs to ensure sensitive and confidential data are protected throughout the data loss and data recovery process. Establish strong enforcement practices for failing to adhere to the organization's policies.
• Modify contracts with third party vendors to align with internal changes. Any internal changes to the policy and procedures regarding the use of third party data recovery vendors should be mirrored in contractual arrangements with high-risk vendors that handle the organization's sensitive and regulated data.
• Conduct ongoing monitoring of third party data recovery vendors. Data recovery vendors may require special consideration for ongoing monitoring. This should include: annual review of audit reports and certification documents to verify they are up to date; assurance that the vendor complies with industry-mandated data privacy/security guidelines; annual on-site quality assurance reviews; periodic analysis of the vendor's financial condition; assessments of compliance with contract terms; testing of the vendor's business contingency planning; evaluation of the adequacy of the training the vendor gives its employees; periodic meetings with the vendor to review contract performance and operational issues; and anonymous testing of the vendor's service capabilities.
The good news, Martel says, is that "the solution to this high-impact risk requires policy and procedural changes only and is low in cost."