12. Data handling, retention, and storage Flashcards
1
Q
Data handling, retention, and storage
Data Handling
A
- Only trusted individuals should handle data
- Policies should be in place - how, where, when, why
- Logs should show the above metrics
- Administrative control
- Feeds back to the “need to know”: who accessed the data, and did they have a good reason to do so?
2
Q
Data handling, retention, and storage
Data Storage
A
- Where is sensitive data kept
- Secure, climate-controlled facility, geographically distant location
- When there is a disaster, the tapes are safe from
3
Q
Data handling, retention, and storage
MTD
A
Maximum Tolerable Downtime
- If the MTD is 4 hours, and it takes 2 hours to restore but 3 hours for the backup company to deliver the tapes, this is past the MTD
- Disaster Recovery Plan factors in. Testing, walk-throughs, realisation of possible problems
4
Q
Data handling, retention, and storage
Backup Company - Collecting tapes
A
Reliable & Bonded
- Whoever collects must understand the liability
- Insurance must be in place if the tapes are lost
- Documented list of people who can collect the tapes
5
Q
Data handling, retention, and storage
Data Retention
A
Should not be kept beyond:
1. period of usefulness
2. legal requirements
- HIPAA or PCI DSS may require certain retention - 1, 3, 7 years or indefinitely
- Each industry has its own regulations
6
Q
Data handling, retention, and storage
Credit Card Processing
A
Log of Transaction
NOT actual transaction
- If your business accepts credit cards but is not a credit card processor
- Once data is handed off to the credit card processor, the business needs to get rid of it