Posted by jerry on June 26, 2008, 12:25 pm
Can anyone direct me to information pertaining to any laws or
guidelines that are essential to maintaining security for a data
storage array and servers?
I need to find out if there are any laws that pertain to such devices.
For instance, I have been told that the servers must be behind 2 locked
doors.
Thanks,
Jerry
Posted by on June 26, 2008, 1:10 pm
>Can anyone direct me to information pertaining to any laws or
>guidelines that are essential to maintaining security for a data
>storage array and servers?
>
>I need to find out if there are any laws that pertain to such devices.
>For instance, I have been told that the servers must be behind 2 locked
>doors.
>
I doubt if any laws would be that specific. It sounds more like an
organisation-specific requirement.
For general laws on data protection you would need to specify what legal
jurisdiction you are operating in, and they would be more to do with protecting
the information on the systems than protecting the storage arrays and servers
as such. Legal and business requirements will focus on maintaining
confidentiality, integrity and availability of the data, which will have
implications for physical security of the hardware, OS hardening, patching, etc.
David Webb
Security team leader
CCSS
Middlesex University
>Thanks,
>
>Jerry
Posted by jerry on June 26, 2008, 4:48 pm
>For general laws on data protection you would need to specify what legal
>jurisdiction you are operating in, and they would be more to do with protecting
>the information on the systems than protecting the storage arrays and servers
>as such. Legal and business requirements will focus on maintaining
>confidentiality, integrity and availability of the data, which will have
>implications for physical security of the hardware, OS hardening, patching, etc.
>
>
>David Webb
>Security team leader
>CCSS
>Middlesex University
>
>
>
I deal exclusively with Federal Grants, and the grants are specific to
Research Grants. Our call center obtains information from people
working with our investigators; the information is then stored on
our servers, and then the data is analysed.
I hope this sheds a little more light on our needs. I still need to
know where to look for such guidelines on the security of this data
that is collected, which contains personal information.
Thanks,
Jerry
Posted by Walter Roberson on June 27, 2008, 2:05 am
Please do not snip out attribution lines. The following, which
you did not attribute, was written by David Webb:
>>For general laws on data protection you would need to specify what legal
>>jurisdiction you are operating in
>I deal exclusively with Federal Grants and the grants are specific for
>Research Grants. Our call center attains information from people
>working with our investigators and then the information is stored on
>our servers and then the data is analyses.
Jerry, you missed David's first sentence. Telling us that
you work on Federal Grants does *not* tell us which legal
jurisdiction you are in. Your Usenet Article-ID refers to 4ax.com,
which is registered by Forte Internet of Carlsbad, California, USA,
but that doesn't tell us anything about where 4AX.com is
and doesn't establish that you posted from 4AX.com, and doesn't
establish that 4AX.com is even remotely physically close to the
jurisdiction of interest to you. You -might- be referring to
the United States, but "Federal Grants" could refer to Canada
or to any of several other countries.
You mention "personal information". As such, the strictest
applicable laws might be state (or provincial) laws rather than federal
laws.
You mention Research Grants. As research is often international, you
might be collecting information about EU citizens, in which case the
strictest applicable laws might arise from the EU data protection
directives, which are -much- stricter about the collection of personal
information than the US federal laws. I no longer recall for sure
whether the US eventually enacted laws to be in compliance with the EU
databank requirements; back when I used to know this stuff better, it
was widely understood that the US compliance with the EU privacy
directives was a bunch of "lip-service", laws on paper that the US had
little intention of enforcing, laws that the US would have no qualms
about overriding at the slightest hint of "national security reasons" --
and the mood I encountered was that if any sufficiently large US
commercial interest was noticeably inconvenienced by the EU privacy
laws, that the US government would fight to weaken the EU privacy laws
rather than require the large commercial interest to adhere to the laws.
But I don't know how that all evolved over the last few years.
Servers must be behind two locked doors? I dunno about that. I
used to be responsible for securing some "secret"-level information
in Canada (though "secret" is not the correct technical term
in Canada); "personal information" is a level below that
(less strict) in security. Our equipment did not have to be
behind two locked doors: the closest to that was that the applicable
"best practice" indicated that unless there was a Good Reason Otherwise,
the secure equipment should be behind at least two "control points".
In our case, the first "control point" was the security guards at our
entrance -- which did not involve rigid physical security, but
strangers would be challenged and anyone muscling in would be
noticed by security. We were not required to protect against the
possibility of armed invasion, not at that security level.
Our second "control point" was locked doors with keys (or
access codes) issued only on a "need to know" basis. For example,
my boss did not have the appropriate keys or codes because
he did not have a need to -himself- access the security equipment.
If Something Had Come Up then there was an established procedure
by which he could get access, but he would have had to justify it
to other people, and record keeping of any such accesses would have
been mandatory. (If he had, for some reason, ordered me to
give him access, then my orders, from above his level, were to
refuse.)
This need-to-know access and orders from higher levels was not due to
any great sensitivity of what we were doing: it was the standard
procedure for the maximum security level of anything that any of our
people worked with. -Mostly- what we worked with was technologies in
development, maintained as more or less "trade secret" until a patent
decision had been taken on what was developed. There was little of it
that qualified for even the lowest level of government confidentiality
laws.
The first level of the confidentiality laws applied mostly with respect
to accesses our human resources department made to the personnel
databases, since they had access to salary information and home
addresses and the like. Personnel information is classified,
so the appropriate laws kicked in.
The higher level of the confidentiality laws, few people were
involved with. Officially, in Canadian law, when a company
requests that the terms of a contract with the government be
kept confidential, that confidentiality is treated as being
"information detrimental to Canada" if it should be breached,
requiring noticeably tougher safeguards than (for example)
information about how much each employee earned. Better in
law that someone should break in and manipulate the financial systems
to defraud the government, than that we accidentally reveal the
terms of a contract no matter how weakly the contract confidentiality
request was phrased.
But that's Canadian jurisdiction politics, and for all the
information you have given, you might be in (say) Germany,
with very different laws and practices applicable.
Posted by Chris Mattern on June 27, 2008, 3:56 pm
> Can anyone direct me to information pertaining to any laws or
> guidelines that are essential to maintaining security for a data
> storage array and servers?
There are no laws pertaining to security for storage arrays. There
may be laws pertaining to security for the information *on* the
storage arrays. Without knowing what you're keeping on your disks,
it cannot be said what your legal obligations are.
>
> I need to find out if there are any laws that pertain to such devices.
> For instance I have been told that the servers must be behind 2 locked
> doors.
There is no law that says anything as specific as "2 locked doors". Most
laws will specify in general terms that proper care must be taken, with
industry standards and landmark court cases specifying what that will involve.
Again, it's not possible to say anything specific without knowing what
information you're storing.
>
> Thanks,
>
> Jerry
--
Christopher Mattern
NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities