Data Protection
We are currently going through a fairly large project internally, and part of this is a “risk register” against the business. Now this includes a lot more information than just simply data on disk, but also people, reputation and so on. For me, now that I have started this project, that is a key part of data protection.
It’s an interesting topic, and something that I’d like to share with you at this early stage in my own project as it makes you look at the storage aspects in a different light.
What affects a piece of data’s risk class?
-
Who has access to it?
-
How confidential is it?
-
Does it have a tangible value?
-
How portable is it?
-
Could it potentially damage the business reputation?
-
Is it protected?
-
… probably a lot more!
Some of these are all questions we already have asked about the data sets as we need to define snapshot, replication and tape policies, but data protection goes a lot further than just this. Interestingly the Zemanta plugin for my blog has linked “data protection” with “Information Privacy”, which is a key point!
Who has access to it?
Not just from a front-end authorised point of view, although you do need to know this. Payroll for instance, generally it would just be HR and Accounting that have access to this, but is there a mechanism for anyone else to gain access to it? If so, is there any audit control to check who has been granted access, or who has gained access? The audit control is almost more important than the security in the first place. Security can and will always be broken, but if you can prove it was broken, then you can fix it!
