Standards Watch: Storage Security Update

The world of storage security standards continues to evolve. In fact, it can be hard to keep up with all that’s happening. Here’s a quick recap of SNIA’s involvement and impact on some notable storage security work – past, present and future.

ISO/IEC 27040 (Information technology — Storage security) provides security techniques and detailed technical guidance on how organizations can define an appropriate level of risk mitigation for data storage, using a well-proven and consistent approach to the planning, design, documentation, and implementation of storage security controls. SNIA has been a key industry advocate of this standard, contributing many of its concepts and best practices since 2006. Recently, the SNIA Storage Security Technical Work Group (TWG) authored a series of white papers exploring a range of topics covered by ISO/IEC 27040.

At the recent ISO/IEC JTC 1/SC 27 (Information security, cybersecurity, and privacy protection) meeting, there were several developments that are likely to have impacts on the storage industry and consumers of storage technology in the future. In particular, three projects are worth noting: 

  • The first is ISO/IEC 27050-4 (Information technology — Electronic discovery — Part 4: Technical readiness), which includes guidance on the preservation and retention of data and electronically stored information (ESI) that was derived in part from the SNIA Storage Security: Data Protection white paper; this project progressed to draft international standard (DIS) and is expected to be published in early 2021. 
  • Next, steps were taken to restart the revision of ISO/IEC 27031 (Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity), with an initial focus on what constitutes ICT readiness; recent events (e.g., the Covid-19 pandemic) have highlighted the need for this readiness. SNIA has an obvious interest in this area and anticipates offering contributions. 
  • Last, but not least, work has started on the revision of ISO/IEC 27040 (Information technology — Storage security). The decision to include requirements (i.e., allowing for conformance claims against the standard, rather than guidance only) has already been made and will likely increase the importance of the standard when it is published. 

SNIA has published several technical white papers associated with the current ISO/IEC 27040 standard, and it is expected that SNIA-identified issues and suggestions will be addressed in the revision. For example, concerns raised about the staleness of the media-specific sanitization guidance have already resulted in IEEE initiating a project authorization request (PAR) for a new standard focused solely on storage sanitization.

Interested in getting involved in this important work? You can contact the SNIA Storage Security TWG and/or the SNIA Data Protection and Privacy Committee by sending an email to the SNIA Technical Council Managing Director at tcmd@snia.org.
