The value of data is increasing. At the same time, so are the risks of improperly securing and storing data and by corollary, the benefits of improving such capabilities. This helps to explain why a growing number of companies are looking more closely into ISO 27001 Information Security Management Certification.
Across the globe, there is an ever-expanding array of agencies just waiting to launch audits of not only your data but of the ways you manage it. It could be customer data inviting a visit from someone representing the EU's General Data Protection Regulation, or it could be healthcare information drawing regulatory attention under the Health Insurance Portability and Accountability Act. Maybe it's data relating to communications with investors and prospects under the Financial Industry Regulatory Authority's FINRA Rule 2010 (Standards of Commercial Honor and Principles of Trade).
Simply put, companies are also more exposed than ever before. There are myriad factors involved, but a major one has been the seismic transition to work-from-anywhere business models. With more and more of the workforce operating remotely, applications and data are not as tightly controlled as they were when traditionally centralized. Again, the risks multiply.
It doesn't matter who you are or what industry you operate in. Even if you're not covered by specific regulations, you could still become a defendant in a federal civil case. Should that happen, you will be held accountable, whether you realized it or not, for compliance with the data regulations governing litigants in e-discovery.
In general, as data increasingly becomes the lifeblood of commerce, the risks of its misuse or mismanagement increase --- not only in the eyes of regulators and industry watchdogs but also for business owners and investors. Failure to adequately protect, store, and produce data for inspection upon demand by agencies or civil courts can result in fines totaling well into the millions of U.S. dollars. For these reasons, a growing number of companies are looking for greater confidence and rigor in their data practices.
Companies should, of course, take steps to better understand their data-driven business risks and upgrade their practices in terms of data management, security, storage, and retrieval. But the larger the business, the more data it possesses, the larger its remote workforce, the greater its risks.
That's why a growing number of CEOs, board members, and investors in such businesses are seeking greater assurance that their data management efforts are keeping up with best practices. This is where an ISO 27001 Certification comes into play. ISO is short for the International Organization for Standardization, a Geneva-based nonprofit organization that since 1947 has been involved in standard-setting across all manner of industries.
ISO 27001 evaluates a business across all aspects of its data-management processes. Certification begins with an internal assessment of current practice. Working with ISO, a company can first find an accredited certification body. This body will in turn proceed step by step, evaluating processes against a set of key performance indicators specifically developed by ISO for information management, security, and storage.
Ultimately a company will achieve a better understanding of its risks and can install the policies and procedures required by an ISO 27001 Certification. Through its achievement and maintenance --- the standard requires ongoing assessments --- owners, managers, investors, and others gain higher assurance that data practices are fully compliant. This certification can also help demonstrate to courts or to regulators that a business has in fact been working to accepted industry standards.
Key elements within ISO 27001 are guidelines, requirements, and best practices for the management and storage of data. Every time one of your employees sends or receives an email, responds in a chat dialog, or comments on any social media whether in-house (Yammer, Slack) or public (LinkedIn), your company has executed a data transaction. In the event of a compliance audit, litigation, or similar investigation, you will be required to provide a full history of the full set of your organization's data transactions.
A major factor within such audits or e-discovery proceedings will be the provenance of your data. You will need to be able to prove who performed each transaction and when. Any forensic examination will need access to fundamental metadata in order to trace any changes that took place following the initial event. Was the post updated? Was the email forwarded or deleted?
For this reason, data owners must take care to ensure their method of storage prevents tampering with data files. Put another way, your storage system must deliver immutable files, with the leading-edge standard increasingly relying on "write once, read many" or WORM-compliant storage.
Businesses may also be called upon to show that they have adequately backed up their data in multiple locations so as to greatly reduce the risk of massive failure. Then again, certain regulatory bodies may also introduce requirements stipulating that data be "sovereign," or in other words, that it cannot be stored outside of the jurisdiction in question.
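As an added illustration (not MirrorWeb's product or code), the following Python sketch shows the kind of tamper-evident record of data transactions described above: each event is logged with who/what/when metadata and a content digest, and chained to its predecessor by hash, so any later alteration or deletion of an earlier entry is detectable at verification time. The actors, timestamps and sample transactions are constructed.

```python
import hashlib
import json


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes identically.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class ProvenanceLedger:
    """Append-only log where each entry commits to the previous entry's hash.

    Editing, reordering or removing any earlier entry breaks every later hash,
    so the ledger is tamper-evident (it does not by itself prevent tampering;
    WORM media or a write-once object store provides that layer)."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, content: str, timestamp: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "seq": len(self.entries),
            "actor": actor,                # who performed the transaction
            "action": action,              # e.g. email_sent, post_edited
            "timestamp": timestamp,        # when (ISO 8601, UTC)
            "content_sha256": hashlib.sha256(content.encode()).hexdigest(),
            "prev_hash": prev,             # link to the preceding entry
        }
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> tuple:
    # Constructed sample transactions; returns (intact_before, intact_after_tamper).
    ledger = ProvenanceLedger()
    ledger.append("alice@example.com", "email_sent", "Q3 forecast attached", "2024-01-10T09:00:00Z")
    ledger.append("bob@example.com", "email_forwarded", "Q3 forecast attached", "2024-01-10T09:05:00Z")
    ledger.append("bob@example.com", "post_edited", "Q3 forecast revised", "2024-01-11T14:30:00Z")
    intact = ledger.verify()
    ledger.entries[1]["actor"] = "mallory@example.com"  # simulated after-the-fact edit
    return intact, ledger.verify()
```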
The requirements can be stringent. But here at MirrorWeb --- that's what we do. Our focus is on providing state-of-the-art backup, storage, and retrieval capabilities to enable your compliance with the GDPR, HIPAA, FINRA, or for that matter just about any regulator or courtroom that might require you to participate in one or more rounds of forensic e-discovery. So when you're ready to take a closer look at your data-driven risks and opportunities, we're here.