Can you trust your data recovery vendor?

Pressed for time and money, agencies are often lax about vetting third-party data recovery companies. New NIST guidance seeks to correct the problem.

Many government and private-sector organizations consider recovering data from damaged laptop PC hard drives to be a minor budget item that third-party vendors can best handle. But a seemingly inexpensive fix could lead to compromised or stolen data, network breaches and other security nightmares because organizations typically do not vet data recovery vendors.

The National Institute of Standards and Technology has issued new guidance to address that problem, but it will be at least a year before agencies are required to comply with it fully.

When recovering intellectual property or sensitive documents stored in damaged equipment, major security problems can arise if agencies or companies have not paid attention to vetting data recovery vendors, experts say.

The NIST guidance, which appeared as part of the institute's Special Publication 800-34 Rev. 1, "Contingency Planning Guide for Federal Information Systems," is a small part of a publication that covers the full breadth of contingency planning and recovery procedures for federal information systems, said Marianne Swanson, NIST's senior adviser for information systems security.


The section about vetting data recovery vendors consists of a few sentences that state: “Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The service provider and employees should sign non-disclosure agreements, be properly bonded and adhere to organization-specific security policies.”

NIST published the document, a revision to an older version, in June, and agencies have as long as a year to begin implementing its guidelines, Swanson said. 

After NIST releases guidelines, the Office of Management and Budget can mandate them in its policies. If agencies are putting together a new system, they should use the new guidance, but they “don’t have to throw away everything that they’ve done,” she said.

The guidance was inspired by DriveSavers, a Novato, Calif., data recovery firm that conducted a survey that found that few, if any, federal guidelines covered the data recovery industry.

DriveSavers contracted the Reymann Group and Ponemon Institute, which surveyed 636 information technology security and IT support personnel who worked on data security and data recovery operations. The companies presented the survey’s findings to NIST to highlight the security risks posed by sending equipment to unvetted vendors for repair and recovery.

Security should be the first criterion for choosing a data recovery company, but that consideration is often at the bottom of most organizations' priority lists, said Michael Hall, DriveSavers' chief information security officer. When an organization requests a data recovery, the decision to select a vendor often falls to help-desk or technical support staff members, who are instructed to recover the data as quickly as possible.

“That’s what they base their criteria on — speed,” Hall said. “They don’t even bring into account the security aspect associated with speed. It’s a bad way of going about things.”

That inherent security problem was one reason the firm approached NIST to update its guidance.

Many organizations vet third-party vendors for IT support such as disaster recovery. But those judicious reviews often do not extend to data recovery. Or if an inspection is done, it is not invoked at the right time, Hall said. Organizations should be vetting companies at the start.

“The first chance at a data recovery is the best chance,” Hall said. “They want to make sure that they’re putting their information in someone’s hands who is completely competent, qualified, safe and secure.”

Hall noted that DriveSavers has received Defense Department approval to process information up to the top-secret level. In addition, DOD has listed the company as an approved organization, and all of the company’s certification and information is available on its Web site. However, few customers have asked to vet the company, he said.

“When we get to the point where people ask to vet us, it’s because there’s a very conscientious security officer on the other side, and when they need a data recovery, he doesn’t let the help desk handle it, he handles it himself,” Hall said. “It starts from the top down instead of the bottom up as far as picking a data recovery vendor and what criteria should be adhered to,” he said.

However, top-down participation in vetting data recovery vendors is an anomaly. Hall said the biggest security-related problem he sees is that organizations have inadequately small staffs and budgets. As a result, data recovery is often seen as the least-important problem, even though it could potentially compromise an organization. “Best practices are best practices, and they should be adhered to across the board but particularly in a data recovery environment,” he said.

Paul Reymann, chief executive officer of the Reymann Group, agreed that vetting data recovery vendors is a low priority for most organizations. “This is a weakness or a sleeper risk in not only the overall information security program but in risk assessment methodologies,” he said.

Most information security policies and manuals don't cover data recovery, Reymann said. Those publications might specify where to store data and how to manage the data, back it up and evaluate potential costs of recovering it after a disaster. “But they forgot that you don’t always back up data, and frequently someone will be in a position where their device fails and they have to go to a third party to recover the data. And that’s the sleeper risk — they didn’t really think about it.” 
 
Reymann said unvetted repair and recovery operations might employ personnel with criminal backgrounds, which creates a potential risk for data loss. “It’s outside of the existing information security program of the organization or federal agency because it is such a small item from a budget perspective," he said. "It doesn’t get picked up.” 

Reymann said he hasn't seen third-party data recovery vendors listed as potential high-security risks that require vetting. “This is a perfect example of a low-profile, high-impact threat event,” he said.

Swanson said service guidelines exist to vet vendors that conduct various lines of business with the government, but she is unaware of any that specifically apply to data recovery vendors. She said many organizations that want some accreditation will hire a third party to assess data recovery vendors for compliance with the Federal Information Security Management Act or NIST Special Publication 800-53, the catalog of security controls that must be implemented in information systems processing federal data.

Although the new NIST guidelines are a significant step toward providing a vetting framework for data recovery vendors, stronger vetting standards are still necessary, Reymann said. He said the screening and security process must be applied outside a traditional disaster recovery scenario to handle everyday problems, such as equipment failures. For example, many organizations will not enact a contingency disaster recovery plan if an employee’s laptop crashes the day before a major presentation, he said, adding that vendor vetting should be part of overall agency risk assessment policy guidelines and procedures.

Federal agencies that are seeking data recovery vendors can refer to the General Services Administration's schedules.  However, Reymann said, GSA does not conduct information security background checks. Agencies can also go outside GSA and submit a request for proposals for a vendor. Some vendors will complain that they cannot compete for government business if they must meet due diligence requirements. But Reymann added that although meeting FISMA requirements can be expensive, it is the cost of doing business with the federal government.
