An organization's data is often its most valuable asset, and keeping it stored safely and effectively is increasingly a commercial and legal imperative. However, the process of managing it can be complex, covering not only how it is stored but how to access it securely and communicate it across a wide range of media and devices.
A new International Standard from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27040:2015, Information technology - Security techniques - Storage security, provides detailed technical guidance on how to effectively manage all aspects of data storage security, from planning and design through to implementation and documentation. ISO/IEC 27040 is the only standard that addresses the broad topic of securing entire storage ecosystems, as opposed to focusing on individual point solutions.
The standard includes guidance on mitigating risks of data breaches and corruption, and takes into account new technologies and the complexities of connectivity. It addresses cloud storage and the related secure multitenancy, security for long-term retention of data, and secure autonomous data movement. It also supports the requirements of an information security management system, as described in ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements.
The only international standard to address media sanitization, ISO/IEC 27040 includes materials developed collaboratively with the National Institute of Standards and Technology (NIST) and aligned with the recently published NIST SP 800-88r1, Guidelines for Media Sanitization. It is also the only standard that includes guidance on cryptographic erasure.
Further highlighting its unique breadth, ISO/IEC 27040 was written with multiple user communities in mind, to be used differently yet effectively by each: storage practitioners and managers; security practitioners and managers; information systems (IS) auditors; consumers/users of storage; storage vendors and solution providers.
ISO/IEC 27040 was developed by ISO/IEC Joint Technical Committee (JTC) 1, Information technology. JTC 1 is a consensus-based, voluntary international standards group that works as a highly productive collaboration between ISO and IEC. More than 3,700 experts from 163 countries come together in JTC 1 to develop mutually beneficial guidelines that enhance global trade while protecting intellectual property. The U.S. plays a leading role in JTC 1, with the American National Standards Institute (ANSI) holding the secretariat and Karen Higginbottom, director of standards initiatives at Hewlett-Packard Company, serving as JTC 1's chair.
The JTC subcommittee (SC) directly responsible for ISO/IEC 27040 is SC 27, IT security techniques; the InterNational Committee for Information Technology Standards (INCITS) administers the ANSI-Accredited U.S. Technical Advisory Group (TAG) to JTC 1 SC 27. Tremendous U.S. industry collaboration and effort, led by INCITS technical committee CS1, went into the development of ISO/IEC 27040, including key contributions from the Storage Networking Industry Association (SNIA); the Trusted Computing Group's Storage Working Group; the IEEE Information Assurance Standards Committee; the OASIS Key Management Interoperability Protocol (KMIP) Technical Committee; the Internet Engineering Task Force (IETF); INCITS committees T10, T11, and T13; the Cloud Security Alliance; ISACA; and the American Bar Association Electronic Discovery & Digital Evidence Committee.