Data Vaulting (or sometimes known as remote backup service (RBS)) is the process of sending data off-site, where it can be protected from hardware failures, theft, and other threats. Many Credit Unions are now using data vaulting as an effective way to ensure rapid recovery of critical systems in the event of a crisis. Even though the data is stored offsite, keeping the data safe is still the responsibility of the Credit Union regardless of the method or strategy used.
So – should your data vaulting solution be encrypted? Short answer – YES. And lets look at why.
- Well, for starters, it’s required (err, recommended) – To foster adequate data and media handling the data vault provider should:
- Have proper application configuration
- Secure data storage and/or processing
- Adequate access and integrity controls
- Appropriate encryption
- Adequate key management for encrypted data; and Sufficient data retention.
- The FFIEC states that when using a managed service provider the Credit Union has to ensure they are protecting data in transit to avoid a data breach/leakage.
- Additionally, FFIEC guidelines describe protecting data at rest so that in the event of one data breach within a hosted service the other customers are not impacted.
And what about NCUA requirements?
A quick peek at the AIRES IT Examination Checklists shows unequivocally the answer is YES! Examiners will look for evidence that:
- Critical and/or sensitive data in transit is encrypted
- Critical and/or sensitive data at rest (in storage) is encrypted
The use of encryption reduces the probability of unauthorized disclosure of information and can also detect unauthorized changes to information. Securing member data while in storage is as important as when the data is housed on the server. Encryption standards should address data on backup tapes, storage area networks (SAN), and replicated servers.
For more information on data vaulting and securing your critical data, give OGO a call today!