Best Practices of Offsite Data Storage
Topics:
Facility
Vehicles
Containers
Procedures & Operating Practices
Facility
Location
Facility location should minimize the risk of potential data loss and should meet the location requirements set by industry experts and common sense.
- Away from 100-year flood plain and known fault lines
- Away from statistically high crime and fire areas
- Away from industrial train routes
- Must be accessible to multiple routes for entry and egress
- Must be at least 5 miles from computer location
- Must be in a single-story dwelling
- Entire building must have 100% fire suppression coverage
- Must be access controlled
- Must be in close proximity to police and fire stations
- Must be in low-profile area away from high traffic routes
Construction
Facility and vault construction should minimize the risk of potential data loss and should meet the construction requirements set by industry experts and common sense.
- Must be a single-story building
- Vaults must be constructed above-grade (in-grade is not acceptable)
- Entire building must be a secured/inaccessible facility
- Facility entrance should have a man-trap entry system
- Truck loading area must have a secured, double door entry system
- No water pipes over or under vaulting areas
- No pipes inside vault other than fire suppression and electrical support
- Building housing Vault should be steel-reinforced concrete construction
- Must use industry approved vault doors
- Vaults must meet NFPA fire rating of 4 hours without increasing moisture levels
- Each vault must have a dedicated alarm, environmentally safe and 0 residue fire suppression system and HVAC unit
- Vaults floors must utilize an anti-dust floor agent
- HVAC units must be located outside vault
- Facility must have redundant power supply to protect against power outage
- All racking in vaults must be cross-braced for seismic activity
- Vaults must be certified to protect from all magnetic threats (up to 500 Tesla)
- Administrative areas are separated from the vaulting areas
- Facility must be completely unmarked and assume a low profile
Environment
Facility environment should minimize the risk of potential data loss and should meet environmental requirements set by industry experts and common sense.
- No bulk-paper is to be stored near the media vault
- Each vault must maintain acceptable temperature (60 - 70 degrees F)
- Each vault must maintain acceptable humidity (35% - 45%)
- Temperature and humidity levels must be monitored
- Each vault must be tied directly to an alarm company to detect temperature variances
- Audit records are kept for the temperature and humidity levels
- HEPA filtration system must be employed within vault to avoid cross contamination
Alarms
Facility alarms should minimize the risk of potential data loss and should meet alarm requirements set by industry experts and common sense. Connecting neighbors, if any, should also have alarm protection.
- Facility should have an alarm systems utilizing 2 separate security companies
- Immediate notification / response from authorities is mandatory for all alarms
- Detection of fire, water, motion, sound, vibration, magnetic door contact, window breakage and improper access code entry
- Alarms should use employee codes that are secure
- Alarm systems should provide an audit trail listing of activity
- Closed circuit television monitoring the interior and exterior of the facility
- Each media vault should have a dedicated, fully functioning alarm system
- All alarm systems should have a power back-up
Vehicles
Construction, Environment, Alarms
Vehicles should minimize the risk of potential data loss during transit and should meet data protection vehicle requirements set by industry experts and common sense.
- Each vehicle must be owned by vendor
- Each vehicle must only be used for transporting magnetic media
- Insulated shells, designed to minimize temperature fluctuations must be used
- GPS tracking of the vehicle& cargo must be monitored during transportation
- Each vehicle cargo area must have heating / air-conditioning
- Each vehicle must be equipped with a fire suppression unit
- Vehicles must be completely unmarked
- Vehicles must have mobile phones
- Vehicles must undergo daily inspection/maintenance (logs should be maintained)
- All vehicles must have a self-arming security system
- Vehicles must be locked and armed at all times while unattended
Containers
Containers should minimize the risk of potential data loss and should meet media container standards set by industry experts and common sense.
- Containers should be specific for each media type
- Containers / carts must be locked at all times during transit
- Keys shall be in the possession of the customer
- Containers must be water-resistant, shatter-resistant and fire-resistant
- Containers must have a unique label so not to identify customer or contents
Procedures & Operating Practices
Security/Authorization
Security and authorization procedures should be designed to minimize the risks and exposures of potentially losing critical data and should meet requirements set by industry experts and common sense.
At Vendor Site
- Media must not be co-mingled with other customers; separate drawers in storage racks must be provided for each customer
- Access codes and combinations to vault doors and alarms must only be issued to operations employees whose responsibilities require access
- Vault doors must remain closed at all times and vaults must be alarmed when vacant
- Facility access must be restricted to employees, clients, prospects, and necessary vendors
- All visitors must be escorted by a bonded representative at all times
- Media must only be transported to vendor facility by vendor employees
- Multiple levels of authorization must be used to control who can interact with customer critical records and at what level for both day-to-day interaction and actual emergency situations
- Authorization list must be secured and maintained
- Vendor should supply authorization update forms a minimum of four times a year
- Media should be handled behind closed doors only
- Records transfer between vaults MUST be pre-approved in writing
At Customer Site
- Unique authorization cards and codes indicating each employee's level of access must be utilized
- Authorization cards must be presented prior to any transaction taking place at customer location or a recovery site
- Higher levels of authorization must be used to verify unusual requests or to confirm the release of records to an alternate site during a disaster
- Signatures during media exchanges must be verified in person
Disaster Recovery
Disaster Recovery procedures should reduce the potential risks and exposures of losing critical data and should meet requirements set by industry experts and common sense.
- Vendor must have maximum 2-hour response on local emergency requests
- Vendor must have extensive experience in assisting in actual disasters and test scenarios
- A back-up storage facility meeting industry standards must be available
- Additional vehicles / resources must be readily available in the event of a disaster
- Vendor must have a written DR plan for its own facility
- Vendor must have arrangements to provide offsite storage services from the hot site should the data center have the need to relocate for an emergency situation
- Vendor must be able to provide air transport media containers for flying media anywhere in the United States
Technology
Technology should be used where necessary to enhance the quality of service provided and, if applicable, must be available for sale to the customer.
- Vendor must be able to provide a bar code solution for tape movement
- Vendor must be able to provide electronic file transfer
- Vendor must be able to provide paperless interaction software for customer
Employees
Facilities, vehicles and procedures are useless without quality people who adhere to them without exception. The following employee requirements must be a standard part of the vendor's process.
- Employee selection must include: interview process, reference checks, criminal record check, driving record verification and drug screening (to be performed prior to employment)
- All representatives should be given a monthly performance evaluation to ensure the highest level of service and continue the education process
- All representatives must be bonded
- Employee drug testing must be performed on an unscheduled basis