Compliance scorecard

You may have your own server room within your company's walls, or you may outsource an off-site data center or commit your data to the cloud. Regardless of how and where you choose to keep it, your data is still your responsibility in the eyes of your constituents and customers, and, in many cases, in the eyes of the U.S. government.

While the phrase "data center" does not appear in many federal regulations, it is hiding between the lines in several high-profile rules. Business continuity is one domain in which such hidden requirements abound.

For instance, when Sarbanes-Oxley section 404 talks about the adequacy of internal controls, and when Gramm-Leach-Bliley says financial institutions must "protect against any anticipated threats or hazards to the security or integrity of (customer) records," data center security and business continuity are lying right there under the surface. In laws like HIPAA, which requires an offsite data back-up plan, disaster recovery emergency plan, and emergency mode operations plans, the connection is more obvious.

When business continuity and disaster recovery are required, the data center must be considered. After all, information is king in business; if records are compromised or lost, or if system failures jeopardize your ability to serve your customers, the resulting brand and operational damage can be lasting.

Having an off-site data center could be a boon in a time of disaster, because damage to your primary facility will not affect the off-site part of the infrastructure. But when you outsource data center operation and management, you must maintain the same vigilance as you would with your own internal server room by building security requirements into your contracts. (This can be more complicated if you engage in cloud computing, where some say the lack of maturity of the product leads to contractual terms and language that are less effective than those for outsourced data center services.)

Here are some continuity issues to consider, whether you outsource, maintain your data center in-house, or use the cloud.

- Have a formal business continuity plan that is regularly revisited, tested and revised as necessary. This is a requirement of standards including NIST and ISO 1799.

- Make sure formal and appropriate policies exist for the handling of emergencies and security events.

- Have data backup off-site so that a disaster in one location will not result in total information loss.

- Ensure redundancy of systems and power.

- Have a reporting process in place to ensure that the appropriate individuals are informed of security and continuity status and concerns.

Marleah Blades is senior editor for the Security Executive Council. For more information about the Council, visit