Re: data storage security standards?

In article <ruv764p3fuusictmfqlispmushmn7rqv11@4ax.com>,
jerry <no_spam@thankyou.com> wrote:
Please do not snip out attribution lines. The following, which
you did not attribute, was written by David Webb:
>>For general laws on data protection you would need to specify what legal
>>jurisdiction you are operating in
>I deal exclusively with Federal Grants and the grants are specific for
>Research Grants. Our call center attains information from people
>working with our investigators and then the information is stored on
>our servers and then the data is analysed.
Jerry, you missed David's first sentence. Telling us that
you work on Federal Grants does *not* tell us which legal
jurisdiction you are in. Your Usenet Article-ID refers to 4ax.com
which is registered by Forte Internet of Carlsbad California USA,
but that doesn't tell us anything about where 4AX.com is
and doesn't establish that you posted from 4AX.com, and doesn't
establish that 4AX.com is even remotely physically close to the
jurisdiction of interest to you. You -might- be referring to
the United States, but "Federal Grants" could refer to Canada
or to any of several other countries.
You mention "personal information". As such, the strictest
applicable laws might be state (or provincial) laws rather than federal
laws.
You mention Research Grants. As research is often international, you
might be collecting information about EU citizens, in which case the
strictest applicable laws might arise from the EU data protection
directives, which are -much- stricter about the collection of personal
information than the US federal laws. I no longer recall for sure
whether the US eventually enacted laws to be in compliance with the EU
databank requirements; back when I used to know this stuff better, it
was widely understood that the US compliance with the EU privacy
directives was a bunch of "lip-service", laws on paper that the US had
little intention of enforcing, laws that the US would have no qualms
about overriding at the slightest hint of "national security reasons" --
and the mood I encountered was that if any sufficiently large US
commercial interest was noticeably inconvenienced by the EU privacy
laws, that the US government would fight to weaken the EU privacy laws
rather than require the large commercial interest to adhere to the laws.
But I don't know how that all evolved over the last few years.
Servers must be behind two locked doors? I dunno about that. I
used to be responsible for the security of some "secret"-level information
in Canada (though "secret" is not the correct technical term
in Canada); "personal information" is a level below that
(less strict) in security. Our equipment did not have to be
behind two locked doors: the closest to that was that the applicable
"best practice" indicated that unless there was a Good Reason Otherwise,
the secure equipment should be behind at least two "control points".
In our case, the first "control point" was the security guards at our
entrance -- which did not involve rigid physical security, but
strangers would be challenged and anyone muscling in would be
noticed by security. We were not required to protect against the
possibility of armed invasion, not at that security level.
Our second "control point" was locked doors with keys (or
access codes) issued only on a "need to know" basis. For example,
my boss did not have the appropriate keys or codes because
he did not have a need to -himself- access the security equipment.
If Something Had Come Up then there was an established procedure
by which he could get access, but he would have had to justify it
to other people, and record keeping of any such accesses would have
been mandatory. (If he had, for some reason, ordered me to
give him access, then my orders, from above his level, were to
refuse.)
This need-to-know access and orders from higher levels were not due to
any great sensitivity of what we were doing: it was the standard
procedure for the maximum security level of anything that any of our
people worked with. -Mostly- what we worked with was technologies in
development, maintained as more or less "trade secret" until a patent
decision had been taken on what was developed. There was little of it
that qualified for even the lowest level of government confidentiality
laws.
The first level of the confidentiality laws applied mostly with respect
to accesses our human resources department made to the personnel
databases, since they had access to salary information and home
addresses and the like. Personnel information is classified,
so the appropriate laws kicked in.
The higher level of the confidentiality laws, few people were
involved with. Officially, in Canadian law, when a company
requests that the terms of a contract with the government be
kept confidential, that confidentiality is treated as being
"information detrimental to Canada" if it should be breached,
requiring noticeably tougher safeguards than (for example)
information about how much each employee earned. Better in
law that someone should break in and manipulate the financial systems
to defraud the government, than that we accidentally reveal the
terms of a contract no matter how weakly the contract confidentiality
request was phrased.
But that's Canadian jurisdiction politics, and for all the
information you have given, you might be in (say) Germany,
with very different laws and practices applicable.
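The access arrangement described above (keys or codes issued only on a need-to-know basis, a manager without a personal need to access being refused, and an exceptional path that requires justification to someone else and is always recorded) is a common pattern in logical access control as well. The following is an added illustration, not code from the original post or from any organisation mentioned in it; the resource name, the identities and the `AccessControl` API are constructed for the example.

```python
"""Need-to-know access with a break-glass path and a mandatory audit record.

Hypothetical example modelling the procedure described in the post:
routine access is granted only to identities issued a key or code for the
resource; everyone else may obtain access only through a justified
exception approved by a key holder other than themselves, and every
attempt, successful or not, is written to the audit log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEntry:
    """One mandatory record of an access decision."""
    when: str
    who: str
    resource: str
    outcome: str            # "granted", "denied" or "break-glass"
    justification: str = ""
    approver: str = ""


class AccessControl:
    def __init__(self, need_to_know):
        # resource -> identities that were issued a key or code for it
        self.need_to_know = {r: set(h) for r, h in need_to_know.items()}
        self.audit_log = []

    def _record(self, who, resource, outcome, justification="", approver=""):
        # Recording is unconditional: denials are as interesting as grants.
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            who=who, resource=resource, outcome=outcome,
            justification=justification, approver=approver))

    def request(self, who: str, resource: str) -> bool:
        """Routine access: only holders of a key/code for the resource."""
        holders = self.need_to_know.get(resource, set())
        granted = who in holders
        self._record(who, resource, "granted" if granted else "denied")
        return granted

    def break_glass(self, who: str, resource: str,
                    justification: str, approver: str) -> bool:
        """Exceptional path: the requester must justify the access to a
        key holder other than themselves; seniority alone does not qualify."""
        holders = self.need_to_know.get(resource, set())
        ok = (bool(justification.strip())
              and approver in holders
              and approver != who)
        self._record(who, resource, "break-glass" if ok else "denied",
                     justification, approver)
        return ok

    def denied_entries(self):
        """Denied attempts, the part of the log a reviewer looks at first."""
        return [e for e in self.audit_log if e.outcome == "denied"]


def demo() -> AccessControl:
    # Constructed sample: one secure room; two technicians hold keys, the
    # manager does not because he has no need to enter it himself.
    ac = AccessControl({"secure-room": {"tech-a", "tech-b"}})
    ac.request("tech-a", "secure-room")                           # granted
    ac.request("manager", "secure-room")                          # denied: no key
    ac.break_glass("manager", "secure-room", "", "tech-a")        # denied: no justification
    ac.break_glass("manager", "secure-room", "audit", "manager")  # denied: self-approval
    ac.break_glass("manager", "secure-room",
                   "External audit requires inspection of the equipment",
                   "tech-a")                                      # break-glass
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The point the post makes, that the manager's rank does not substitute for a need to know, is what the `approver != who` and `approver in holders` checks enforce; the unconditional `_record` call is the "record keeping of any such accesses would have been mandatory" part.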