DATA-08

Is media used for long-term retention of business data and archival purposes stored in a secure, environmentally protected area?

Explanation

This question is asking about how your organization handles the physical storage of media containing long-term or archival business data.

'Media' here refers to physical storage devices like backup tapes, external hard drives, optical discs (CDs/DVDs), or other physical storage formats used for data that must be retained for extended periods.

'Secure, environmentally protected area' means a location that has:

1. Physical security controls (locks, access controls, surveillance)
2. Environmental protections (temperature and humidity control, fire suppression, protection from water damage)

This question is being asked because:

- Long-term archival data often contains sensitive historical information that requires protection throughout its retention period
- Physical media is vulnerable to both security threats (theft, unauthorized access) and environmental hazards (fire, water, temperature extremes)
- Regulatory requirements often mandate specific storage conditions for certain types of data
- Media degradation due to poor environmental conditions can lead to data loss

When answering this question, you should:

- Describe your physical storage locations for archival media
- Explain the security controls that protect these locations
- Detail the environmental protections in place
- Mention any compliance standards you follow for media storage
- Include information about access controls and logging for these storage areas

Example Responses

Example Response 1

Yes. Our organization maintains a dedicated media vault for long-term data retention and archival purposes. The vault is located in a secure area of our primary data center with the following controls: 24/7 security personnel, badge access with multi-factor authentication, CCTV monitoring, and access logs. Environmental protections include temperature control (maintained at 65-70°F), humidity control (maintained at 35-45% relative humidity), fire suppression (FM-200 clean agent), water detection sensors, and raised flooring. The vault is inspected monthly to ensure all environmental controls are functioning properly. Access to the vault requires dual authorization, and all access is logged. We follow the NIST SP 800-53 Media Protection (MP) control family for media storage, and our practices comply with our data retention policy, which aligns with the regulatory requirements for our industry.

Example Response 2

Yes. Our archival media is stored with a specialized third-party vendor (Iron Mountain) that provides secure, environmentally controlled facilities designed specifically for long-term media storage. Their facilities feature 24/7 armed security, biometric access controls, comprehensive fire suppression systems, climate control maintaining optimal temperature and humidity levels, and seismic reinforcement. Our contract with Iron Mountain includes SLAs for environmental conditions and security measures, and we conduct annual audits of their facilities to verify compliance with our requirements. All media is encrypted before being sent to the facility, and a documented chain-of-custody process is followed for any media retrieval. This arrangement has been reviewed and approved by our compliance team as meeting the regulatory requirements for data retention.

Example Response 3

No. Currently, our archival media is stored in a standard office storage room that has basic door locks but lacks dedicated environmental controls. While the room is locked and only IT staff have keys, there is no access logging in place. The room shares the building's general HVAC system but has no specific temperature or humidity monitoring for media storage conditions. We recognize this as a gap in our security posture and plan to implement a proper media storage solution in the next fiscal year. In the interim, we are mitigating the risk by storing our most critical archival data in encrypted cloud storage and limiting physical media to less sensitive information. We have documented this as a known risk in our security program and included it in our remediation roadmap with a target completion date of Q3 next year.

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub