LMartel14Feb12FINAL

DriveSavers and the
Shared Assessments Program
Helping Set New Standards
for the Data Recovery Industry
Presented by:
Lynda C. Martel, Director, Privacy Compliance Comm
DriveSavers Data Recovery, Inc.
SA Partner Case Study:
DriveSavers Data Recovery
• Why DriveSavers Joined the Shared Assessments Program
• The Value of the SIG Tool
• The Value of the Partnership
SA Partner Case Study:
DriveSavers Data Recovery
• Why DriveSavers Joined the Shared Assessments Program
• Symbiotic Missions – Create Industry Standards and Guidelines
The Data Recovery Industry:
AKA “The Wild, Wild West”
DriveSavers — Recovering
Critical Data Since 1985
No Recovery Standards
No Security Guidelines
Critical Data At Risk
Lost Files Most Often
Sent Out For Data Recovery
Intellectual Property
83%
Customer Records
61%
Financial/Accounting Data
59%
Photos, Videos
42%
Employee Records
39%
Employee e-mails
30%
Resource: 2012 - Ponemon Institute Study “Trends in Security of Data Recovery Operations”
IT Support Choosing
Data Recovery Vendors
IT Security Not Involved In
Selection/Vetting Process
Data Breaches At Recovery
Companies Are Increasing
Lack of Risk Assessments
Part of the Problem
Resource: 2012 - Ponemon Institute Study “Trends in Security of Data Recovery Operations”
SA Partner Case Study:
DriveSavers Data Recovery
• The Value of the SIG Tool
• Specific Vetting Language
NIST SP 800-34 (Rev.1)
“Organizations may use third-party
vendors to recover data … should
consider the security risk … and
ensure that proper security vetting
of the service provider be
conducted before turning over
equipment.”
Source:
Contingency Planning Guide for Federal Information
Systems, Section 5.1.3: Protection of Resources
SIG Tool (V6)
Updated October 2010
“Do third party vendors have access to Scoped Systems
and Data? (backup vendors, service providers,
equipment support maintenance, software maintenance
vendors, data recovery vendors, etc)? If so, is there:
• Security review prior to engaging their services (logical, physical, other
corporate controls)
• Security review at least annually, on an ongoing basis
• Risk assessments or review
• Confidentiality and/or Non Disclosure Agreement requirements
• Requirement to notify of changes that might affect services rendered”
Source:
SIG V6 - Question G4
SA Partner Case Study:
DriveSavers Data Recovery
• The Value of the Partnership
• Education and Awareness Opportunities
• Networking Benefits
• Influencing the Influencers
Opportunities To Educate
Shared Assessments Members
Opportunities to Support
Important New Initiatives
Opportunities to Exhibit
Our Capabilities
SA Partner Case Study:
DriveSavers Data Recovery
• Shared Missions
• SIG Tool Streamlines Our Vetting Requests
• SIG Tool Reminds Companies to Vet Data Recovery Vendors
• SA Membership Generated Valued Business Relationships
• Opportunities to Support Important New Initiatives
• Opportunities to Exhibit our Capabilities and Share our Message
Not All Data Recovery
Companies are Created Equal
SA Partner Case Study:
DriveSavers Data Recovery
THANK YOU!