SNIA’s Security Technical Work Group (TWG), working through the U.S. National Body, served as a key storage industry contributor during the standard’s development. The TWG’s subject matter experts submitted and published works to help ISO/IEC JTC 1/SC 27 deliver a usable standard. The Security TWG has now shifted its focus to complementary materials that will further enhance adoption of the new standard.
SNIA’s Security Technical Work Group has developed an Index for the ISO/IEC 27040:2015 standard. It is fully aligned with the published standard and can be used to quickly locate terms and concepts throughout the standard.
While often overlooked, storage security is relevant to anyone involved in owning, operating or using data storage devices, media or networks. Published in January 2015, the ISO/IEC 27040:2015 Information technology - Security techniques - Storage security standard provides detailed technical guidance on how organizations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation and implementation of storage security.
“As data breaches persist, organizations are scrambling to find additional ways to protect their systems and data,” said Eric Hibbard, Chair of the SNIA TWG and ISO Editor for ISO/IEC 27040:2015. “Storage security is often overlooked and may be pressed into service as a last line of defense. ISO/IEC 27040:2015 provides the details that can help accomplish this.”
Considered a “guidance” standard, ISO/IEC 27040:2015 is expected to increase the visibility of storage security, drawing the attention of the security and audit communities and expanding the expectations placed on storage professionals. The standard was designed to be easily implemented and includes materials that can assist a phased approach to implementing storage security controls.
SNIA’s Involvement in Security Standards
In addition to ISO/IEC, SNIA collaborates with a number of other external security industry organizations, such as the American National Standards Institute (ANSI), International Committee for Information Technology Standards (INCITS), American Bar Association (ABA), Cloud Security Alliance (CSA), Distributed Management Task Force (DMTF), Internet Engineering Task Force (IETF), Organization for the Advancement of Structured Information Standards (OASIS) and Information Systems Audit and Control Association (ISACA), to develop a core body of knowledge for storage professionals to leverage.