JasonPGTF
Novice
Posts: 8
Liked: never
Joined: Sep 19, 2018 1:29 am
Full Name: Jason Oon

ISO 27001 and Veeam B&R

Post by JasonPGTF » Apr 23, 2019 2:31 am

Hi, my company is planning to get ISO 27001 certification. In this standard there's a mention of how IT backs up, restores and retains data; I have no problem coming up with the policies for these. However, there's also a mention of data destruction policies. How do I describe this from the Veeam B&R perspective? Since all my backups are to disk storage and not tape, I do not have any physical media I can destroy. For each restore point that is past its retention, will it still be available on the disk after Veeam has purged it? Is there any way to recover it?

HannesK
Veeam Software
Posts: 3425
Liked: 409 times
Joined: Sep 01, 2014 11:46 am
Location: Austria

Re: ISO 27001 and Veeam B&R

Post by HannesK » Apr 23, 2019 5:52 am

Hello,

> For each restore point that is past its retention, will it still be available on the disk after Veeam has purged it?

no - if data is deleted, it's gone

> Is there any way to recover it?

no - if data is deleted, it's gone :-)

Does that help?

Best regards,
Hannes

JasonPGTF
Novice
Posts: 8
Liked: never
Joined: Sep 19, 2018 1:29 am
Full Name: Jason Oon

Re: ISO 27001 and Veeam B&R

Post by JasonPGTF » Apr 23, 2019 6:22 am

Hi Hannes,

Yeah, common sense: after deletion the data will be gone :lol:

But if I put that down in the policy I'm gonna get some questions from the auditors on how I confirm that the data wasn't recoverable, or how Veeam actually performs the deletion.

HannesK
Veeam Software
Posts: 3425
Liked: 409 times
Joined: Sep 01, 2014 11:46 am
Location: Austria

Re: ISO 27001 and Veeam B&R

Post by HannesK » Apr 23, 2019 6:31 am

Hello Jason,
It depends on the operating system / filesystem you are using. You can see the backup files in Windows Explorer or whatever you use. What we do is a "delete file". As long as it is not overwritten, you might be able to recover it on NTFS. For some Linux filesystems, it's harder. Anyway, a repository usually has a lot of IO going on, so chances are high that deleted data is overwritten soon.

Just for curiosity: could you ask your auditor where the deletion question comes from? I discussed ISO 27000 certification questions some years ago with one of the "big four" and they did not mention it.

Best regards,
Hannes

JasonPGTF
Novice
Posts: 8
Liked: never
Joined: Sep 19, 2018 1:29 am
Full Name: Jason Oon

Re: ISO 27001 and Veeam B&R

Post by JasonPGTF » Apr 23, 2019 8:38 am

It's actually in 2 of the annexes for ISO 27001. My auditor hasn't asked yet; our internal audit is somewhere in May. I was planning to mention "Once the backup is past its retention period the backup will be deleted from the storage and the space will be reused for new backups". Then that thought came into my mind: how do I justify/describe how my backup software removes those old backups?

1. Section A.11.1.2 relates to IT equipment and states that, “all items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use”.

2. Section A.8.3.2 relates to disposal of media and states that, “Media shall be disposed of securely when no longer required, using formal procedures”.

HannesK
Veeam Software
Posts: 3425
Liked: 409 times
Joined: Sep 01, 2014 11:46 am
Location: Austria

Re: ISO 27001 and Veeam B&R

Post by HannesK » Apr 23, 2019 8:46 am

Cool, thanks!

Well, you could run a tool that overwrites empty disk space with random data. But I'm not sure whether this is a little bit overkill :-)
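As an added illustration of the free-space overwrite Hannes suggests (this is example code written for this thread, not Veeam's own code or anything Veeam B&R does itself), the script below fills a repository directory's unallocated space with random bytes, forces them to disk, removes the filler, and emits a tamper-evident JSON line that can be kept as evidence for A.11.1.2 / A.8.3.2. The filler file name, the chunk size and the record layout are assumptions of this example; the `max_bytes` cap exists only so the script can be tried on a scratch directory without filling a real volume.

```python
"""Free-space overwrite for a disk backup repository, with an audit record.

Constructed example, not Veeam code. After retention has deleted old backup
files, fill the volume's unallocated space with random bytes so remnants of
those files cannot be carved back, fsync, delete the filler, and return a
signed-by-hash log record an auditor can verify.
"""
import errno
import hashlib
import json
import os
import tempfile
import time

CHUNK = 4 * 1024 * 1024              # 4 MiB per write (assumption; any size works)
FILLER_NAME = ".freespace-wipe.tmp"  # hypothetical name for the filler file


def wipe_free_space(directory, max_bytes=None, chunk=CHUNK):
    """Write random data into a filler file under `directory` until the
    filesystem reports ENOSPC (volume full) or `max_bytes` is reached, fsync
    it, then remove it. Returns the number of bytes actually written."""
    filler = os.path.join(directory, FILLER_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_BINARY", 0)
    fd = os.open(filler, flags, 0o600)
    written = 0
    try:
        while max_bytes is None or written < max_bytes:
            size = chunk if max_bytes is None else min(chunk, max_bytes - written)
            try:
                written += os.write(fd, os.urandom(size))  # may be a short write
            except OSError as exc:
                if exc.errno == errno.ENOSPC:
                    break            # every free block now holds random data
                raise
        os.fsync(fd)                 # push the random blocks to stable storage
    finally:
        os.close(fd)
        os.remove(filler)            # give the space back to the repository
    return written


def _digest(rec):
    """SHA-256 over the record body (everything except its own hash)."""
    body = {k: v for k, v in rec.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def evidence_record(directory, written, started, finished):
    """Build the audit-trail line: what was overwritten, when, and how much,
    with a hash so later edits to the stored line are detectable."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    rec = {
        "action": "free-space-overwrite",
        "path": os.path.abspath(directory),
        "bytes_overwritten": written,
        "started_utc": time.strftime(fmt, time.gmtime(started)),
        "finished_utc": time.strftime(fmt, time.gmtime(finished)),
    }
    rec["sha256"] = _digest(rec)
    return rec


def verify_record(rec):
    """True if the stored hash still matches the record body."""
    return rec.get("sha256") == _digest(rec)


def run(directory, max_bytes=None, chunk=CHUNK):
    """Overwrite free space under `directory` and return the evidence record."""
    started = time.time()
    written = wipe_free_space(directory, max_bytes, chunk)
    return evidence_record(directory, written, started, time.time())


def demo(max_bytes=1 << 20, chunk=256 * 1024):
    """Exercise the procedure on a throwaway directory with a byte cap."""
    with tempfile.TemporaryDirectory() as scratch:
        rec = run(scratch, max_bytes, chunk)
        filler_removed = not os.path.exists(os.path.join(scratch, FILLER_NAME))
    return {"record": rec, "filler_removed": filler_removed,
            "verified": verify_record(rec)}


if __name__ == "__main__":
    import sys
    # Without a cap this keeps writing until the volume is full, then frees it.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(run(target), indent=2))
```

Two caveats go with this approach. First, it only reaches blocks the filesystem considers free on that volume: copies held by storage snapshots, a deduplicating appliance, or an SSD's flash translation layer are untouched, which is why cryptographic erasure or full-disk encryption of the repository is the more common answer to these controls. Second, on an NTFS repository the built-in `cipher.exe /w:<directory>` does the same free-space overwrite without any scripting; the value of the script above is mainly the evidence record.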
