Internal Auditor’s Checklist: Eight Points to Validate Data Backup Security

Data backup and storage security

Imagine this scenario: Your organization is hit with a sophisticated ransomware attack. The team reluctantly agrees to pay the ransom (in bitcoin, of course) and your data-recovery efforts spring into action to get the organization back up and running. But to everyone’s horror, much of the data is missing and back-up systems appear to be compromised, making them unreliable.

It’s not a far-fetched depiction. In fact, according to a recent survey by cybersecurity firm Sophos, just 8 percent of organizations manage to get back all of their data, even after paying a ransom. Furthermore, the average cost of recovery from a ransomware attack has more than doubled in a year, according to the same survey.

A ransomware attack can be crippling to an organization, even those with the most robust cybersecurity systems. But those without properly functioning storage and data backup systems are in for an even bumpier ride. With the increased number and sophistication of ransomware strikes, it’s not a matter of if your organization will face an attack, but when. And when it does happen, your ability to recover clean and up-to-date backup files is your last line of defense.

The vast majority of critical data is stored in storage systems. In fact, one storage system is equivalent to about a thousand servers. Cybercriminals can circumvent many existing protection layers to do great harm, including stealing data, tampering with sensitive records, and destroying your data and its backups.

According to NIST Special Publication 800-209, Security Guidelines for Storage Infrastructure, organizations are required to: “Periodically and proactively assess configuration compliance to storage security policy… This includes making sure the actual configuration meets the storage & backup security baselines and identify gaps.”

To complicate matters, compliance with IT best practices is a moving target. In November 2022, ISO published ISO/IEC 27001, the world’s best-known standard for information security management systems, which includes the following requirement: “Control backup copies of information. Software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.”

In June 2023, ISO will be publishing ISO/IEC 27040, a new standard dedicated to storage and backup security. This includes the following critical requirements: “Actively manage the security posture of the storage technology and protection mechanisms… Perform regular security threat assessments to evaluate security readiness… All operating systems, hypervisors and applications should be hardened relative to the use of the storage system.”

It’s not surprising internal auditors and IT auditors are now paying closer attention to the security of enterprise storage and backup systems, and failure to show effective risk controls may lead to severe penalties.

An Eight-Point Data Backup Checklist

A ransomware attack is a horrible time to discover that your backups are not secure. So to help, here’s an eight-point checklist to determine whether your organization’s storage and backups are sufficiently secured and your organization’s data are fully protected.

1  Do your security incident-response plans include cyberattacks on your storage and backups? If so, what’s included?

  • Recovery from a complete wipe of a storage array
  • Recovery from a complete corruption of the SAN fabric configuration
  • Recovery from ransomware

2  Is there a complete inventory of your storage and backup devices, that includes the current security status for each one?

  • All backups, archive environments, storage arrays (block, file, object), and SAN switches
  • Storage software versions (storage OS, firmware deployed), and, in particular: patching status, known CVEs, and actual resolution status
  • What is backed up? Where? How?
  • Which storage & backup protocols are allowed? Are all obsolete and insecure protocols disabled?

3  Is there comprehensive and secure event logging and auditing of your storage and backups?

  • Including: central log services, redundant and tamper-proof records, and redundant and reliable time service

4  Are you able to audit the configuration changes?

  • For example, what changed and when – in device configuration, storage mapping, and access control?

5  Is there a well-documented, and enforced separation of duties for your storage and backups?

  • For example, separate admins for storage, backup, and disaster recovery in each environment

6  Are all storage and backup administrative-access mechanisms documented?

  • For example, which APIs are open, how many central storage management systems can control each storage device, and are there any servers or OS instances that can control storage?

7  Are existing mechanisms for ransomware protection, air-gapping, and copy-locking used?

  • Is there an audit process to verify they are correctly deployed at all times?

8  Is the security of your storage and backups regularly audited?

  • Does this audit process include: SAN communication devices, storage arrays (block, file, object), server-based SAN, and backup?
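Checklist items 2 and 7 both come down to comparing what is actually deployed against a written baseline and listing the gaps, which is also what the NIST 800-209 quote above asks for. The script below is an added example, not code from the article or from Continuity; the device names, firmware versions, protocol policy and CVE placeholders are constructed sample data, and the field names of the inventory records are assumptions made for this illustration. It walks an inventory of arrays, SAN switches and backup systems, flags firmware below baseline, obsolete protocols still enabled, unresolved CVEs, and backup systems whose copy-locking or air-gapping is missing or has not been verified recently.

```python
"""Baseline gap check for a storage and backup inventory.

Added example for checklist items 2 and 7; not part of the original article
or any vendor tool. All inventory data, baseline values and device names are
constructed, and the record fields are assumptions for this illustration.
"""
from dataclasses import dataclass, field

# Protocols the constructed baseline treats as obsolete or insecure on
# storage/backup devices. The protocol names are real; the policy is assumed.
OBSOLETE_PROTOCOLS = {"smb1", "nfsv2", "telnet", "ftp", "ssl3", "tls1.0"}


@dataclass
class Device:
    name: str
    kind: str                                   # "array", "san_switch", "backup"
    firmware: tuple                             # version as a tuple, e.g. (9, 1, 3)
    protocols: set                              # protocols currently enabled
    cves: dict = field(default_factory=dict)    # CVE id -> "resolved" | "open"
    copy_lock: bool = False                     # immutable / locked backup copies
    air_gapped: bool = False                    # offline or isolated copy exists
    last_audited_days: int = 999                # days since protections were verified


@dataclass
class Baseline:
    min_firmware: dict                          # kind -> minimum version tuple
    max_audit_age_days: int = 30                # how often item 7 must be re-verified


def fmt(version):
    return ".".join(str(part) for part in version)


def check_device(dev, baseline):
    """Return the list of baseline gaps for one device (empty means compliant)."""
    gaps = []
    min_fw = baseline.min_firmware.get(dev.kind)
    if min_fw and dev.firmware < min_fw:
        gaps.append(f"firmware {fmt(dev.firmware)} below baseline {fmt(min_fw)}")
    bad = sorted(p for p in dev.protocols if p.lower() in OBSOLETE_PROTOCOLS)
    if bad:
        gaps.append("insecure protocols enabled: " + ", ".join(bad))
    open_cves = sorted(c for c, status in dev.cves.items() if status != "resolved")
    if open_cves:
        gaps.append("unresolved CVEs: " + ", ".join(open_cves))
    if dev.kind == "backup":
        # Item 7: ransomware protections must exist and be verified regularly.
        if not dev.copy_lock:
            gaps.append("copy-locking not enabled")
        if not dev.air_gapped:
            gaps.append("no air-gapped copy")
        if dev.last_audited_days > baseline.max_audit_age_days:
            gaps.append(f"ransomware protections not verified for {dev.last_audited_days} days")
    return gaps


def assess(inventory, baseline):
    """Map each device name to its gap list, the 'current security status' of item 2."""
    return {dev.name: check_device(dev, baseline) for dev in inventory}


def compliant_devices(report):
    return sorted(name for name, gaps in report.items() if not gaps)


# Constructed sample baseline and inventory (not real systems).
SAMPLE_BASELINE = Baseline(
    min_firmware={"array": (9, 1, 0), "san_switch": (8, 2, 0), "backup": (12, 0, 0)},
    max_audit_age_days=30,
)
SAMPLE_INVENTORY = [
    Device("array-01", "array", (9, 1, 3), {"nfsv4", "iscsi"}),
    Device("san-sw-02", "san_switch", (8, 1, 9), {"ssh", "telnet"},
           cves={"CVE-PLACEHOLDER-1": "resolved"}),      # placeholder id, not a real CVE
    Device("bkp-03", "backup", (12, 0, 1), {"https"},
           cves={"CVE-PLACEHOLDER-2": "open"},           # placeholder id, not a real CVE
           copy_lock=False, air_gapped=True, last_audited_days=45),
]


if __name__ == "__main__":
    for name, gaps in assess(SAMPLE_INVENTORY, SAMPLE_BASELINE).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

Running the script prints one line per device; the gap strings are what an auditor would carry into the inventory as the "current security status", and an empty list is the only acceptable state for a device in scope.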

Take the two-minute Ransomware Resiliency Assessment for Storage and Backups, and get your own maturity score and practical recommendations – to help protect your data, and ensure recoverability.


Doron Pinhas is Chief Technology Officer at cybersecurity firm Continuity. He has over 20 years of experience in data and storage management and is the co-author of the recently published NIST special publication: “Security Guidelines for Storage Infrastructure.”
