Perhaps as a result of the Californian law requiring disclosure of security breaches involving personal data on Californian residents, several incidents involving the loss of backup tapes in transit between the primary and backup sites have come to light since 2004. Given the sensitivity and volume of data on the tapes, and the fact that they are being handed to (albeit trusted) third parties for transportation, it is perplexing to discover how few organizations apply encryption ['encoding' and 'proprietary formats' don't count - these are just weasel words], even in financial services. The latest example of this kind of incident involves Iron Mountain Inc., a backup specialist that hit the news over a similar incident a few months before. Why is it that this possibility has escaped otherwise quite comprehensive risk analyses? Presumably the loss of tapes in transit is not explicitly covered by SAS70 or the auditing standards and has simply slipped under management’s radar, until now.