Why store sensitive data if you don't have to?

Before a recent test drive at a car dealership, I was asked for my driver's license. Certainly a reasonable request, but the security spirit inside me had to ask what they do with the information after I leave. I found out they make a photocopy of the license but actually shred it after people leave the premises. Pretty responsible of them I thought. It doesn't mean an insider couldn't be skimming his own photocopies or that someone couldn't forensically retrieve the images off the copier's hard drive. I knew I had to snap back to reality. The practical businessman inside me figured that most people are decent, and odds are everything will turn out fine.

But what would the average business do when this same type of sensitive information is obtained electronically? Be it financial information gleaned during credit card applications, dates of birth used for marketing-related contests, or driver's license numbers used for background checks – sensitive personal information is being taken in and stored in a database somewhere on the network. Sure sensitive information is needed in a lot of business scenarios, but I know it's not every time. It's especially not needed indefinitely, like what happens a lot of the time. Even if

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Implementing security audit in SQL Server 2008 New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Secure SQL Server from SQL injection attacks SQL Server Management A first look at Microsoft SQL Server 2008 R2 Maintaining high availability of SQL Server virtual machines Creating fault-tolerant SQL Server installations Using Microsoft Hyper-V for SQL Server consolidation Scaling up vs. scaling out with SQL Server 2008 Migrating to SQL Server 2008 and leveraging new features Testing a SQL Server environment before an upgrade Does upgrading to SQL Server 2008 fit your business? Meeting business needs with SQL Server full-text search Using dynamic management views to improve SQL Server index effectiveness

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

it's stored temporarily, there are backup tapes, virtual server images, and so on around the network that have potential for keeping this "temporary" sensitive information around indefinitely.

We have this mindset that information is gold and it must be captured and stored electronically. It's marketing at its finest. Get everything we can on everyone we come across. It may benefit the business some day after all, right? But at what cost?

Take a look at your organization's data retention process. Most businesses I see store everything indefinitely. It's easy and everybody's doing it. That still doesn't make it right. Just ask managers, IT staff, and lawyers working for organizations that have made it to the Privacy Rights Clearinghouse list due to a lost tape or hacked database server. Improvements can always be made and things can undoubtedly be handled differently.

Using simple risk analysis, it's obvious the more sensitive information a business captures and the longer it holds onto it, the greater the risk. It's time for most business managers to step back and look at the bigger picture. Does the business really need to capture the information it's capturing? Perhaps a more pointed question is: does the business need to keep that information forever?

Look at your business requirements and processes to see if they can be adjusted so sensitive information is avoided altogether or at least kept for a shorter and more definitive period of time. Try to get the right people involved and working together to find solutions to this growing problem. It'll reduce business risks, minimize database bloat and may even give your servers that extra little oomph you've been looking for.

[TABLE]