Safeguarding sensitive data helps ensure that
you meet your obligation to your customers,
affiliates, and employees. Here are five simple
steps you can take to help ensure protection of
Information Security Tip #1: Inventory
Understanding your information assets and access
to information is essential to assessing
security vulnerabilities. Whether you are an
industry giant or a lean-and-mean one-person
shop, here are some tips on conducting your own
Inventory all servers, computers,
flash drives, disks, and other equipment to find
out where your company stores sensitive data.
Also include laptops, employees’ home offices,
cell phones, and e-mail. No security audit is
complete until you check everywhere sensitive
data might be stored.
- Interview. Track personal information
through your business by talking with your
technology staff, human resources office,
accounting personnel, and outside service
providers. Get a complete picture of who
sends your company sensitive data. Do you
get it from customers? Call centers? Credit
card companies? Banks or other financial
institutions? What about affiliates and
- Forms. How does sensitive data come in
to your company? Via your website? E-mail?
Through the mailroom? What kind of
information is collected at each entry
point? Customers’ credit card, debit, or
checking account numbers? Do you receive
sensitive health or financial data?
- Access. Who has, or could have, access
to the information? Which of your employees
has permission to look at or view sensitive
data? Could anyone else get a hold of it?
What about vendors who supply and update
software you use to process credit card
transactions? Do you have contractors that
run your call center, distribution, or
- Storage. Different types of data present
varying risks. Pay particular attention to
how you store personally identifying
information such as Social Security numbers,
credit card numbers, checking account, or
other financial information. Determine if
the data you store can facilitate fraud or
identity theft if it fell into the wrong
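Interviews and form reviews tell you where sensitive data is supposed to be; a scan of the file shares tells you where it actually is. The following is an added example, not code from the original page or from Altius IT. The patterns are assumptions: Social Security numbers in 123-45-6789 form, and 13 to 19 digit card numbers (spaces or dashes allowed) that pass the Luhn check, which removes most of the false positives a bare digit regex produces. The demo scans a temporary directory of constructed files so it runs stand-alone.

```python
"""Scan a directory tree for files that hold card numbers or Social Security
numbers, to find where sensitive data is actually stored.

Added example, not code from the original page or from Altius IT. The
patterns are assumptions: SSNs in 123-45-6789 form and 13-19 digit card
numbers (spaces or dashes allowed) that pass the Luhn check. The demo scans
a temporary directory of constructed files so it runs stand-alone.
"""
import os
import re
import tempfile

# Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers: double every second digit
    from the right, subtract 9 from doubled values over 9, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return {'ssn': count, 'card': count} for one blob of text."""
    ssn = len(SSN_RE.findall(text))
    card = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            card += 1
    return {"ssn": ssn, "card": card}


def scan_tree(root, max_bytes=5_000_000):
    """Walk `root` and return {path: counts} for every file with at least one
    hit. Files are read as latin-1 so binary content cannot raise a decode
    error; files over `max_bytes` and unreadable files are skipped."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="latin-1") as fh:
                    counts = find_sensitive(fh.read())
            except OSError:
                continue
            if counts["ssn"] or counts["card"]:
                hits[path] = counts
    return hits


def scan_demo():
    """Build three constructed files and return hits keyed by file name."""
    root = tempfile.mkdtemp()
    samples = {
        "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,4111-1111-1111-1112\n",  # 2nd fails Luhn
        "hr.txt": "Employee 123-45-6789 started 2023-01-09\n",
        "readme.txt": "Ticket 1234567890123 is not a card number\n",  # 13 digits, fails Luhn
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return {os.path.basename(p): c for p, c in scan_tree(root).items()}


if __name__ == "__main__":
    for name, counts in sorted(scan_demo().items()):
        print(name, counts)
```

Point `scan_tree` at a file share or a mounted laptop image and treat every hit as a question for the interviews above: who put the data there, why, and whether it needs to exist at all. The Luhn filter is why `readme.txt` and the second row of `orders.csv` do not appear in the output.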
Information Security Tip #2: Less is More
Protect your customers and employees by securing
sensitive data in your possession. Keep only
what you need for business use.
If you don’t have a valid business
reason to collect personal information, don’t
collect it. Once you gather information it must be
stored, archived, protected, and eventually
disposed of. By not collecting the information,
you save your organization a lot of unnecessary
work and risk. Review the forms you use to gather
data (applications, web site forms, etc.) and
revise them to eliminate requests for information
you don’t need.
- Archive. Unless you have a legitimate
business justification, don’t store and
retain sensitive information. Keeping
sensitive data longer than necessary creates
an unwarranted risk for fraud.
- Defaults. Sometimes the software you use
is preset to store information permanently.
Check your settings to make sure you’re not
inadvertently keeping more than you need.
- Compliance. Ensure your organization
meets required compliance privacy and
- Retention. If you must keep information
for business reasons or to comply with the
law, develop a written records retention
policy to identify what must be kept, how to
secure it, how long to keep it, who’s
authorized to access it, and how to dispose
of it securely when you no longer need it.
Information Security Tip #3: Procedures
Policies and procedures help you meet your
obligation to your customers, affiliates, and
employees. Protect your electronic information
with these simple steps:
- Physical security. Network defenses can
be critical, but when it comes to protecting
personal information, don’t forget physical
security. Ensure access to network servers
is restricted to authorized personnel.
- Encryption. Use encryption to protect
sensitive data such as credit card numbers,
social security numbers, driver’s license
- Viruses. Viruses, spyware, and other
malware can compromise your systems and your
data. Ensure your anti-virus and
anti-spyware software is updated on a
- Passwords. Most organizations grant access
to data with a user ID and password. Ensure
passwords are long, unique to each account,
and changed promptly whenever compromise is
suspected, and require a second factor for
access to sensitive data wherever it is
available.
- Education. Remind your employees that
electronic security is everybody’s business.
Hackers certainly pose a threat, but
sometimes the biggest risk to a company’s
security is an employee who hasn’t learned
- Access. Provide access to sensitive
information only on a “need to know” basis.
Have a procedure in place for making sure
that workers who leave your employ or move
to another part of the business no longer
have access to off-limits information.
- Detection. Intrusion detection systems
can alert you to breaches in your network
security. IT should monitor incoming and
outgoing traffic for higher-than-average use
at unusual times of the day.
- Patching. Check expert resources like
www.sans.org and your software vendors’
websites for alerts about the latest
vulnerabilities and vendor-approved patches.
- Providers. Ensure security practices of
your contractors and service providers.
Before outsourcing business functions,
ensure agreements define security
- Documentation. Organization policies
give direction and guidance but generally
lack sufficient detail to describe how
things should be done. By documenting your
detailed procedures, your organization can
ensure consistent and sustainable
protection of your information assets.
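The Detection step above asks IT to watch for higher-than-average traffic at unusual times of day. Here is that check written out as an added example, not code from the original page or from Altius IT. It assumes flow-summary records in a constructed format (ISO timestamp, host, direction, bytes) and a business-hours window of 08:00 to 18:59; both are assumptions to adapt to your own proxy, firewall or NetFlow logs. Each host's business-hours transfers form its baseline, and an off-hours transfer far above that baseline is reported.

```python
"""Flag hosts whose outbound traffic is unusually high outside business hours.

Added example, not code from the original page or from Altius IT. The log
format (timestamp, host, direction, bytes) and the sample lines are
constructed for illustration; adapt parse_log() to your own flow logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of flow-summary records: "<ISO timestamp> <host> <direction> <bytes>"
SAMPLE_LOG = """\
2024-03-04T09:15:00 fileserver01 out 120000
2024-03-04T10:15:00 fileserver01 out 135000
2024-03-04T11:15:00 fileserver01 out 128000
2024-03-04T14:15:00 fileserver01 out 140000
2024-03-04T16:15:00 fileserver01 out 131000
2024-03-05T09:15:00 fileserver01 out 125000
2024-03-05T15:15:00 fileserver01 out 138000
2024-03-06T02:30:00 fileserver01 out 4800000
2024-03-04T09:00:00 workstation07 out 20000
2024-03-04T17:00:00 workstation07 out 22000
2024-03-05T12:00:00 workstation07 out 19000
2024-03-06T02:45:00 workstation07 out 21000
"""

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time; an assumption for this example


def parse_log(text):
    """Yield (timestamp, host, direction, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_anomalies(text, direction="out", sigma=3.0, min_samples=3):
    """Return [(host, timestamp, bytes, baseline_mean)] for records that fall
    outside business hours and exceed the host's business-hours baseline by
    more than `sigma` standard deviations. Hosts with fewer than `min_samples`
    baseline records are skipped so a single reading cannot define a baseline."""
    baseline = defaultdict(list)
    off_hours = defaultdict(list)
    for ts, host, d, nbytes in parse_log(text):
        if d != direction:
            continue
        bucket = baseline if ts.hour in BUSINESS_HOURS else off_hours
        bucket[host].append((ts, nbytes))
    hits = []
    for host, samples in off_hours.items():
        base = [b for _, b in baseline.get(host, [])]
        if len(base) < min_samples:
            continue
        mu, sd = mean(base), pstdev(base)
        # Floor the deviation at 5% of the mean so a flat baseline does not trip on noise.
        threshold = mu + sigma * max(sd, 0.05 * mu)
        for ts, nbytes in samples:
            if nbytes > threshold:
                hits.append((host, ts, nbytes, mu))
    return hits


if __name__ == "__main__":
    for host, ts, nbytes, mu in find_anomalies(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {host}: {nbytes} bytes outbound vs. baseline {mu:.0f}")
```

On the sample data only `fileserver01` is reported: its 02:30 transfer of 4.8 MB is roughly 37 times its daytime average, while `workstation07`'s 02:45 transfer of 21 kB sits inside its normal range and stays quiet. A real deployment would compute the baseline over weeks rather than days and keep the per-host baseline in a store rather than recomputing it from the raw log each run.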
Information Security Tip #4: Disposal
Ensure your organization takes the following
precautions when disposing of workstations,
laptops, USB flash drives, and other devices
that may contain sensitive information:
- Delete. Deleting a computer file doesn’t
mean that the information has been
permanently removed from your system. The
data may continue to exist on the computer’s
hard drive and could be easily retrieved.
Ensure your employees request assistance
from your IT department when permanently
- Disposal. When getting rid of old
computers, laptops, hard drives, portable
storage devices, cell phones, etc., use wipe
utility programs or physically destroy the
media. Wipe utility programs are inexpensive
and overwrite the contents so that the files
are no longer recoverable. Overwriting is only
reliable on conventional magnetic disks; on
solid-state drives and flash media the old
data may survive in blocks the utility cannot
reach, so use the drive’s built-in secure
erase, destroy the encryption key of an
encrypted drive, or destroy the device.
- Remote. Whether working from home or on
the road, ensure telecommuters and business
travelers maintain your company’s high
security standards. Remind employees and
contractors to be as careful when disposing
of sensitive documents off-site as they are
when creating them.
- Compliance. If you use consumer credit
reports in your business, you may be subject
to the FTC’s Disposal Rule. The Rule
requires companies to adopt reasonable and
appropriate disposal practices to prevent
the unauthorized access to, or use of,
information in credit reports.
- Papers. Effectively dispose of paper
records containing sensitive data. Having
shredders available throughout the workplace
helps ensure employees understand the need
to properly dispose of sensitive
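What a wipe utility actually does to a file is shown in the following added example, which is not code from the original page or from Altius IT. It overwrites every byte of a file with random data, flushes the write to the device, and only then unlinks the file, which is why the data cannot be pulled back from the freed blocks the way it can after a plain delete. It creates its own temporary file so it runs stand-alone, and it assumes an ordinary local filesystem on a magnetic disk; the same caveat as in the Disposal step applies to SSDs, USB flash drives and journaling or copy-on-write filesystems.

```python
"""Overwrite a file in place before unlinking it, as a wipe utility does.

Added example, not code from the original page or from Altius IT. It
creates its own temporary file, so it runs stand-alone. Assumed environment:
a local filesystem on a magnetic disk. On SSDs, USB flash drives, and
journaling or copy-on-write filesystems the old blocks may survive an
overwrite, so there use the drive's built-in secure erase, full-disk
encryption with key destruction, or physical destruction instead.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so large files need not fit in memory


def overwrite_file(path, passes=2, unlink=True):
    """Overwrite every byte of `path` with random data `passes` times, fsync
    each pass, and (by default) unlink the file. Opening with "r+b" rewrites
    the file's existing blocks rather than allocating a new file elsewhere on
    the disk. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                buf = secrets.token_bytes(min(CHUNK, remaining))
                remaining -= len(buf)
                while buf:  # unbuffered writes may be partial; loop until done
                    written = fh.write(buf)
                    buf = buf[written:]
            os.fsync(fh.fileno())  # force the overwrite out of the page cache onto the device
    if unlink:
        os.remove(path)
    return size


def wipe_demo(secret=b"SSN 123-45-6789, card 4111 1111 1111 1111\n"):
    """Write constructed sensitive bytes to a temp file, overwrite them,
    confirm the plaintext is gone from the file, then unlink it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    overwrite_file(path, unlink=False)
    with open(path, "rb") as fh:
        still_readable = fh.read() == secret  # False once the overwrite has happened
    wiped = overwrite_file(path)  # second call overwrites again and unlinks
    return {"bytes": wiped, "still_readable": still_readable, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(wipe_demo())
```

On Linux the GNU coreutils command `shred -u FILE` does the same job and its own manual carries the same warning about journaling filesystems and flash media; for a whole drive, the vendor's secure-erase command or physical destruction is the only dependable option.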
Information Security Tip #5: Incident
Taking steps to protect personal information in
your files and on your network can go a long way
toward preventing a security breach.
Nevertheless, breaches can happen. That’s why
Altius IT recommends that organizations have a
plan in place to respond to security incidents.
Altius IT's tips on customizing your company’s
security response plan include:
- Team. Senior management sets the tone
for an organization’s commitment to data
security. Designate a well-respected senior
official to head up your response team.
- Plan. Once you’ve put together your
response team, have them draft plans for how
your business will respond to different
types of security incidents. Sample
scenarios may include a lost laptop, a
hacked server, internal theft of data, etc.
- Timely. If your staff suspects a breach,
investigate it immediately. Waiting days to
convene a committee can waste precious time.
- Disconnect. If you suspect a computer
breach, immediately sever the compromised
computer’s access to the Internet and to
your network. Disconnect it rather than
powering it off: shutting down destroys
volatile evidence such as running processes
and memory contents. To assess the impact,
ask your IT staff to preserve any available
network logs, file transfer logs, system
logs, and access reports. Also investigate
whether intruders opened files or placed new
programs on the computer.
- Contact. Consider whom to inform in the
event of an incident, both inside and
outside your company. You may need to notify
consumers, law enforcement agencies,
customers, credit bureaus, and other
businesses that may be affected by the
breach. In addition, about 40 states have
laws addressing data breaches. Have that
information on file before you need it.
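The Disconnect step asks IT to preserve logs, and the value of those logs later (to regulators, law enforcement or a court) depends on being able to show they were not altered after collection. The following is an added example of that preservation step, not code from the original page or from Altius IT. It copies each log into an evidence directory, keeps the source modification times, and writes a manifest with the SHA-256 of every copy so anyone can re-verify them later. The log file names and the single log line are constructed, and it writes them to a temporary directory so it runs stand-alone.

```python
"""Copy the logs a suspected-breach investigation needs into an evidence
directory and write a SHA-256 manifest so they can later be shown unchanged.

Added example, not code from the original page or from Altius IT. The log
file names and the sample log line are constructed; the demo writes them
to a temporary directory so it runs stand-alone.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir, incident_id):
    """Copy each source into evidence_dir/<incident_id>/ (copy2 keeps the
    original modification time), record size, source mtime and SHA-256 of
    every copy in manifest.json, and return the manifest. A missing source is
    recorded as such rather than aborting the whole collection."""
    dest = os.path.join(evidence_dir, incident_id)
    os.makedirs(dest, exist_ok=True)
    manifest = {
        "incident": incident_id,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": [],
    }
    for src in sources:
        entry = {"source": src}
        if not os.path.isfile(src):
            entry["status"] = "missing"
        else:
            copy = os.path.join(dest, os.path.basename(src))
            shutil.copy2(src, copy)
            st = os.stat(src)
            entry.update(
                status="copied",
                copy=copy,
                size=st.st_size,
                source_mtime_utc=datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                sha256=sha256_file(copy),
            )
        manifest["files"].append(entry)
    with open(os.path.join(dest, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest_path):
    """Re-hash every copied file; return the paths whose hash no longer matches."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    return [e["copy"] for e in manifest["files"]
            if e["status"] == "copied" and sha256_file(e["copy"]) != e["sha256"]]


def preservation_demo():
    """Preserve one constructed auth log plus one missing log, verify the
    copies, then tamper with a copy and verify again."""
    work = tempfile.mkdtemp()
    auth_log = os.path.join(work, "auth.log")
    with open(auth_log, "w") as fh:  # constructed sample line, not a real capture
        fh.write("Mar  6 02:31:07 fileserver01 sshd[4121]: Accepted password "
                 "for svc_backup from 203.0.113.45 port 51522 ssh2\n")
    manifest = preserve_logs(
        [auth_log, os.path.join(work, "transfer.log")],  # transfer.log does not exist
        os.path.join(work, "evidence"), "INC-0001")
    manifest_path = os.path.join(work, "evidence", "INC-0001", "manifest.json")
    clean = verify_manifest(manifest_path)
    with open(manifest["files"][0]["copy"], "a") as fh:
        fh.write("tampered\n")
    tampered = verify_manifest(manifest_path)
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = preservation_demo()
    print(json.dumps(manifest, indent=2))
    print("mismatched before tampering:", clean)
    print("mismatched after tampering:", tampered)
```

Store the manifest's hashes somewhere the compromised host cannot reach (a printout signed and dated by the person who collected them is the traditional choice), because a manifest sitting next to the copies proves nothing if an intruder or a careless administrator can rewrite both.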
Network security audits help organizations
identify, manage, and reduce their risks. Formal
policies provide a top down approach to
managing network security risks.