Five Steps to Securing Sensitive Information
Safeguarding sensitive data helps ensure that you meet your obligation to your customers, affiliates, and employees. Here are five simple steps you can take to help ensure protection of your data.
Information Security Tip #1: Inventory Your Assets
Understanding your information assets and access to information is essential to assessing security vulnerabilities. Whether you are an industry giant or a lean-and-mean one-person shop, here are some tips on conducting your own internal investigation.
Inventory all servers, computers, flash drives, disks, and other equipment to find out where your company stores sensitive data. Also include laptops, employees’ home offices, cell phones, and e-mail. No security audit is complete until you check everywhere sensitive data might be stored.
- Interview. Track personal information through your business by talking with your technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of who sends your company sensitive data. Do you get it from customers? Call centers? Credit card companies? Banks or other financial institutions? What about affiliates and contractors?
- Forms. How does sensitive data come in to your company? Via your website? E-mail? Through the mailroom? What kind of information is collected at each entry point? Customers’ credit card, debit, or checking account numbers? Do you receive sensitive health or financial data?
- Access. Who has, or could have, access to the information? Which of your employees has permission to look at or view sensitive data? Could anyone else get a hold of it? What about vendors who supply and update software you use to process credit card transactions? Do you have contractors that run your call center, distribution, or fulfillment operations?
- Storage. Different types of data present varying risks. Pay particular attention to how you store personally identifying information such as Social Security numbers, credit card numbers, checking account, or other financial information. Determine if the data you store can facilitate fraud or identity theft if it fell into the wrong hands.
Information Security Tip #2: Less is More
Protect your customers and employees by securing sensitive data in your possession. Keep only what you need for business use. If you don’t have a valid business reason to collect personal information, don’t collect or gather such information. Once you gather information it must be stored, archived, protected, and disposed. By not collecting the information, you save your organization a lot of unnecessary work. Review the forms you use to gather data (applications, fill in web site forms, etc.) and revise them to eliminate requests for information you don’t need.
- Archive. Unless you have a legitimate business justification, don’t store and retain sensitive information. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.
- Defaults. Sometimes the software you use is preset to store information permanently. Check your settings to make sure you’re not inadvertently keeping more than you need.
- Compliance. Ensure your organization meets required compliance privacy and security requirements.
- Retention. If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.
Information Security Tip #3: Procedures
Policies and procedures help you meet your obligation to your customers, affiliates, and employees. Protect your electronic information with these simple steps:
- Physical security. Network defenses can be critical, but when it comes to protecting personal information, don’t forget physical security. Ensure access to network servers is restricted to authorized personnel.
- Encryption. Use encryption to protect sensitive data such as credit card numbers, social security numbers, driver’s license numbers, etc.
- Viruses. Viruses, spyware, and other malware can compromise your systems and your data. Ensure your anti-virus and anti-spyware software is updated on a regular basis.
- Passwords. Most organizations use an ID and password to grant access to your data. Ensure your passwords are long and complex and changed on a regular basis.
- Education. Remind your employees that electronic security is everybody’s business. Hackers certainly pose a threat, but sometimes the biggest risk to a company’s security is an employee who hasn’t learned the basics.
- Access. Provide access to sensitive information only on a “need to know” basis. Have a procedure in place for making sure that workers who leave your employ or move to another part of the business no longer have access to off-limits information.
- Detection. Intrusion detection systems can alert you to breaches in your network security. IT should monitor incoming and outgoing traffic for higher-than-average use at unusual times of the day.
- Patching. Check expert resources like www.sans.org and your software vendors’ websites for alerts about the latest vulnerabilities and vendor-approved patches.
- Providers. Ensure security practices of your contractors and service providers. Before outsourcing business functions, ensure agreements define security requirements.
- Documentation. Organization policies give direction and guidance but generally lack sufficient details to describe how things should be done. By documenting your detailed procedures, your organization can ensures consistent and sustainable protection of your information assets.
Information Security Tip #4: Disposal
Ensure your organization takes the following precautions when disposing of workstations, laptops, USB flash drives, and other devices that may contain sensitive information:
- Delete. Deleting a computer file doesn’t mean that the information has been permanently removed from your system. The data may continue to exist on the computer’s hard drive and could be easily retrieved. Ensure your employees request assistance from your IT department when permanently deleting data.
- Disposal. When getting rid of old computers, laptops, hard drives, portable storage devices, cell phones, etc., use wipe utility programs or physically destroy the media. Wipe utility programs are inexpensive and overwrite the contents so that the files are no longer recoverable.
- Remote. Whether working from home or on the road, ensure telecommuters and business travelers maintain your company’s high security standards. Remind employees and contractors to be as careful when disposing of sensitive documents off-site as they are when creating them.
- Compliance. If you use consumer credit reports in your business, you may be subject to the FTC’s Disposal Rule. The Rule requires companies to adopt reasonable and appropriate disposal practices to prevent the unauthorized access to, or use of, information in credit reports.
- Papers. Effectively dispose of paper records containing sensitive data. Having shredders available throughout the workplace helps ensure employees understand the need to properly dispose of sensitive information.
Information Security Tip #5: Incident Response
Taking steps to protect personal information in your files and on your network can go a long way toward preventing a security breach. Nevertheless, breaches can happen. That’s why Altius IT recommends that organizations have a plan in place to respond to security incidents. Altius IT's tips on customizing your company’s security response plan include:
- Team. Senior management sets the tone for an organization’s commitment to data security. Designate a well-respected senior official to head up your response team.
- Plan. Once you’ve put together your response team, have them draft plans for how your business will respond to different types of security incidents. Sample scenarios may include a lost laptop, servers hacked, internal theft of data, etc.
- Timely. If your staff suspects a breach, investigate it immediately. Waiting days to convene a committee can waste precious time.
- Disconnect. If you suspect a computer breach, immediately sever the compromised computer’s access to the Internet and to your network. To assess the impact, ask your IT staff to preserve any available network logs, file transfer logs, system logs, and access reports. Also investigate if intruders opened files or placed new programs on your computer.
- Contact. Consider whom to inform in the event of an incident, both inside and outside your company. You may need to notify consumers, law enforcement agencies, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, about 40 states have laws addressing data breaches. Have that information on file before you need it.
Network security audits help organizations
identify, manage, and reduce their risks. Formal
policies provide a top down approach to
managing network security risks.