How to Protect Personally Identifiable Information: Top Ten Data Security Best Practices
February 2009 by Gordon Rapkin, Chief Executive Officer, Protegrity Corporation
1: Don’t narrow security focus during economic downturns
When IT budgets are slashed it’s tempting to concentrate only on achieving compliance with regulatory requirements in order to avoid fines, other sanctions and bad publicity. The problem is that centring security solely on meeting the bare minimums required to be in compliance ensures that critical data is not secured as comprehensively as it should be. Gambling with data security in a downturn is a particularly risky business — financial pressures logically lead to an increased threat level from those who are hoping to profit from purloined data. Companies should, even in difficult times, work towards comprehensive security rather than simple compliance with regulations.
2: Have a clear picture of enterprise data flow and usage
You can’t protect data if you don’t know where it is. Comprehensive audits typically reveal sensitive personal data tucked away in places that you’d never expect to find it: unprotected in applications, databases, log files and ad hoc exports across the network. Conduct a full audit of the entire system and identify every point where sensitive data is captured, processed and stored. Only after you know where the data goes and lives can you develop a plan to protect it. The plan should address such issues as data retention and disposal, user access, encryption and auditing.
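As an added example (not from the original article) of the kind of discovery scan such an audit relies on: the program walks a constructed corpus standing in for files, exports and logs, flags e-mail addresses, SSN-style identifiers and card numbers, uses a Luhn check to discard digit runs that merely look like card numbers, and redacts what it reports so the report does not become another unprotected copy of the data. The patterns, file names and sample contents are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one occurrence of a sensitive-data pattern.
type Finding struct {
	Location string // file name, table.column, etc. (constructed here)
	Line     int
	Kind     string // "email", "card" or "ssn"
	Sample   string // redacted value, never the full match
}

var (
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	cardRe  = regexp.MustCompile(`\b(?:\d[ -]?){13,18}\d\b`) // 14-19 digits, optional separators
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
)

// luhnValid filters out the many long digit runs (order numbers, timestamps)
// that are not card numbers; only runs passing the Luhn checksum are reported.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// redact keeps only the last four characters of a match.
func redact(s string) string {
	if len(s) <= 4 {
		return "****"
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// ScanCorpus takes a map of location -> contents (a stand-in for files,
// database dumps and log exports) and returns every hit, sorted by location and line.
func ScanCorpus(corpus map[string]string) []Finding {
	var out []Finding
	for loc, body := range corpus {
		for i, line := range strings.Split(body, "\n") {
			for _, m := range emailRe.FindAllString(line, -1) {
				out = append(out, Finding{Location: loc, Line: i + 1, Kind: "email", Sample: redact(m)})
			}
			for _, m := range ssnRe.FindAllString(line, -1) {
				out = append(out, Finding{Location: loc, Line: i + 1, Kind: "ssn", Sample: redact(m)})
			}
			for _, m := range cardRe.FindAllString(line, -1) {
				if luhnValid(m) {
					out = append(out, Finding{Location: loc, Line: i + 1, Kind: "card", Sample: redact(m)})
				}
			}
		}
	}
	sort.Slice(out, func(a, b int) bool {
		if out[a].Location != out[b].Location {
			return out[a].Location < out[b].Location
		}
		return out[a].Line < out[b].Line
	})
	return out
}

// SampleCorpus is constructed test data: a debug log and a spreadsheet export
// in which PII has leaked outside the systems meant to hold it. The 16-digit
// order number is not a card number and must not be reported.
var SampleCorpus = map[string]string{
	"app/debug.log": "2009-02-03 checkout ok order=1234567890123456 email=alice@example.com\n" +
		"2009-02-03 retry pan=4111 1111 1111 1111 exp=12/11",
	"shared/export.csv": "name,ssn\nBob,123-45-6789",
}

func main() {
	for _, f := range ScanCorpus(SampleCorpus) {
		fmt.Printf("%s:%d %s %s\n", f.Location, f.Line, f.Kind, f.Sample)
	}
}
```

In a real audit the corpus would be fed from file shares, database column samples and log archives, and the findings list becomes the inventory that the retention, access and encryption plan is built from.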
3: Know your data
If the enterprise doesn’t classify data according to its sensitivity and its worth to the organisation it’s likely that too much money is being spent on securing non-critical data. Conduct a data asset valuation considering a variety of criteria including regulatory compliance mandates, application utilisation, access frequency, update cost and competitive vulnerability to arrive at both a value for the data and a ratio for determining appropriate security costs. Specifically gauge the risk associated with employees and how they use the data. If staff are on a minimum wage, transient and/or have low security awareness, the data may be worth more than their pay, so the risk goes up.
Usage also affects the level of security required. If the data only exists on isolated systems behind many layers of access control, the risk may be lower and the controls can be scaled accordingly.
4: Encrypt data end-to-end
Best practices dictate that we protect sensitive data at the point of capture, as it’s transferred over any network (including internal networks) and when it is at rest. Malicious hackers won’t restrict themselves to attacking only data at rest; they’re quite happy to intercept information at the point of collection, or anywhere in its travels. The sooner data is encrypted, the fewer systems along its path ever hold it in the clear, and the more secure the environment.
5: Regulation is not a substitute for education
Technology controls should certainly be in place to prevent employees from intentionally or mistakenly misusing data. But it’s important that everyone understands the reasons for the data protection measures which are in place. One of the most positive steps an enterprise can make is to institute ongoing security awareness training for all employees to ensure that they understand how to identify confidential information, the importance of protecting data and systems, acceptable use of system resources, email, the company’s security policies and procedures, and how to spot scams. People who understand the importance of protecting data and who are given the tools that help them to do so are a great line of defence against malicious hackers. The other side of this coin is that people will always find a way to thwart security measures that they don’t understand, or that impact negatively on their productivity.
6: Unify processes and policies
Disparate data protection projects, whether created by design or due to company mergers, almost always result in a hodge-podge of secured and unsecured systems, with some data on some systems encrypted and some not, some systems regularly purged of old data on a monthly basis and others harbouring customer information that should have been deleted years ago. If this is the case within your enterprise, consider developing an enterprise-wide unified plan to manage sensitive data assets with the technologies, policies and procedures that suit the enterprise’s business needs and enable compliance with applicable regulations and standards.
7: Partner responsibility
Virtually all data protection and privacy regulations state that firms can’t share the risk of compliance, which means that if your outsourcing partner fails to protect your company’s data, your company is at fault and is liable for any associated penalties or legal actions that might arise from the exposure of that data. Laws concerning data privacy and security vary internationally. To lessen the chance of sensitive data being exposed deliberately or by mistake, you must ensure that the company you are partnering with — offshore or domestic — takes data security seriously and fully understands the regulations that affect your business.
8: Audit selectively
Auditing shouldn’t be a huge data dump of every possible bit of information; to be useful it must be selective. Granular auditing that focuses on sensitive data saves time and reduces the performance overhead of logging. Ideally, the logs concentrate on what security managers most need to see: activity around protected information. Limiting the volume of audit data in this way makes it practical to actually review every critical security event rather than letting it drown in routine noise.
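An added example (not the article’s) of such a selective audit filter: a policy built from the data-flow audit names the protected columns and tables, plus the actions and bulk-read volumes that are always recorded, and a constructed event stream shows how much routine access is excluded. Event fields, object names and the threshold are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one data access as a database or application hook might report it.
type AccessEvent struct {
	User   string
	Action string // SELECT, UPDATE, DELETE, EXPORT
	Object string // "table.column"
	Rows   int
}

// AuditPolicy lists the protected objects (the output of the data-flow audit),
// actions that always merit a record, and a bulk-read threshold that catches
// mass extraction of anything at all.
type AuditPolicy struct {
	Protected     map[string]bool // exact "table.column" or "table.*"
	AlwaysActions map[string]bool
	BulkRows      int // 0 disables the bulk rule
}

func (p AuditPolicy) isProtected(object string) bool {
	if p.Protected[object] {
		return true
	}
	if i := strings.IndexByte(object, '.'); i > 0 {
		return p.Protected[object[:i]+".*"]
	}
	return false
}

// ShouldAudit is the selective filter: keep events that touch protected data,
// high-impact actions, or bulk reads; everything else stays in ordinary
// operational logs rather than the security audit trail.
func (p AuditPolicy) ShouldAudit(e AccessEvent) bool {
	return p.isProtected(e.Object) ||
		p.AlwaysActions[e.Action] ||
		(p.BulkRows > 0 && e.Rows >= p.BulkRows)
}

// Filter returns the retained events and a count of what was excluded, so the
// reviewer can see the noise reduction as well as the findings.
func Filter(p AuditPolicy, events []AccessEvent) (kept []AccessEvent, dropped int) {
	for _, e := range events {
		if p.ShouldAudit(e) {
			kept = append(kept, e)
		} else {
			dropped++
		}
	}
	return kept, dropped
}

// SamplePolicy and SampleEvents are constructed for the example.
var SamplePolicy = AuditPolicy{
	Protected:     map[string]bool{"customers.ssn": true, "customers.email": true, "cards.*": true},
	AlwaysActions: map[string]bool{"EXPORT": true, "DELETE": true},
	BulkRows:      10000,
}

var SampleEvents = []AccessEvent{
	{User: "app", Action: "SELECT", Object: "products.price", Rows: 40},
	{User: "app", Action: "SELECT", Object: "customers.name", Rows: 12},
	{User: "app", Action: "SELECT", Object: "customers.ssn", Rows: 1},
	{User: "batch", Action: "SELECT", Object: "cards.pan", Rows: 5000},
	{User: "dba", Action: "EXPORT", Object: "orders.total", Rows: 100000},
	{User: "app", Action: "UPDATE", Object: "products.stock", Rows: 3},
	{User: "support", Action: "SELECT", Object: "customers.email", Rows: 2},
	{User: "app", Action: "SELECT", Object: "orders.total", Rows: 9},
	{User: "batch", Action: "SELECT", Object: "orders.total", Rows: 250000},
}

func main() {
	kept, dropped := Filter(SamplePolicy, SampleEvents)
	fmt.Printf("kept %d, dropped %d\n", len(kept), dropped)
	for _, e := range kept {
		fmt.Printf("AUDIT user=%s action=%s object=%s rows=%d\n", e.User, e.Action, e.Object, e.Rows)
	}
}
```

Note that "selective" is about the data objects and actions recorded, not about sampling: every access to a protected column is kept, and the bulk-read rule ensures a mass extraction of an unclassified table is still seen.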
9: Consider physical security
It seems that every week we hear about the laptop that was left behind in a cab, the DVDs that were found in the rubbish, the unencrypted backup tapes that showed up for sale on eBay without ever being degaussed, the flash drive that was used to steal thousands of documents, and so on. Doors that lock are as important to security as intrusion detection software. Always ask ‘what if this ______ was stolen?’ No matter how you fill in the blank, the question elicits a strategy for physical security.
10: Devise value-based data retention policies
Retaining sensitive data can be very valuable for analytic, marketing and relationship purposes, provided it is retained in a secure manner. Make sure that stored data is really being used in a way that brings real benefits to your organisation. The more data you save, the more data you have to protect. If securely storing data is costing more than its value to your organisation, it’s time to refine your data retention policy.