Conducting an Internal Data Security Audit
Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has — or could have — access to it is essential to assessing security vulnerabilities.
Whether you’re an industry giant or a lean-and-mean one-person shop, here are some tips on conducting a data security audit to determine how data flows through your organization and who has access to it.
- Inventory all file cabinets, computers, flash drives, disks, internal and outsourced applications, and other equipment to find out where your company stores sensitive data. Don’t forget about laptops, employees’ home offices, cell phones, and email attachments. No security audit is complete until you check everywhere sensitive data might be stored.
- Track personal information through your business by talking with your technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of who sends your company sensitive data. Do you get it from customers? Call centers? Credit card companies? Banks or other financial institutions? Affiliates and contractors?
- How does sensitive data come into your company? From your website? Via email? Through the mailroom? What kind of information is collected at each entry point? Customers’ credit card, debit, or checking account numbers? Sensitive health or financial data?
- Who has or could have access to the information? Which of your employees have permission to look at sensitive data? Could anyone else get hold of it? What about vendors who supply and update the software you use to process credit card transactions? Contractors running your call center, distribution, or fulfillment operations?
- Don’t forget copies of sensitive data that are routinely made, such as physical copies of contracts or IT data backups. The more copies of data you keep, the greater the risk that it will be seen by someone who is not on the ‘official’ access list.
- Different types of data present varying risks. Pay particular attention to how you keep personally identifying information like Social Security numbers; credit card, debit, checking account, or financial information; and other sensitive data that could facilitate fraud or identity theft if it fell into the wrong hands.