Whether you’re a industry giant or a lean-and-mean one-person shop, here are some tips on conducting a data security audit to determine who data flows through your organization and who has access to it.

No related posts.

Here are some tips about customizing your company’s incident response plan.

• Senior management sets the tone for any organization’s commitment to data security. That’s why drafting, coordinating, and implementing your company’s response plan isn’t a job for a newcomer. Designate a well-respected senior executive to head up your response team. Select someone with a reputation for working well with every part of your operation — sales, financial, personnel, information technology.
• Once you’ve put together your response team, have them draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others — a lost laptop or a root kit attack, to name just two — are unfortunate, but foreseeable.
• Experience sharpens intuition. If your staff suspects a breach, investigate it immediately.
• If you suspect a computer breach, immediately sever the compromised computer’s access to the Internet and to your network. To assess the impact, ask your IT staff to preserve any available network logs, file transfer logs, system logs, and access reports. Investigate if intruders opened files or placed new programs on your computer. Did they release viruses or other malware? By diagnosing the damage and retracing the fraudsters’ steps, you can help your company shore up unanticipated vulnerabilities.
• Consider whom to inform in the event of an incident, both inside and outside your company. You may need to notify consumers, law enforcement agencies, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, about 40 states have laws addressing data breaches. Have that information on file before you need it.

No related posts.

So what does this mean for savvy marketers? Here are some tips on making your privacy policy have some teeth.

• Design your privacy policy with your customers in mind. Just like the rest of your website, your privacy policy should be clear, direct, and easy to understand. Keep technical jargon and legal terminology to a minimum.
• Some online retailers lace their privacy policies with lofty language about how careful they are with customers’ personal information, but don’t back their words up with tough security measures. Statements in your privacy policy are no different from any other advertising claim you make. You’ve got to back them up with solid proof.
• For security-minded consumers, your company’s information security practices are a key factor in their decision to do business with you. So if you decide to modify how you use personal information, it’s important to call customers’ attention to that change in policy. Just editing what you say on your website won’t alert them to your new procedures.
• A company’s privacy policy is only as strong as the staff that implements it. That’s why it’s important to train all employees — including your IT professionals, sales representatives, human resources specialists, and support staff — on how to protect sensitive data. 

No related posts.

• Many companies have special passwords and access numbers for employees to use when they’re off-site. Avoid the temptation to jot them down on a scrap of paper you keep with your laptop. Don’t use shortcut keys to program passwords, access codes, or credit card numbers.
• Before leaving on business travel, check your briefcase, PDA, and laptop for data that shouldn’t go on the road with you. Sensitive information is best left locked in a file cabinet or burned to a CD or flash drive stored securely in your office.
• Ten percent of all laptop thefts occur in airports. Keep your eye on your electronic devices when going through airport screening. Don’t put your cell phone, PDA, or computer on the conveyor belt until the person directly ahead of you has made it through the metal detector.
• A survey of business travelers found that a third of them confessed to sneaking a peek at an airplane seatmate’s computer screen. Defer work on confidential client files until you’re away from prying eyes.
• Ever taken a look at the documents some travelers leave on the computer at the hotel business center? And just think of the sensitive information blurted out during loud cell phone conversations. Remind your employees to keep their guard up in public. You never know who might be listening.It’s a small, small world
• Information on home computers can be just as vulnerable to compromise. Require up-to-date firewall, anti-virus, and anti-spyware protection and the latest security patches on home computers used even occasionally for business. Establish company policies about off-site access to sensitive data.
• Business travelers often are the first in line for the latest electronic device, but need to take care before disposing of the old one. When getting rid of computers, cell phones, or PDAs, deleting files using keyboard commands may not be sufficient because data can remain on a device’s memory. Check with your IT staff to see if there is a “wipe” utility program that can overwrite the memory so data is no longer recoverable.

No related posts.

The best way to protect your business is to systematically identify what information you collect from customers or partners on web registration forms, contracts, service orders, sales and customer services records in both digital and non digital form.  This process should be driven by the creation of a data classification scheme which identifies the sensitivity of this data, the security controls that should be used to manage it, and how long it should be retained.

Going through this process will give you the opportunity to define what data, if any, should be retained for the long term, and what data can be disposed. By keeping only what’s necessary and safely disposing of the rest, you can protect your customers and employees by securing sensitive data in your possession. One tip: Scale down — Keep only what you need for business.

• If you don’t have a valid business reason to collect personal information, don’t ask for it in the first place. Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
• Unless you have a legitimate business justification, don’t hold onto customers’ credit card information, including account numbers and expiration dates. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.
• Sometimes the software used to read credit card numbers and process transactions is preset to store information permanently. Check your settings to make sure you’re not inadvertently keeping more than you need.
• If you must keep information for business reasons or to comply with the law, develop a written records and data retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.

No related posts.

Most businesses adopt a data classification scheme that categorizes information along the following four dimensions:

• Company confidential
• Private
• Sensitive
• Public

A simple scheme like this facilitates improved data security because it clearly identifies and communicates the levels of confidentiality required for all data and the people who should have access to it. For example, a presentation or patent application that is labeled “Company Confidential” is clearly not meant to be distributed outside of a company.

Good data classification schemes should also include a time element that lets data change it’s classification after a specified interval and an owner, who is responsible for maintaining and protecting a specified data type or source.

Neglecting to implement adequate security controls for sensitive information can lead to increased corporate liability and regulatory censure. Without a data classification scheme, a company may treat all information the same, greatly increasing the chance of accidental disclosure or security breaches.

Writing a data classification scheme is not that difficult and I’ve supplied a sample template below that can help you jump start the process. Getting it implemented however, may require a substantial degree of organizational change, so it is best to get the buy-in of senior management before you start that process.

A Data Classification Policy Template

No related posts.

If not, I highly recommend that you write a standard employee termination policy and make sure that your human resources and information technology groups implement it whenever an employee is terminated or leaves your company. This is particularly important if the employee has access to sensitive financial information, customer information, confidential intellectual property or information technology systems, but should be uniformly implemented regardless of the employee’s role.

During the termination process, IT’s focus should be on protecting the data assets of your company from disclosure or inappropriate use and on making sure that the departing employee does not destroy any information required for business continuity including sales leads, customer information and trade secrets.

When you create your employee termination policy, it should include a check list of all the physical, network, computer, and data access privileges that an employee could possibly have. That can be quite a long list, but it’s essential that you document as much of it as possible because it is unlikely that your IT group will have this information centralized and up to date. A certain amount of discovery will be required before or during the termination process and a checklist will ensure that you’ve examined and revoked the employee’s access to all major systems of concern.

In the case of a terminated employee, IT should immediately revoke all computer, network, application and data access the former employee has. Remote access should also be disabled and the former employee should return all company-owned property, including notebook computers and intellectual property like corporate files containing customer, sales, financial or operational information. A careful log should be kept of each of these actions for legal or forensic purposes, including the time/date that they occurred and the name of IT or HR staff member who performed the action.

To get you started, I’ve provided a checklist of the systems and privileges that your IT and HR group should review and revoke upon employee termination.

1. Access to company computers including desktops, laptops and servers.
2. Access to the company’s physical and wireless networks.
3. Access to the VPN gateway.
4. Access to all company email accounts. This may include a personal account as well as one or more group accounts that the individual has access to. If the employee has access to email accounts with shared passwords, the shared password should be changed.
5. Terminate all email or message forwarding to personal devices such as mobile phones.
6. Access to all internal server-based systems. If these are accessed by multiple people using a shared password, the shared password should be changed.
7. Access to all externally hosted applications used by the company including online sales force management, CRM, billing, financial, email marketing, team collaboration and web hosting systems. If these are accessed by multiple people using a shared password, the shared password should be changed.
8. All remote servers that can be accessed outside of the company network, say over the internet. If these are accessed by multiple people using a shared password, the shared password should be changed.
9. Access to voicemail.
10. Access to all company conferencing services.
11. Access to the company credit card. If there is only one company credit card and it’s widely known, you may be SOL. I’d recommend you change the card number and centralize all purchasing to keep this information more secure.
12. Remove the employee’s name from the list of approved contacts maintained by all of your external service or software providers.
13. Access to physical premises, either using a key or remote access card. This may include access to multiple sites.
14. Access to any 3rd party locations where the company has equipment, including remote data centers.
15. Access to remote backups hosted by 3rd party services. This may require some forensic work in old expense reports to determine if the employee was backing up their desktop of laptop using an off site service.

Once access to the information has been revoked, your IT and HR groups should work with the employee’s manager and other departments to determine who will take over the terminated employee’s responsibilities and what information they should have access to. For example, if a sales rep is let go, a sales manager should review the rep’s pipleline and reassign leads or in progress deals to another employee. IT may need to be involved in this process if it requires moving data from one account to another or destroying electronic information if it is deemed worthless and should be disposed of.

No related posts.