Data protection has become an increasing challenge at many organizations. Events such as the loss or theft of customer records, the accidental forwarding of sensitive e-mails, and violations of corporate policies have pushed information-loss prevention to the top of the agenda.
Critical issues facing most businesses include:
- Ensuring regulatory compliance.
- Enforcing appropriate data use and access policies.
- Protecting intellectual property.
The consequences can be enormous, and include:
- Disclosure of trade secrets.
- Loss of customers and their trust.
- Charges of fraud.
Regulatory compliance alone is a particularly critical issue. There are complex laws governing the collection, storage and use of customer data and personal information that could potentially be used to identify, contact, locate or impersonate a customer, employee, patient or other individual who interacts electronically with your organization.
Depending on the type of data your company collects and retains, you may need to hire dedicated information security specialists who are certifiably qualified to protect electronic data. There are a number of qualifications that can provide your data security staff with invaluable information on how to best protect information, including designations as a Certified Information Systems Auditor (CISA) and classification as a Certified Information Systems Security Professional (CISSP).
But even with these certifications, some protection issues may require specialists. For example, if your organization operates abroad, it would more than likely need to engage a qualified firm that knows the protection and privacy laws of the countries in which your organization operates.
With so much at stake, robust data privacy and protection policies are crucial. Evaluate the safeguards your company has in place to protect both its own proprietary information as well as data about the public it deals with. To help in this assessment, here is a checklist of substantial issues to address:
Privacy and Protection Policies
- Does your company have data privacy and protection policies in place?
- Are the policies owned and updated by suitably knowledgeable data protection specialists within your organization?
- Does your code of conduct include a section dedicated to the privacy and protection of data?
- Is there a significant incident response plan in place if large volumes of data are lost or stolen?
- Does the plan include how and when to engage a professional services firm to help respond to a data breach?
- Should your business choose a qualified firm prepared to assist with potential breaches instead of being forced to find a firm after a breach?
Employee Communication and Awareness
- Does your business have an information security awareness program that trains employees in ways to be more secure in handling electronic assets?
- If yes, how is the program delivered?
- Do employees receive refresher training courses?
- Does the organization track employees to ensure they complete the required training?
- Does your enterprise limit access to data based on job requirements?
- Does your organization have the ability to track and monitor employee use of data?
- Does the monitoring system identify and alert your organization to unusual activity involving employee use of data?
- Does your company conduct background checks — including criminal and credit — for new employees?
- Are the results of those investigations shared on a “need to know” basis?
- Are background checks applied consistently, regardless of the level of position for which the candidate is applying?
Customer Web Site Access
- Does your organization validate that individuals attempting to conduct business through your Web site are legitimate?
- Does your password system create and reset robust customer log-on credentials?
- If your organization provides customer data to vendors, is the information exchange covered by strong levels of security?
- Does your enterprise have a response plan for recovering lost or misplaced data?
- Do your vendors have robust data protection plans to protect your company’s data?
- Should your enterprise encrypt data and install remote data destruction (RDD) technology on laptops and other mobile devices to be able to remotely wipe data if a device is lost or stolen?
- Does your organization have a system in place to ensure the name of each laptop user is listed and that the list is frequently updated to reflect equipment renewals and staff changes?
- Do your termination procedures include a checklist for noting the return of company-owned laptops and other mobile devices?
Data privacy and protection require a well-thought-out and highly structured program. By working through the questions on this checklist, your organization can take crucial steps toward securing its data. Without a data privacy and protection program in place, your organization runs the risk of losing data that, once lost or stolen, can be exceptionally difficult to recover or replace.