Data protection has become an increasing challenge at many organizations. Events such as the loss or theft of customer records, the accidental forwarding of sensitive e-mails, and violations of corporate policies have pushed information-loss prevention to the top of the agenda.
Critical issues facing most businesses include:
The consequences can be enormous, and include:
Regulatory compliance by itself is a particularly critical issue. Complex laws govern the collection, storage and use of customer data and of personal information that could be used to identify, contact, locate or impersonate a customer, employee, patient or other individual who interacts electronically with your organization.
Depending on the type of data your company collects and retains, you may need to hire dedicated information security specialists who hold recognized certifications in protecting electronic data. Several qualifications give data security staff a solid grounding in how best to protect information, including the Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP) designations.
But even with certified staff, some protection issues require outside specialists. For example, if your organization operates abroad, it will more than likely need to engage a qualified firm that knows the data protection and privacy laws of each country in which your organization operates.
With so much at stake, robust data privacy and protection policies are crucial. Evaluate the safeguards your company has in place to protect both its own proprietary information and the data it holds about the public it deals with. To help with this assessment, here is a checklist of key issues to address:
__ Does your company have data privacy and protection policies in place?
__ Are the policies owned and updated by suitably knowledgeable data protection specialists within your organization?
__ Does your code of conduct include a section dedicated to the privacy and protection of data?
__ Does your breach response plan specify how and when to engage a professional services firm to help respond to a data breach?
__ Has your business selected a qualified firm in advance to assist with potential breaches, rather than being forced to find one after a breach has occurred?
__ Does your business have an information security awareness program that trains employees in ways to be more secure in handling electronic assets?
__ If yes, how is the program delivered?
__ Do employees receive refresher training courses?
__ Does the organization track employees to ensure they complete the required training?
__ Does your enterprise limit access to data based on job requirements?
__ Does your organization have the ability to track and monitor employee use of data?
__ Does the monitoring system identify and alert your organization to unusual activity involving employee use of data?
__ Does your company conduct background checks, including criminal and credit checks, for new employees?
__ Are the results of those investigations shared on a "need to know" basis?
__ Are background checks applied consistently, regardless of the level of position for which the candidate is applying?
__ Does your organization validate that individuals attempting to conduct business through your Web site are legitimate?
__ Does your authentication system issue and reset customer log-on credentials in a robust, secure manner?
__ If your organization provides customer data to vendors, is the information exchange protected by strong security controls?
__ Does your enterprise have a response plan for recovering lost or misplaced data?
__ Do your vendors have robust data protection plans to protect your company's data?
__ Should your enterprise encrypt data and install remote data destruction (RDD) technology on laptops and other mobile devices to be able to remotely wipe data if a device is lost or stolen?
__ Do your termination procedures include a checklist for noting the return of company-owned laptops and other mobile devices?
Data privacy and protection requires a well-thought-out and highly structured program. By working through this checklist, your organization can take crucial steps toward securing its data. Without a data privacy and protection program in place, your organization runs the risk of losing data that, once lost or stolen, can be exceptionally difficult to recover or replace.
Get in touch today and find out how we can help you meet your objectives.