[BreachExchange] 10 Important Elements to Corporate Data Security Policies That Protect Data Privacy

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 29 13:56:33 EDT 2017


https://www.smallbizdaily.com/data-security-policies/

Do you have a good corporate data security policy in place? These policies
outline how your data needs to be protected, what areas must be covered,
and even what data should have higher security than others. Without some
kind of policy in place, your company, your employees, and your customers
may all be in danger from hackers and data breaches. It is important to
note that data security and data privacy aren’t always the same, though.
It’s vital to understand this and other distinctions when crafting your
data security policy so that it’s as effective as possible.

Privacy Versus Security

Data privacy is defined as using data appropriately. This means when data
is provided to a company, it’s often done so with the expectation that the
data will be used in one specific way. For example, when customers provide
a business with their credit card information, they expect that data will
only be used to charge their card for the purchases they make and that it
won’t be shared. Companies that sell, share, or disclose information that
was entrusted to them without approval may face harsh FTC fines and other
repercussions. This is also true if the business fails to do its best to
protect information from hackers.

Security, on the other hand, revolves around the integrity, availability,
and confidentiality of your data. It consists of all of the practices and
policies that ensure your data isn’t accessed or used by unauthorized
individuals. Your data security policy needs to cover everything from
collecting information to storing it, using it, and even destroying it when
you do not need it any longer. Part of data security, of course, is to
ensure data privacy. In fact, the end goal of data security policies is to
ensure that any data you collect is kept private.

To that end, here are ten of the most important elements you need to
understand and incorporate into your data security policy in order to
effectively protect your information.

1. Make Everyone Accountable

Do your employees, IT staff, and management know their responsibilities as
far as data privacy and security go? Everyone should know what they need to
do to keep your data protected. Ignorance is often one of the reasons why
data privacy is breached, so include training, reinforcement training, and
updates to new security policies regularly. Employees need to be aware of
what is confidential data, what data is not to be shared outside of the
company, and what data is free to use and share as needed.

2. Have Network Services Policies

These policies should outline how employees will access the network from
remote locations, how routers, modems, and switches will be secured, and
how IP addresses will be configured, among other things. Your network
intrusion detection policies should also be included here.

3. Scan for Vulnerabilities

Have you heard of companies hiring hackers to attack their networks? This
is actually a fairly common practice because it lets these companies see
where their vulnerabilities are. While the hackers they hire aren’t out to
steal data, they still do everything they can to circumvent the company’s
security systems. When combined with security intelligence, the company can
see what areas need to be shored up. This should be done more than once,
too—hackers are always learning new methods of attack, so you need to have
your security tested regularly to make sure it holds up to these new
methods.

4. Manage Updates and Patches

Your policy needs to outline how your IT staff will manage patches and
other updates to your software. In some cases, these patches will come from
software providers, but in other cases, your team may need to implement the
code themselves. Make sure this code is developed, tested, and implemented
as quickly as possible after a security vulnerability is discovered.

5. Outline Server Security Configurations

Your data security policy also needs to cover how your operating systems,
programs, and servers should be configured. This policy should outline how
accounts are managed and the password rules that all employees need to
follow. Antivirus programs, malware scanners, and firewall settings also
fall under this part of your security policy.

6. Incident Responses

While you hope that you never have to deal with a security breach, chances
are that you will. When this occurs, you want to have a number of incident
responses for various scenarios. This way, there’s no guesswork or panic
involved. You simply reach for your data security policy document, find the
correct response, and implement it. Each response should cover how to
evaluate the breach, how it will be reported internally as well as to the
general public, and how you’ll work to prevent the issue from occurring
again.

7. Acceptable Use

This part of the policy outlines what you consider acceptable use of your
network and the data you collect. Employees need to read, understand, and
acknowledge this policy when they join your company. This way, you can be
certain that they have at least received a copy of the policy so that
disciplinary action can be taken if necessary.

8. Secure Your Network

Make certain you make use of network security intelligence from top
security professionals and even from your competitors to ensure that your
network security is as strong as possible. By participating in network
security intelligence groups and forums, you’ll have access to information
regarding other cyber-attacks. By seeing how hackers are attacking others,
you can learn where you need to defend your network. You can also share
your own security intelligence to help others protect themselves.

9. Audits

By auditing your company, you can make certain that your data security
policy is being complied with. Perform audits on a regular basis, not just
once, and do some of them randomly. You shouldn’t always audit your own
company, either. Bring in outside network security professionals to do an
audit and make certain that even your senior managers are following the
rules.

10. Monitor and Control Accounts

Make sure you know who has access to what data at any given time. Your data
security policy needs to outline who has access to the most sensitive
information, and your IT staff needs to implement this using user roles.
When an employee needs access to sensitive data, they need to be given
access only to the information they need. If they only need that
information for a limited time, permissions need to be revoked once that
time is up.

Likewise, employees who leave the company, whether voluntarily or
involuntarily, need to have their accounts deactivated immediately. This
removes the chance that the employee could log in and cause damage or that
their account could be hijacked.
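As an added illustration of item 10 (this is not code from the article), the following Python model shows role-based access with time-limited grants that expire on their own and an offboarding step that disables the account and drops every grant at once; the role names and data sets are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role model: each role names the data sets it may reach.
ROLE_DATA = {
    "support": {"tickets"},
    "billing": {"tickets", "payment_cards"},
    "hr": {"employee_records"},
}

@dataclass
class Account:
    active: bool = True
    grants: list = field(default_factory=list)  # (role, expires_at or None)

class AccessRegistry:
    def __init__(self):
        self.accounts = {}

    def add_user(self, user):
        self.accounts[user] = Account()

    def grant(self, user, role, now, duration=None):
        # `now`/`duration` may be datetime/timedelta or plain epoch seconds.
        # A time-limited grant carries its own expiry; no manual revocation.
        if role not in ROLE_DATA:
            raise ValueError(f"unknown role {role}")
        expires = now + duration if duration else None
        self.accounts[user].grants.append((role, expires))

    def effective_data(self, user, now):
        # Deactivated accounts and expired grants contribute nothing.
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            return set()
        data = set()
        for role, expires in acct.grants:
            if expires is None or now < expires:
                data |= ROLE_DATA[role]
        return data

    def can_access(self, user, data, now):
        return data in self.effective_data(user, now)

    def deactivate(self, user):
        # Offboarding: disable the account and clear every grant immediately.
        self.accounts[user].active = False
        self.accounts[user].grants.clear()

    def report(self, now):
        # "Who has access to what right now", for the audit trail.
        return {u: sorted(self.effective_data(u, now)) for u in self.accounts}
```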