According to Protecting Personal Information - A Guide for Business, a sound data security plan is built on five key principles:
- Take stock - Know what personal information you have in your files and on your computers.
- Scale down - Keep only what you need for your business.
- Lock it - Protect the information that you keep.
- Pitch it - Properly dispose of what you no longer need.
- Plan ahead - Create a plan to respond to security incidents.
This self-assessment tool was developed using the concepts outlined in the Federal Trade Commission booklet Protecting Personal Information - A Guide for Business. It can be used to help identify areas where a data security plan could be improved.
TAKE STOCK
- Has an inventory been completed of all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers and other equipment to find out where sensitive data is stored?
- Has a tracking system for sensitive personal information been set up? Does it include:
  - Who sends sensitive personal information to the business?
  - How the business receives personal information?
  - What kind of information is collected at each entry point?
  - Where the collected information is kept?
  - Who has, or could have, access to the information?
SCALE DOWN
- Is there a legitimate business need for all sensitive personally identifying information collected?
- Is there a process in place to destroy this information when it is no longer necessary?
- If you collect social security numbers, is it necessary (e.g. for reporting employee taxes)?
- Can an employee or customer identification number be used instead?
- Are electronically printed credit and debit card receipts truncated (shortened)?
- Is there a policy in place to retain customer credit card information only where there is a business need for it?
- Is there a process in place to destroy this information when it is no longer necessary?
- For information that is kept for business reasons or to comply with the law, is there a written records retention policy? Does it identify:
  - What information must be kept?
  - How to secure it?
  - How long to keep it?
  - How to dispose of it securely when it is no longer needed?
LOCK IT
Effective data security plans deal with four key elements:
- Physical security
- Electronic security
- Employee training
- Security practices of contractors and service providers
PHYSICAL SECURITY
- Are paper documents or files, as well as CDs, floppy disks, zip drives, tapes and backups containing personally identifiable information, stored in a locked room or in a locked file cabinet?
- Is access limited to employees with a legitimate business need?
- Is there a procedure for controlling who has access (e.g. key control)?
- Are the following requirements in place?
  - Are files containing personally identifiable information kept in locked file cabinets except when an employee is working on the file?
  - Do employees secure sensitive papers when they are away from their workstations?
  - Do employees put files away, log off their computers and lock their file cabinets and office doors at the end of the day?
- Is the building access controlled?
- Are employees informed what to do and whom to call if they see an unfamiliar person on the premises?
- If sensitive information is shipped using outside carriers or contractors, is the information encrypted and an inventory of the information being shipped kept?
- Is an overnight shipping service used that allows for tracking of the delivery?
- Are devices that collect sensitive information (e.g. PIN pads) secured so that identity thieves can’t tamper with them?
- Have these devices been inventoried to ensure that they have not been switched?
ELECTRONIC SECURITY
General Network Security
- Have the computers and servers where sensitive personal information is stored been identified?
- Have all connections to the computers where sensitive information is stored been identified? (These may include the Internet, electronic cash registers, computers at branch offices, computers used by service providers to support the network, digital copiers and wireless devices like smartphones, tablets or inventory scanners.)
- Has the vulnerability of each connection been assessed to commonly known or reasonably foreseeable attacks? (Depending on circumstances, appropriate assessments may range from having knowledgeable employees run off-the-shelf security software to having an independent professional conduct a full-scale security audit.)
- Is only essential sensitive consumer data stored on computers with an Internet connection?
- Has consideration been given to the following?
  - Encrypting sensitive information that is sent to third parties over public networks (like the Internet)?
  - Encrypting sensitive information that is stored on computer networks (or on disks or portable storage devices used by employees)?
  - Encrypting email transmissions within the business if they contain personally identifying information?
- Are up-to-date anti-virus and anti-spyware programs run regularly on individual computers and servers on the network?
- Is there a process in place to check expert websites (such as www.sans.org) and software vendors’ websites regularly for alerts about new vulnerabilities and implement policies for installing vendor-approved patches to correct problems?
- Are there restrictions on employees’ ability to download unauthorized software? (Software downloaded to devices that connect to the network – computers, smartphones and tablets – could be used to distribute malware.)
- Is there a process to scan computers on the network to identify and profile the operating system and open network services?
- If there are unneeded services found, are they disabled to help prevent hacks or other potential security problems?
- Is Secure Sockets Layer (SSL) or another secure connection used when credit card information or other sensitive financial data is received or transmitted?
PASSWORD MANAGEMENT
- Are there requirements for passwords? If yes:
  - Are there requirements to help assure that employees use “strong” passwords?
  - Do the rules require a mix of letters, numbers and characters?
  - Are passwords required to be different than an employee’s username?
  - Is there a process in place requiring frequent changes in passwords?
- Is there a policy in place prohibiting employees from sharing their passwords or posting them near their workstations?
- Are password-activated screen savers used to lock employee computers after a period of inactivity?
- Does the system lock out users who don’t enter the correct password within a designated number of log-on attempts?
- Have employees been warned about possible calls from identity thieves attempting to deceive them into giving out their passwords by impersonating members of your IT staff?
MOBILE DEVICE SECURITY
Laptops, cell phones, tablets, etc.
- Is the use of mobile devices restricted to employees who need them to perform their jobs?
- Has an assessment been done to determine whether sensitive information really needs to be stored on a mobile device? (If not, delete it with a wiping program that overwrites data on the device.)
- Have employees been informed of the importance of storing mobile devices in a secure place?
- Have employees been trained to be mindful of mobile device security when travelling?
- Has consideration been given to allowing users only to access sensitive information, but not to store the information, on their devices?
- Have mobile devices containing sensitive data been encrypted and configured so users can’t download any software or change the security settings without approval from the company’s IT specialists?
- Has consideration been given to adding an auto-destroy function so data on a device that is reported stolen will be destroyed when the thief uses it to try to get on the Internet?
FIREWALLS
- Is there a firewall in place to protect computers from hacker attacks while they are connected to the Internet?
- Has installation of a border firewall where the network connects to the Internet been considered?
- Has consideration been given to using additional firewalls to protect computers with sensitive information?
WIRELESS AND REMOTE ACCESS
- Have wireless devices like smartphones, tablets, inventory scanners or cell phones that connect to the computer network or transmit sensitive information been identified?
- Has consideration been given to limiting who can use a wireless connection to access the computer network?
- Has encryption been considered to make it more difficult for an intruder to read the content on the network?
- Do you use a VPN when accessing company resources on public Wi-Fi?
DIGITAL COPIERS
- Have steps been taken to protect the data on the hard drive of digital copiers?
- Have the following safeguards been considered?
  - Is IT involved in the purchase to help assess data security?
  - Are the security features of the copier being used?
  - Is the entire hard drive being securely overwritten at least once a month?
  - Is the hard drive removed and destroyed when disposing of a copier? If not, has the data on the hard drive been overwritten?
DETECTING BREACHES
- Do you have an intrusion detection system on the network?
  - Is it updated frequently to address new types of hacking?
- Is a central log file of security-related information maintained to monitor activity on the network to help spot and respond to attacks?
- Do you monitor incoming traffic for signs that someone is trying to hack in?
- Is outgoing traffic monitored for signs of a data breach?
- Is there a breach response plan in place?
- Is the breach response practiced on a regular basis?
- Does the plan address data loss due to ransomware attacks?
EMPLOYEE TRAINING
- Before hiring employees, are reference checks and/or background checks run on those who will have access to sensitive data?
- Do new employees sign an agreement to follow the company’s confidentiality and security standards for handling sensitive data?
- Are employees regularly reminded of company policy—and any legal requirement—to keep customer information secure and confidential?
- Is access to consumers’ sensitive personally identifying information limited to employees with a “need to know”?
- Is there a procedure in place for ensuring workers who leave or transfer to another part of the company no longer have access to sensitive information?
- Are passwords terminated, keys and identification cards collected as part of the check-out routine?
- Is ongoing employee training conducted? Does the training include:
  - Employees at satellite offices, temporary help and seasonal workers?
  - Recognizing security threats?
  - Company policies regarding keeping information secure and confidential?
  - The dangers of spear phishing—emails containing information that makes the emails look legitimate?
  - Phone phishing?
  - Notification of potential security breaches, such as a lost or stolen laptop?
  - Dangers of transmitting sensitive personally identifying data—Social Security numbers, passwords, account information—via email?
SECURITY PRACTICES OF CONTRACTORS AND SERVICE PROVIDERS
- Have contractors’ and service providers’ data security practices been evaluated?
- Do contracts address security issues for the type of data the service providers handle?
- Are service providers required to notify the company of any security incidents they experience, even if the incidents may not have led to an actual compromise of data?
- When using a service provider for storage (email or files), does the contract outline an offloading process for data if the contract is not renewed?
- Is there a plan in place to address operations if the service provider is unavailable due to a service outage or data breach?
PITCH IT
- Have information disposal practices to prevent unauthorized access to - or use of - personally identifying information been implemented?
- Are paper records disposed of by shredding, burning or pulverizing them before discarding?
- Is data on old computers and portable storage devices securely erased before disposal?
- Are employees who work from home (or remotely) following the same procedures for disposing of sensitive documents, old computers and portable storage devices?
PLAN AHEAD
- Is there a plan in place to respond to security incidents?
- Is there a senior staff member designated to coordinate and implement the response plan? Does the plan address the following:
  - Disconnecting any compromised computer immediately from the network?
  - Investigating security incidents immediately to take steps to close off existing vulnerabilities or threats to personal information?
  - Whom to notify in the event of an incident, both inside and outside the organization?
- Does the plan in place include verification of the quality of backed up data and testing of the data restoration?
Consumers, law enforcement, customers, credit bureaus and other businesses that may be affected by the breach may need to be notified. In addition, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. It is strongly recommended that an attorney be consulted.
Additional Resources
United States Computer Emergency Readiness Team (US-CERT)
OnGuard Online (computer security tips, tutorials and quizzes)
Digital Copier Data Security: A Guide for Businesses