Your company should have a security plan that respects data privacy and protects sensitive data. Whether you have an in-house IT team or hire an IT managed security service partner, you should build a plan to help protect personal information.
There’s no one-size-fits-all solution in managed security services because it’s dependent on the types of data your business has and your industry. But whatever your business, you need to have data security services that include effective methods to reduce your business’ risk of costly litigation, business closure, damaged brand image, and other consequences of data breaches.
According to the FTC, “the most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.” In the following, we share some of our recommended initial steps to take when designing and implementing a data security plan that respects data privacy and safeguards data.
Take Inventory.
One of the first steps is to understand the journey of data through your business. Be able to list how data are collected, which departments and systems collect data, and what data they collect and store. Data collection happens across all channels for the various needs of your business, so gather your business leaders from each department to get an accurate picture of how, where, and what data are collected.
Accounting, marketing, service, sales, HR, and IT are among the most common departments to collect, store, and use data. You can walk through your customer journey to identify the ways in which a consumer can share their personal data with your company, including email, chat, social media, apps, call center interactions, and print (direct mailing/faxing a document). When evaluating systems, consider if someone is likely to use a system to share sensitive information even if your business didn’t ask for the data, such as in comments fields. In your inventory, find out how long the data are stored, how they are stored (are they encrypted?), and what data are stored, because sensitive or personally identifiable information (PII) needs to be handled differently.
Next, you need to understand the types of data that are shared, stored, backed up, or purged.
Identify the Types of Data.
With your up-to-date inventory on how your data are collected and the location of the data, the next key step is to identify the types of data to which you have access. This step is important because if you have PII, such as Social Security numbers, credit card information, and health information, those data bring risk and are common targets for data theft. There are statutes that require companies to provide reasonable security to protect sensitive data including the Federal Trade Commission Act and the Fair Credit Reporting Act. To learn more, visit https://www.ftc.gov/tips-advice/business-center/privacy-and-security.
It’s important to evaluate which pieces of information are reasonable for your business to collect and what the reasonable length of time is for a business to keep those data. Don’t store and protect data unless your business needs them; otherwise, you raise the risk of data theft.
Identify Access.
Once you have a complete inventory of where, how, and what types of data you have, the next key step is to identify who has access to the data. You should work with your departments to track who has or could have access to personal information. Keep in mind that permissions, shared software, vendors, and contractors might all come into play.
Establish Policies.
Now that you know who has access, it’s paramount for you and your business leaders to work with your internal team or IT partner to design and implement employee policies, and then ensure employees follow the policies. Data security plans are built based on your business needs. The plan should include guidance for who should access data and should ensure you have the right employee, vendor, and contractor policies in place. Your data policies can include guidance around encryption, cleaning and purging data sets, backing data up and protecting sensitive data, and ensuring data aren’t stored unless they are absolutely needed.
Identify and Fix Issues.
It’s essential to respect data privacy and understand how your business manages data. You need to understand the types of data your business interacts with and the location of that data; plus, implement and manage policies around those learnings. Remember to continue to check for and understand vulnerabilities in your systems. When you identify issues, you need to fix them immediately.
Data privacy and your network security services don’t stop there, and to continue to learn more about security plans or speak with an expert, you can consult with our team at StrataDefense to help you implement an appropriate security plan for your business.