A sound data security plan is built on 5 key principles: 1. TAKE STOCK. Know what personal information you have in your files and on your computers.
Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees. This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers' trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business.

Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure.

A sound data security plan is built on 5 key principles:

1. TAKE STOCK. Know what personal information you have in your files and on your computers.
2. SCALE DOWN. Keep only what you need for your business.
3. LOCK IT. Protect the information that you keep.
4. PITCH IT. Properly dispose of what you no longer need.
5. PLAN AHEAD. Create a plan to respond to security incidents.

Use the checklists on the following pages to see how your company's practices measure up—and where changes are necessary.

1. TAKE STOCK. Know what personal information you have in your files and on your computers.

Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. You can determine the best ways to secure the information only after you've traced how it flows.

• Inventory all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment to find out where your company stores sensitive data. Also, inventory the information you have by type and location. Your file cabinets and computer systems are a start, but remember: your business receives personal information in a number of ways—through websites, from contractors, from call centers, and the like. What about information saved on laptops, employees' home computers, flash drives, digital copiers, and mobile devices? No inventory is complete until you check everywhere sensitive data might be stored.
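The "inventory the information you have by type and location" step can be partly automated for data that lives on file shares and laptops. The following script is an added example, not part of this brochure and not an FTC tool: it walks a directory tree, looks for two of the data types the text names (Social Security numbers and payment card numbers), and reports which files hold which type. The file tree it scans, the sample records in it, and the pattern choices are all constructed for the demonstration; a real inventory would add the other data types your business handles and run against the real locations found in the equipment inventory.

```python
import os
import re
import shutil
import tempfile

# Patterns for two data types the guide names: Social Security numbers and
# payment card numbers. The SSN pattern rejects area/group/serial values the
# SSA never issues (000, 666, 900-999 / 00 / 0000); the card pattern is loose
# on purpose and is narrowed by a Luhn check to cut down false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, then fold to one digit
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped values in a block of text, by type."""
    hits = {}
    ssn_count = len(SSN_RE.findall(text))
    if ssn_count:
        hits["ssn"] = ssn_count
    card_count = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            card_count += 1
    if card_count:
        hits["payment_card"] = card_count
    return hits


def inventory(root: str) -> dict:
    """Walk a directory tree and map each file (relative path) to the data types found in it."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_sensitive(fh.read())
            except OSError:
                continue  # unreadable file: skip it here, but note it in a real inventory
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def demo() -> dict:
    """Build a small constructed file tree (sample values, not real records) and inventory it."""
    root = tempfile.mkdtemp(prefix="inventory-demo-")
    try:
        os.makedirs(os.path.join(root, "hr"))
        os.makedirs(os.path.join(root, "sales"))
        samples = {
            "hr/payroll.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,234-56-7890\n",
            "sales/orders.txt": "order 1001 card 4111 1111 1111 1111 exp 12/29\n",
            "sales/notes.txt": "phone 555-123-4567, nothing sensitive here\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return inventory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

The Luhn check matters in practice: plain 16-digit regexes flag order numbers, tracking numbers and timestamps, and an inventory full of false positives is one nobody reads. Pattern matching of this kind only finds data in formats it knows, so the script is a supplement to the conversations with each department that the next page describes, not a replacement for them.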

• Track personal information through your business by talking with your sales department, information technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of:

Who sends sensitive personal information to your business. Do you get it from customers? Credit card companies? Banks or other financial institutions? Credit bureaus? Job applicants? Other businesses?

How your business receives personal information. Does it come to your business through a website? By email? Through the mail? Is it transmitted through cash registers in stores?

What kind of information you collect at each entry point. Do you get credit card information online? Does your accounting department keep information about customers' checking accounts?

Where you keep the information you collect at each entry point. Is it in a central computer database? On individual laptops? On a cloud computing service? On employees' smartphones, tablets, or other mobile devices? On disks or tapes? In file cabinets? In branch offices? Do employees have files at home?

SECURITY CHECK
Question: Are there laws that require my company to keep sensitive data secure?
Answer: Yes. While you're taking stock of the data in your files, take stock of the law, too. Statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information. To find out more, visit business.ftc.gov/privacy-and-security

2. SCALE DOWN. Keep only what you need for your business.

If you don't have a legitimate business need for sensitive personally identifying information, don't keep it. In fact, don't even collect it. If you have a legitimate business need for the information, keep it only as long as it's necessary.

• Use Social Security numbers only for required and lawful purposes—like reporting employee taxes. Don't use Social Security numbers unnecessarily—for example, as an employee or customer identification number, or because you've always done it.

SECURITY CHECK
Question: We like to have accurate information about our customers, so we usually create a permanent file about all aspects of their transactions, including the information we collect from the magnetic stripe on their credit cards. Could this put their information at risk?
Answer: Yes. Keep sensitive data in your system only as long as you have a business reason to have it. Once that business need is over, properly dispose of it. If it's not in your system, it can't be stolen by hackers.

• If your company develops a mobile app, make sure the app accesses only the data and functionality that it needs. And don't collect and retain personal information unless it's integral to your product or service. Remember, if you collect and retain data, you must protect it.

• Don't keep customer credit card information unless you have a business need for it. For example, don't retain the account number and expiration date unless you have an essential business need to do so. Keeping this information—or keeping it longer than necessary—raises the risk that the information could be used to commit fraud or identity theft.

• Scale down access to data. Follow the "principle of least privilege." That means each employee should have access only to those resources needed to do their particular job.

If you must keep information for business reasons, or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.
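A written retention policy is only useful if something actually applies it to the records on hand. The script below is an added example, not from the brochure: it encodes a retention schedule of the shape the text describes (what to keep, for how long, and what must never be collected, such as magnetic-stripe track data), honours a legal hold, and turns a set of records into a disposal work list as of a review date. The data types, retention periods and sample records are constructed placeholders, not legal guidance; a real schedule takes its periods from the statutes and business needs the policy documents.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: data type -> (retention period, reason). The
# periods are illustrative placeholders, not legal guidance. A None entry marks
# data the policy says never to collect or retain, per the SCALE DOWN guidance.
RETENTION = {
    "employee_tax_record": (timedelta(days=4 * 365), "required for employee tax reporting"),
    "order_shipping_address": (timedelta(days=180), "needed to fulfil and support orders"),
    "card_number_with_expiry": (timedelta(days=0), "no need after authorization; purge at next review"),
    "card_magstripe_track": None,
}


@dataclass
class Record:
    record_id: str
    data_type: str
    collected: date
    legal_hold: bool = False  # e.g. a litigation hold: overrides the schedule until lifted


def decide(rec: Record, today: date) -> str:
    """Return 'keep', 'dispose', or 'prohibited' for one record as of the review date."""
    rule = RETENTION.get(rec.data_type)
    if rule is None:
        # The policy says this type must never be held: a finding to escalate, not routine disposal.
        return "prohibited"
    if rec.legal_hold:
        return "keep"
    period, _reason = rule
    return "dispose" if today - rec.collected > period else "keep"


def review(records, today: date) -> dict:
    """Group record ids by the action the policy requires, as a disposal work list."""
    worklist = {"keep": [], "dispose": [], "prohibited": []}
    for rec in records:
        worklist[decide(rec, today)].append(rec.record_id)
    return worklist


# Constructed sample records; reviewed against a fixed date so the result is reproducible.
SAMPLE_RECORDS = [
    Record("tax-2021", "employee_tax_record", date(2021, 4, 15)),
    Record("tax-2019", "employee_tax_record", date(2019, 4, 15)),
    Record("ship-7781", "order_shipping_address", date(2023, 11, 1)),
    Record("ship-8102", "order_shipping_address", date(2024, 5, 20)),
    Record("auth-9930", "card_number_with_expiry", date(2024, 5, 29)),
    Record("hold-0042", "order_shipping_address", date(2023, 6, 1), legal_hold=True),
    Record("track-0001", "card_magstripe_track", date(2024, 5, 30)),
]

if __name__ == "__main__":
    for action, ids in review(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        print(action, ids)
```

Two design points carry over to any real implementation: prohibited data types are reported separately from routine disposal, because their presence means a collection control failed upstream and the intake process needs fixing, not just the file; and a legal hold is checked before the retention clock, so a scheduled purge never destroys records that must be preserved.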

3. LOCK IT. Protect the information that you keep.

What's the best way to protect the sensitive personally identifying information you need to keep? It depends on the kind of information and how it's stored. The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.

Physical Security

Many data compromises happen the old-fashioned way—through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee.

• Store paper documents or files, as well as thumb drives and backups containing personally identifiable information, in a locked room or in a locked file cabinet. Limit access to employees with a legitimate business need. Control who has a key, and the number of keys.

• Require that files containing personally identifiable information be kept in locked file cabinets except when an employee is working on the file. Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.

• Require employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.

• Implement appropriate access controls for your building. Tell employees what to do and whom to call if they see an unfamiliar person on the premises.

• If you maintain offsite storage facilities, limit employee access to those with a legitimate business need. Know if and when someone accesses the storage site.

• If you ship sensitive information using outside carriers or contractors, encrypt the information and keep an inventory of the information being shipped. Also use an overnight shipping service that will allow you to track the delivery of your information.

• If you have devices that collect sensitive information, like PIN pads, secure them so that identity thieves can't tamper with them. Also, inventory those items to ensure that they have not been switched.

Electronic Security

Computer security isn't just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer system, and follow the advice of experts in the field.

General Network Security

• Identify the computers or servers where sensitive personal information is stored.

• Identify all connections to the computers where you store sensitive information. These may include the internet, electronic cash registers, computers at your branch offices, computers used by service providers to support your network, digital copiers, and wireless devices like smartphones, tablets, or inventory scanners.
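The two General Network Security items above (know which machines hold sensitive data, then know every connection that reaches them) can be checked against what the network is actually doing. The script below is an added example, not from the brochure: it takes rows in the column layout of Linux `ss -tn` output, keeps only the connections that terminate on the hosts listed as holding sensitive data, labels each peer with the known source it belongs to (registers, branch office, service provider), and lists any peer that matches none of them. The host list, the known-source networks and the sample rows are all constructed for the demonstration.

```python
import ipaddress

# Constructed inventory of the hosts that hold sensitive data (hypothetical addresses).
SENSITIVE_HOSTS = {"10.0.0.5": "customer-db", "10.0.0.6": "payroll-app"}

# Constructed map of the connection sources the business already knows about,
# mirroring the kinds of connections the text lists.
KNOWN_SOURCES = {
    "10.0.1.0/24": "store cash registers",
    "10.0.2.0/24": "branch office LAN",
    "203.0.113.0/24": "service provider VPN",
}
KNOWN_NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in KNOWN_SOURCES.items()]

# Constructed sample in the column layout of `ss -tn`: State, Recv-Q, Send-Q, Local, Peer.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.0.5:5432        10.0.1.17:51234
ESTAB  0      0      10.0.0.5:5432        10.0.2.9:40112
ESTAB  0      0      10.0.0.5:22          203.0.113.44:59800
ESTAB  0      0      10.0.0.5:5432        198.51.100.23:44321
ESTAB  0      0      10.0.0.6:443         10.0.1.17:51300
ESTAB  0      0      10.0.0.9:443         10.0.2.9:40500
"""


def parse_connections(text: str) -> list:
    """Parse ss-style rows into (local_host, local_port, peer_host, peer_port) tuples."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":  # skip blank rows and the header
            continue
        local_host, local_port = parts[3].rsplit(":", 1)
        peer_host, peer_port = parts[4].rsplit(":", 1)
        conns.append((local_host, int(local_port), peer_host, int(peer_port)))
    return conns


def classify_peer(peer_host: str) -> str:
    """Label a peer with the known source network it falls in, or UNKNOWN."""
    addr = ipaddress.ip_address(peer_host)
    for net, label in KNOWN_NETWORKS:
        if addr in net:
            return label
    return "UNKNOWN"


def connection_inventory(text: str) -> dict:
    """Map each sensitive host to the connections reaching it, each labelled by source."""
    report = {}
    for local_host, local_port, peer_host, _peer_port in parse_connections(text):
        name = SENSITIVE_HOSTS.get(local_host)
        if name is None:
            continue  # not a host that holds sensitive data
        report.setdefault(name, []).append(
            {"port": local_port, "peer": peer_host, "source": classify_peer(peer_host)}
        )
    return report


def unknown_peers(text: str) -> list:
    """Peers of sensitive hosts that match no known source: the gaps in the connection inventory."""
    return sorted({c["peer"] for conns in connection_inventory(text).values()
                   for c in conns if c["source"] == "UNKNOWN"})


if __name__ == "__main__":
    for host, conns in connection_inventory(SAMPLE_SS).items():
        print(host, conns)
    print("unknown peers:", unknown_peers(SAMPLE_SS))
```

An unknown peer is not automatically an intruder; it is usually a connection nobody wrote down (a new scanner, a copier, a contractor's laptop). Either way it belongs in the inventory before it can be judged, which is exactly the point of the "identify all connections" step.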
