In my last post, we established a foundation of control with the first seven steps to smarter security. This is the base on which we can build sound management practices, which is what we’ll cover in Steps 8 through 14.
8. Set up a How-to Plan for Managing an Information Breach
When a breach happens, it’s imperative to:
• Identify it and escalate to the appropriate management and subject matter expert resources within the organization to initiate the launch of a deliberate breach response plan.
• Investigate it with a structured process and appropriate resources to determine its source, scope, duration and cause.
• Report and provide notification both internally and externally as company policy, your contractual commitments and the law may require.
• Remediate and recover, which simply amounts to stopping the immediate information leakage and fixing the problem.
• Assist the victims. It makes moral, business and financial sense to help the people your breach may have jeopardized. This can be through offering a victim assistance service which is appropriate to the facts, circumstances and nature of the breach and compromised information. This may include providing them with the opportunity to review their credit reports and on-going credit and public records monitoring through reputable services such as Identity Theft 911.
9. Check and Double-Check Your 3rd Party Contracts
If you hire third-party vendors or consultants, make sure their data practices are as safe as your own – especially if they handle or have access to sensitive data within your organization. All contracts with third parties that handle your data should address specific data-handling and security practices. A must-have clause: If data is lost or otherwise compromised, your company will be notified within 24 hours or less of discovery.
10. Pre-employment and Hiring—Screen, Vet and Verify
Employees play a key role in the security of our business. Good hiring practices are critical to success. This includes the proper vetting, verification, on-boarding, orientation and training of employees. It is especially important to have good security practices when an employee leaves the company, whatever the reason. This brings us to:
11. Managing Security Related to Personnel Turnover
Hiring and firing: the two critical times when you need to have tight employee practices in place. You don’t want to let the devil in the door, and if you throw him out you want to make sure he’s not taking anything with him. Make sure your company has a policy, and operational execution of that policy, that addresses data protection, remote access and computer account privileges during terminations; it should provide for securing company property, password changeovers both within the company and with outside vendors, coupled with a good theft prevention plan.
12. Physical Security—A Safe Work Environment is an Effective Work Environment
The practice of good office security coupled with sound control practices is essential to office safety and data security. With a little practice and support, it becomes habit and doesn’t have to be a burden. Solutions are as easy as:
• Paying attention to office security before, during, and after hours;
• Keeping the opening, closing and parking areas well lit for the security of employees, clients and visitors;
• Enforcing visitor security with clear check-in, check-out procedures;
• Locking file cabinets and areas where sensitive data and financial records are kept;
• Keeping servers and sensitive computer data in separate locked areas.
13. Workspace Security
This is Step 12 applied to people. Do you have a “clean desk” policy in place? Are shredders available and shredding policies on the books for documents with personal identifiers such as Social Security numbers and other sensitive information? Are secure passwords required? Are there policies and audit practices against posting passwords on notes near computers? Are the workstations set up with automatic screen time-outs requiring passwords to regain access?
14. Protecting Your Bank Accounts
Small and mid-tier businesses tend to be notoriously under-informed in banking matters. They often assume their bank will protect them in the event of a counterfeit check or unauthorized transaction being posted against their account. That’s a fatal assumption. It’s imperative to understand the minutiae of your Account Holder’s Agreement, what other supportive account protection services are available and what they cost.
Now, with data protection people, policies and plans in place, the next set of steps addresses the ground where many other managers start: tech.
Brian McGinley, Senior Vice President of Data Risk Management,
With more than 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.