Creating a Confidentiality Plan

Introduction

In today's economy, having a security program for protecting data is critical. In fact, a recent survey of leading data security professionals indicates that the most glaring error with regard to safeguarding information is not having a proper data management process in place. IT executives, department heads, and other leaders should take steps to prepare their company against hackers, identity thieves, and malicious software that can access or steal confidential information. Data breaches are the most common form of privacy risk, and are estimated to cost the United States economy as much as $2 trillion by 2019.

In order to properly prepare against such threats, companies need to make data security a priority, not an afterthought. Developing and implementing a data management process that considers security through every phase of the data life cycle is the only way to fully equip an organization against cyber crime and data breaches.

Basics of Secure Data Management

Securing data entails preventing unauthorized access to confidential and private information, documents, or drives. Criminals such as identity thieves will often attempt to obtain this information by stealing passwords, spoofing login credentials, and recovering data from improperly destroyed drives. Basic preventative measures include developing an awareness of possible threats, designing a secure data management process, and maintaining persistent oversight of company activity.

Self-assessment

To determine whether your organization needs updated data governance procedures, executives should perform a self-assessment. This will identify how data affects your brand, public image, customer relations, partnerships, and interactions with stakeholders.

There are a few techniques for conducting a self-assessment:

  1. Evaluate the organization's current technology, as well as the personnel who have access to it and the processes and policies which regulate how they interface with it.
  2. Appraise information based not only on its type, but also on the impact it could have on the organization. This includes ensuring compliance with applicable laws and legislation.
  3. Identify key individuals who are responsible for security protocols and data management.

Self-assessments should be conducted with the input of employees at every level of the organization. This approach allows a company to compare results across the organization and avoid biases based on position within the hierarchy. However, for a broader and more objective view of your results, you should consider using a third-party consultant or analyst. They will be able to improve the quality of the data you generate from the assessment.

Industry Specific Legislation

There are many federal laws and industry best practices for guiding a company in the proper management of personal information. Many of these laws recommend that companies institute proper safeguards for handling and disposing of information, and provide industry-specific stipulations. The most prevalent laws are outlined below.

  • HIPAA - Health Insurance Portability and Accountability Act of 1996
    • Medical and Insurance Fields
    • HIPAA is a piece of legislation which regulates any institution that has access to patient information. It requires them to implement physical and technical safeguards for sensitive data.
  • HITECH - The Health Information Technology for Economic and Clinical Health Act
    • Health and Insurance Fields
    • The HITECH Act is legislation which enhances HIPAA enforcement. It institutes provisions for companies that experience security breaches or otherwise violate HIPAA. These provisions include reporting such breaches or violations to the United States Department of Health and Human Services and the Federal Trade Commission in a timely manner.
  • GLBA - Gramm-Leach-Bliley Financial Services Modernization Act of 1974
    • Financial and Lending Institutions
    • This is a federal law which governs consumers' financial information and mandates that companies provide notices to consumers which explain the business's information sharing activities.
  • FCRA - Fair Credit Reporting Act of 1999
    • Consumer and Credit Reporting Bureaus
    • The FCRA requires consumer reporting agencies and other organizations that gather and sell credit information to notify consumers of their lawful rights, and to investigate complaints and disputes from consumers regarding their private financial information. This law discourages consumer reporting agencies from negligently or purposefully manipulating or misrepresenting consumer information in consumer credit reports.
  • FACTA - Fair and Accurate Credit Transactions Act of 2003
    • Financial Institutions
    • Another piece of federal legislation and an extension of the FCRA, FACTA regulates data destruction and disposal protocols for businesses or individuals that possess information from consumer reports. It is intended to thwart identity theft by ensuring that consumer information cannot be recovered or reconstructed after data destruction occurs.
  • SOC 1
    • Financial Reporting Agencies
    • The first of the Service Organization Controls, SOC 1 regulates controls pertaining to financial reporting. It measures the controls a data center reports for itself, and tests the veracity of those reports over a predetermined interval.
  • SOC 2
    • IT and Data Service Providers
    • This report and audit measures the security, availability, processing accuracy, confidentiality, and privacy controls of IT and data center systems. Auditors will determine the system's operating effectiveness.
  • SOC 3
    • IT and Data Service Providers
    • This is an extension of the SOC 2 audit which will also verify websites and similar documents.

Building and Implementing a Secure Data Management Process

In today's economy, where data exchange is necessary for operational functionality, companies that do not have security protocols in place risk damage to their public image and costly civil and criminal litigation. Fortunately, executives can safeguard their company's data, and the company itself, with a well-developed and properly instituted data management process.

Registering and Organizing Devices

The first step in securing confidential data involves organizing and cataloguing any and all devices and storage media which will store or interface with private information. This of course includes company desktops and tablets, but there are other considerations as well. For example, more and more work is being done through Internet of Things-enabled devices and frameworks. Companies need to include IoT technology in their registers and indexes.

Computers and devices which interact with confidential data need to be tracked upon purchase or receipt and entered in a register which identifies them by their own serial number and by the serial number of their hard drive or SSD. This allows security personnel to trace the device and ensure that it is properly disposed of when necessary.

Data Management

Once new technology is properly registered, it can enter active use by being incorporated into the company's security protocols. These are a set of regulations and policies which govern the use of sensitive information and employee behavior. There should be provisions for:

  • data encryption;
  • monitoring the use of a device when it leaves company environments;
  • erasing default login credentials;
  • prohibiting the sharing of passwords or user names;
  • contingency plans in the event of loss or theft of a device;
  • employee training to spot phishing or similar unauthorized access attempts;
  • maintaining agreements with third-party vendors and suppliers about conforming to internal security measures; and
  • complying with relevant legislation regarding the handling of private and confidential information.

A security officer or officers should be appointed to enforce these protocols, and will most likely come from an IT or similar department.

Industry Standards

Of special interest to security personnel are data destruction policies. Special regulations, such as the Federal Trade Commission's Disposal Rule, apply here. Previously, the Department of Defense's Standard 5220.22-M was a benchmark for standard disposal practices, but it is outdated and has been supplanted by the National Institute of Standards and Technology's Special Publication 800-88. This document was released in 2006 and updated in 2012, and provides minimum data sanitization recommendations and valuable guidelines for different types of storage media. It also has suggestions for data destruction measures beyond degaussing, such as encrypted overwriting and physical destruction.
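As an added example that is not part of the original post or of Clarabyte's products, the following Python sketch ties the device register described under Registering and Organizing Devices to the disposal policy above: a device is keyed by its own serial and its drive's serial, and cannot be marked disposed until a sanitization method the policy accepts for its media type has been recorded. The media types, method names, serials and the policy table are constructed placeholders, loosely named after the NIST SP 800-88 clear/purge/destroy categories.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy table (not from the post): media type -> sanitization methods
# accepted before disposal, in NIST SP 800-88 clear/purge/destroy wording.
# Degaussing is deliberately absent for SSDs, where it does not remove data.
ACCEPTED_METHODS = {
    "hdd": {"purge:degauss", "purge:overwrite", "destroy:shred"},
    "ssd": {"purge:crypto_erase", "purge:block_erase", "destroy:shred"},
}

@dataclass
class Device:
    device_serial: str                  # chassis / asset serial
    drive_serial: str                   # HDD or SSD serial, tracked separately
    media: str                          # "hdd" or "ssd"
    sanitized_by: Optional[str] = None  # method recorded before disposal
    disposed: bool = False

class DeviceRegister:
    # Keyed by both serials so a loose drive can be traced to its device.
    def __init__(self):
        self._by_device = {}
        self._by_drive = {}

    def register(self, dev):
        # Refuse duplicates: two records for one serial defeat tracing.
        if dev.device_serial in self._by_device or dev.drive_serial in self._by_drive:
            return False
        self._by_device[dev.device_serial] = dev
        self._by_drive[dev.drive_serial] = dev
        return True

    def find_by_drive(self, drive_serial):
        return self._by_drive.get(drive_serial)

    def record_sanitization(self, device_serial, method):
        # Only a method the policy accepts for this media type is recorded.
        dev = self._by_device[device_serial]
        if method not in ACCEPTED_METHODS.get(dev.media, set()):
            return False
        dev.sanitized_by = method
        return True

    def dispose(self, device_serial):
        # Disposal gate: no recorded sanitization, no disposal.
        dev = self._by_device[device_serial]
        if dev.sanitized_by is None:
            return False
        dev.disposed = True
        return True
```

In practice the register would be persisted and the sanitization record would carry who performed it, when, and the verification evidence the standard asks for; the gate logic stays the same.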

Persuading Management and Peers to Adopt the Process

A well-designed security process is powerless without the support of key personnel. Decision makers such as executives or board members will typically have to sign off on a new policy of this magnitude, and enlisting their endorsement can be difficult. However, there are several strategies to persuade these individuals to become advocates.

  1. Identify the Necessity for New Procedures

You must have an awareness of why your company needs to develop or upgrade its security protocols. A self-assessment or third party consultation can help determine problem areas.

  2. Choose the Appropriate Time

Knowing when to attempt to change is as important as knowing what to change. Rather than rushing to make a pitch, you should choose an opportunity where the disruption your proposal may cause will be minimized. When a new project is offered at the right time, it will acquire the requisite buy-in to build momentum and support.

  3. Cast a Compelling Vision

Nothing will help motivate stakeholders more than a persuasive vision. Simply stating the risks of current procedures and suggesting solutions is not enough. Your message should be concise and clearly communicated. Key influencers should be prioritized and sought out for support first. Also, these leaders should be included in a call to action for the organization; rather than trying to persuade them to agree with your position, you should persuade them to adopt and champion it.

  4. Showcase your Knowledge and Competence

In order for the proposal to be taken seriously, you must be able to overcome resistance by defending it and answering questions. A Clarabyte professional can help you to successfully convey your message with their expertise and technical capabilities.

Often, proposals are rejected not because they lack potential, but because they are ineffectively communicated. Proper timing, clear and concise communication, and a convincing message will all improve the program's chances of success.

Implementation and Support

Gaining approval for a secure data management process is only the first step. After it is implemented, you must take action to ensure that it is carried out properly.

At this stage, helping employees to adopt this new policy is critical. Again, a clear vision is key in helping them to understand the necessity for change, and will provide a picture of the future for them. You should eliminate impediments to change and help them overcome inertia by generating short-term goals. Recognize that change is a process, and be ready to guide the organization and support your proposal until it is adopted throughout the company.

Protect Yourself

The cost of implementing a secure data management process with the features described here is far less than the cost of a data breach. Furthermore, expenses can be mitigated through the intelligent use of security software and activities. For example, the Clarabyte suite offers complete security solutions for every stage of the data life cycle. Their software and systems provide tailored approaches that protect corporations and their sensitive information from the moment it enters the company's systems. Take a Clarabyte Security Audit today to verify how well prepared your company is.
