Keeping your data private has always been the fundamental goal of IT security. Today, confidentiality of private data is more critical than ever due to the legal implications of unintended data disclosure. We’ve all read the horror stories about USB drives, backup tapes, or laptops being stolen and costing a company millions in reputational damage, lost revenue and fines.
Interestingly, the majority of disclosures can be prevented by following a solid security policy, and that all starts with a Confidential Data Policy. This policy works closely with the Data Classification Policy to spell out exactly how confidential data is to be handled.
The following nine questions need to be answered when evaluating security controls for confidential data:
- What is considered confidential data to your company?
- Do you store confidential data about your customers, partners, or employees?
- Where is your confidential data stored?
- How is your confidential data transmitted across and between networks?
- Is your confidential data accessed by remote users?
- Is your confidential data taken offsite?
- Is your confidential data protected by encryption or other security controls?
- How are backups or copies of confidential data handled and stored?
- How do your users interact with confidential data?
There are a lot of factors to consider when determining how to protect your company’s confidential data. A Confidential Data Policy will answer all these questions, helping shape your company’s strategy for dealing with confidential data and educating users on the secure use of that data.
But what happens if the worst occurs and a breach takes place? How do you determine the severity of the breach and what steps to take in response?
That is where an Incident Response Plan comes in. An Incident Response Plan specifies exactly how your organisation will handle a suspected security incident. Topics covered in this policy include:
- Classifying the incident
Was it a physical incident such as a loss or theft of a laptop, or was it an electronic incident or attack?
Incidents should stay private until they have been properly investigated and the company determines the scope of the breach and how to respond.
- Step-by-step actions to take in response to various types of incidents
This should be detailed in advance so that critical decisions aren’t being made when individuals are operating in “crisis mode.”
After the incident has been investigated, if any third-party data was involved, notification of those parties may be necessary. Mandatory notification to government agencies may also be required.
- Preparation and Risk Management
Actions taken before an incident have a much greater impact on the severity of the incident than responses after the fact. There are numerous ways to mitigate risk and prepare ahead of time, should the worst occur.
When paired with other security policies, such as a Confidential Data Policy and a Network Security Policy, and a solid overall security strategy, your company can significantly reduce its risk of a security incident.