9 questions to ask when handling Confidential Data

23/12/16 09:42


Keeping your data private has always been the fundamental goal of IT security. Today, confidentiality of private data is more critical than ever due to the legal implications of unintended data disclosure. We’ve all read the horror stories about USB drives, backup tapes, or laptops being stolen and costing a company millions in reputational damage, lost revenue and fines.

Interestingly, the majority of disclosures can be prevented by following a solid security policy, and that all starts with a Confidential Data Policy. This policy works closely with the Data Classification Policy to spell out exactly how confidential data is to be handled.

The following nine questions need to be answered when evaluating security controls for confidential data:

  1. What is considered confidential data to your company?
  2. Do you store confidential data about your customers, partners, or employees?
  3. Where is your confidential data stored?
  4. How is your confidential data transmitted across and between networks?
  5. Is your confidential data accessed by remote users?
  6. Is your confidential data taken offsite?
  7. Is your confidential data protected by encryption or other security controls?
  8. How are backups or copies of confidential data handled and stored?
  9. How do your users interact with confidential data?

There are a lot of factors to consider when determining how to protect your company’s confidential data. A Confidential Data Policy will answer all these questions, helping shape your company’s strategy for dealing with confidential data and educating users on the secure use of that data.

But what happens if the worst occurs? What if a breach occurs? How do you determine the severity of the breach and what steps to take in response?

That is where an Incident Response Plan comes in. An Incident Response Plan specifies exactly how your organisation will handle a suspected security incident. Topics covered in this policy include:

  1. Classifying the incident
    Was it a physical incident such as a loss or theft of a laptop, or was it an electronic incident or attack?

  2. Confidentiality
    Incidents should stay private until they have been properly investigated and the company determines the scope of the breach and how to respond.

  3. Step-by-step actions to take in response to various types of incidents
    This should be detailed in advance so that critical decisions aren’t being made when individuals are operating in “crisis mode.”

  4. Notification
    After the incident has been investigated, if any third-party data was involved, notification of those parties may be necessary. Mandatory notification to government agencies may also be required.

  5. Preparation and Risk Management
    Actions taken BEFORE an incident have a much greater impact on the severity of the incident than responses after the fact. There are numerous ways to mitigate risk and prepare ahead of time, should the worst occur.

When paired with other security policies, such as a Confidential Data Policy and a Network Security Policy, and a solid overall security strategy, your company can significantly reduce its risk of a security incident.




Written by Berkeley

Founded in the late 1990s, Berkeley serves clients all over the world including Australia, Asia, North America and the Middle East. Berkeley operates three core divisions: Enterprise Application Development (design, development and enhancement of our offerings), Enterprise Security and Systems Support Services (ongoing commitment to client service) and Internet and Cloud Services (making Berkeley applications available using alternative hardware solutions). Berkeley continuously strives to meet the needs of each of its valued clients. Its success has been heavily dependent on repeat/referred service based on its willingness to help information security specialists do their jobs better. Berkeley prides itself on delivering solutions on time, within budget and in accordance with specification.