What You Need To Know About Data Protection
Your organization maintains a database containing a lot of information about your sales, your clients, your suppliers, and your employees. What if, as part of an internal control check, your auditor asked to see some of that information, and the disk carrying it disappeared on the way to the accountant's office?
You may not be a government department with millions of names on your files, but you still have a lot of important information within your control that needs to be protected. Here's why:
Data protection isn't just about legal compliance; it also has important practical considerations. For example, could your business still function if it were suddenly unable to access the data on its systems? If this information is essential to the organization's continued survival, treat it with an appropriate level of care.
Maintaining good data security standards, taking and testing backups regularly, and patching and updating application software keep your business running smoothly and ensure it is better able to prevent disruptions or intrusions. Security standards need to be applied to all information, including:
- Your business card collection or contacts in a personal organizer
- HR records on existing, potential, and ex-employees
- Outside supplier information: if you supply records to an outside supplier such as a payroll processor, recruitment agency, or mailing house, you must obtain a written undertaking from them that they, too, will protect the security and integrity of any personal data
- Customer and prospect databases
- Third-party mailing lists that you may buy or rent
Personal Security Compliance
Employee records need to be stored securely to prevent unlawful or unauthorized processing, loss, destruction, damage, or disclosure, and to keep your business in compliance with provincial and federal law. This means:
- Personal information is collected and processed fairly and lawfully
- Employee information is used only for limited, clearly explained purposes
- The information held is relevant to your organization's needs and not excessive in detail
- Employee records are accurate and up to date
- Records are kept no longer than necessary
- Information is processed in accordance with the rights of the individual
Information Security Strategy
Don't be fooled into thinking that information security is all about firewalls and anti-virus software. Information security is more about developing a rounded view of the risks associated with your information assets, and taking appropriate measures to reduce those risks. Setting down clear policies and teaching your team good security practices is often a more effective way to reduce risk than buying IT security systems, though you will probably need to do that too.
Acceptable Use Policy
No matter how small the organization, your information security strategy should start with an Acceptable Use Policy that sets down on paper what your employees should and shouldn't do, and what will happen to them if they do not abide by the policy. The rules should cover computer use, e-mail, and Internet access and should be applied consistently and without favour. Enforce the rules! Don't be tempted to overlook breaches, since failing to deal with employees who break the rules will encourage others to think they can get away with it too.
Information and its security need to be managed, so make someone responsible for it, and ensure appropriate systems are in place to keep it safe. This can be as simple as applying the rule of 'least privilege' and only allowing access to people who need to use the data; for example, keep paper records in locked filing cabinets with designated key holders who will only give the key to authorized employees. In a computerized system, the system administrator can control file access privileges with role-based security using IDs and passwords.
Safe computing starts with documenting all the information assets you hold and defining their function within the organization. Prioritize the protection of those assets according to the risks they present, either from unauthorized access, which might incur legal or regulatory action, or from accidental loss, which could have a consequent impact on your business.
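The two ideas above, an inventory of information assets ranked by risk and least-privilege access enforced through roles, fit together naturally in code. The following is an added example, not from the white paper: the asset register, roles, and user names are constructed for illustration, and access is denied unless one of a user's roles explicitly grants it.

```python
"""Least-privilege, role-based access over a small information-asset register.

Added example (not part of the original white paper). Assets, roles, and
users below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str          # person responsible for the asset
    access_risk: int    # impact of unauthorized disclosure (legal/regulatory), 1-5
    loss_impact: int    # impact on the business if the data is lost, 1-5


# Constructed asset register: every information asset you hold, with its owner
# and the two risks the white paper names (unauthorized access, accidental loss).
ASSETS = {
    "hr_records":        Asset("hr_records", "hr_manager", 5, 3),
    "customer_db":       Asset("customer_db", "sales_manager", 4, 5),
    "supplier_contacts": Asset("supplier_contacts", "ops_manager", 2, 3),
    "mailing_list":      Asset("mailing_list", "marketing_lead", 3, 1),
}

# Role -> {asset: allowed actions}. Anything not listed is denied (deny by default).
ROLE_PERMISSIONS = {
    "hr_clerk":      {"hr_records": {"read"}},
    "hr_manager":    {"hr_records": {"read", "write"}},
    "sales_rep":     {"customer_db": {"read"}},
    "sales_manager": {"customer_db": {"read", "write"}, "mailing_list": {"read"}},
    "sysadmin":      {},   # administers the system but needs no access to the data itself
}

# User -> roles (constructed). A user may hold several roles.
USER_ROLES = {
    "alice": {"hr_manager"},
    "bob":   {"sales_rep"},
    "carol": {"sales_manager", "hr_clerk"},
    "dave":  {"sysadmin"},
}


def is_allowed(user, action, asset):
    """Deny by default; permit only if one of the user's roles grants `action` on `asset`."""
    if asset not in ASSETS:
        return False
    for role in USER_ROLES.get(user, ()):
        if action in ROLE_PERMISSIONS.get(role, {}).get(asset, set()):
            return True
    return False


def who_can(action, asset):
    """Audit helper: which users can perform `action` on `asset`? Review this list regularly."""
    return sorted(u for u in USER_ROLES if is_allowed(u, action, asset))


def protection_priority():
    """Rank assets by combined risk (highest first) to decide where protection effort goes."""
    ranked = sorted(ASSETS.values(),
                    key=lambda a: (-(a.access_risk + a.loss_impact), a.name))
    return [a.name for a in ranked]


if __name__ == "__main__":
    print("Protect first:", protection_priority())
    for asset in protection_priority():
        print(f"{asset}: writers={who_can('write', asset)} readers={who_can('read', asset)}")
    print("bob may write customer_db:", is_allowed("bob", "write", "customer_db"))
```

The `who_can` report is the part worth running periodically: it turns the access matrix into a list a manager can check against who actually needs each asset, which is how over-privileged accounts are found before they become a disclosure.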
So how do we go about implementing an information security strategy?
IT Security Checklist
It's surprising how few companies bother to train employees in IT security. Training reduces your exposure to many threats and may support your position, should you ever be caught up in any legal or enforcement action. Don't limit training to a long list of things not to do, but cover good practices, some of which are documented in the following sections of this white paper.
Firewalls and anti-virus software can help reduce intrusions from hackers, but they are not much use if they are installed and then neglected, or used in isolation. An Internet firewall behaves like a computerized security guard, checking to see if incoming data has a valid reason to enter the premises, and keeping an eye on what goes out. Anti-virus software is more like an X-ray scanner, checking whether electronic packages coming into the building contain any malicious or dangerous material. Even if you have these systems, they will only work if you keep them up to date by regularly downloading and applying virus signature and system updates.
Stay on top of IT security by following this checklist:
Business Continuity Planning
Besides the possibility of losing your data through misuse, virus infection, or theft, your risk assessment should identify physical and mechanical threats such as fire, flood, civil disorder, and more common occurrences, such as spontaneous system and disk crashes or power failures.
Business continuity planning is all about taking steps to ensure you can cope with any of these disruptions. It is not practical to plan for every worst-case scenario, so you should try to work out how long you could keep going without a particular system or data source, and invest a sensible amount in insurance, backup services, or facilities to bring it back into operation within that time span. Thinking through the scenarios that could affect your organization and devising suitable recovery plans could save your company from going out of business.
A good business continuity plan should cover the following:
- Circumstances in which it would be applied
- Emergency procedures: what to do when disaster strikes
- Fallback procedures: how to bring business processes back online and how long it would take
- Backup systems and premises to enable you to resume normal operations
- A schedule for testing, reviewing, and updating the plan
- Training to make staff aware of the plans and their responsibilities in the event of any disruption
Here's a business recovery checklist to help kick-start your plan:
Good IT Housekeeping
Based on the principles set out so far, it should be obvious that regular housekeeping is a critical component of your security policy. This section sets out some practical things you can do to protect your data and keep your business systems running smoothly.
Patching and Updating. Because new viruses and vulnerabilities are appearing all the time, updating software is now a critical part of looking after any computer system. Make sure the person responsible for managing IT and data security has signed up with your operating system, anti-virus, and application software suppliers to receive their security alerts. And make sure all updates are installed.
Data Backups and Recovery. The basic strategy for protecting electronic data is to make backup copies on a regular basis and to store a copy off site. How often you take copies and how many you keep should be determined by your risk assessment and business continuity plans. But, unless you have very low processing volumes, consider making daily backups. If you only make weekly backups, you could lose up to a week's work. Let's review some of the common backup options available:
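A backup is only as good as the last time it was verified and restored, which is why the white paper pairs "taking" backups with "testing" them. The following is an added example, not from the white paper and not any product's code: it takes dated backups of a directory, records a SHA-256 checksum for each, verifies the copies, prunes old ones under a retention rule, and restores the newest copy to check it is usable. The directory names, file contents, and dates are constructed for the demonstration, and the simulated off-site store is just another local directory.

```python
"""Backup, verify, prune, restore: a small backup drill using only the standard library.

Added example (not part of the original white paper). All paths, files, and
dates are constructed for illustration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Checksum a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir, stamp):
    """Write backup-<stamp>.tar.gz of src_dir plus a .sha256 sidecar; return the archive path."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src_dir), arcname="data")
    Path(str(archive) + ".sha256").write_text(sha256_of(archive))
    return archive


def verify_backup(archive):
    """True only if the archive still matches the checksum recorded when it was taken."""
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists():
        return False
    return sidecar.read_text().strip() == sha256_of(archive)


def prune_backups(backup_dir, keep):
    """Keep the `keep` newest archives (ISO-dated names sort chronologically); return what remains."""
    archives = sorted(Path(backup_dir).glob("backup-*.tar.gz"))
    for old in (archives[:-keep] if keep else archives):
        old.unlink()
        sidecar = Path(str(old) + ".sha256")
        if sidecar.exists():
            sidecar.unlink()
    return [a.name for a in sorted(Path(backup_dir).glob("backup-*.tar.gz"))]


def restore_backup(archive, dest):
    """Extract the archive into dest and return the relative paths of the files restored."""
    dest = Path(dest)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # rejects unsafe members where supported
        except TypeError:
            tar.extractall(dest)                 # older interpreters lack the filter argument
    return sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file())


def run_drill():
    """Constructed end-to-end drill; returns the facts an auditor would want confirmed."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "hr").mkdir(parents=True)
        (live / "hr" / "employees.csv").write_text("id,name\n1,constructed example\n")
        (live / "customers.csv").write_text("id,company\n42,Example Ltd\n")
        offsite = Path(tmp) / "offsite"   # stands in for the off-site copy location

        # Three daily backups, as the white paper recommends for most businesses.
        archives = [make_backup(live, offsite, d) for d in ("2024-01-01", "2024-01-02", "2024-01-03")]
        all_verified = all(verify_backup(a) for a in archives)

        # Simulate media damage on the oldest copy: a single flipped byte must be caught.
        with open(archives[0], "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))
        damage_detected = not verify_backup(archives[0])

        remaining = prune_backups(offsite, keep=2)
        restore_dir = Path(tmp) / "restore"
        restored_files = restore_backup(offsite / remaining[-1], restore_dir)
        restored_customers = (restore_dir / "data" / "customers.csv").read_text()
        return {
            "all_verified": all_verified,
            "damage_detected": damage_detected,
            "remaining": remaining,
            "restored_files": restored_files,
            "restored_customers": restored_customers,
        }


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

The retention count and backup interval are the two knobs your risk assessment sets: `keep` bounds how far back you can recover, and the interval bounds how much work you can lose, so a weekly schedule with this script would still mean up to a week of lost entries, exactly the exposure the paragraph above warns about.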
Here's a checklist to help guide you through IT housekeeping essentials: