We know we have data that needs protection – employee and customer personal information, and also confidential business information and trade secrets. Our IT group says that they have things under control, but that’s just for our network systems. What about all the ways that data can be compromised without our network controls noticing – a mistaken publication, an insider threat, a lost or stolen device? And what about our sensitive data in the custody of our service providers? Our regulators are cracking down on data security, and I’m not confident that we truly understand our risks or have adequate security policies and controls in place.
An information security program is more than simply a compliance requirement. Assessing risk and establishing effective, measurable security controls are essential elements for protecting your information assets. Important steps include:
- Identifying applicable data security requirements (HIPAA, Gramm-Leach-Bliley, FERPA, state data security and breach notification laws, PCI-DSS, and contractual requirements, among others);
- Conducting a data security risk assessment to help identify gaps and confirm needed controls;
- Establishing compliant data security and incident response plans, policies, and procedures;
- Coordinating data security and data management to allow content to be classified for security controls;
- Ensuring that service provider agreements adequately address data security;
- Instituting a data security awareness program to educate employees on current threats and how they are the first line of defense;
- Reviewing data security risk allocation and cyber-liability insurance coverage; and
- Defensibly disposing of unnecessary information to mitigate risk.