Information Security and Data Privacy
I recently participated in a webinar entitled “The Dos and Don’ts of Information Security and Data Privacy”. The webinar itself was aimed more towards individuals who work in the IT field; however, it got me thinking: how can something such as data and information security be recognized and protected by every part of a company, not just the IT department? Keeping your information secure is not just the responsibility of the IT department, but of every employee.
As the presenter of the webinar, Mark Perl, stated: assume that a breach will happen, and prepare for it so that the damage can be minimized as much as possible.
So what can an organization do to protect itself against a breach and, when one does happen, keep the damage to a minimum?
- Have a current network diagram and identify your information assets
- Determine what the cost would be, should there be a breach
- Enhance policies that lower risk of compromise and increase protection of information
- Look into any third-party vulnerabilities (vendors, contractors, hosted services that hold your data) and take steps to reduce exposure
- Conduct a privacy impact assessment (PIA) when dealing with a new project, program or process. You can find a resource for PIAs here.
Making sure all of your staff are properly authenticated, and only given the access they need, is extremely important:
- Require authorization for access to systems and networks; only those with their own ID and password may have access
- Define access needs for all employees; does an admin assistant need access to all your financials and personnel files? Probably not
- Make sure all staff have their own ID and password, and that they are not sharing these with other staff or outside individuals; a shared account makes an audit trail useless, because you can no longer tell who did what
Monitor Security Controls and Company Resources
Make sure your organization has the proper physical safeguards:
- Code or key entry to the building
- Physically secure sensitive media behind locked doors, cabinets, etc.
- Store backups in a safe, off site location
- Have locked “shred” bins
Some other ways to safeguard important information are to track all access, implement audit trails, and have all systems on a time-out that logs a user off (or locks the session) after a set period of inactivity, etc.
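The access-control points above (each employee has their own ID, access is limited to what the role needs, every access is recorded, and idle sessions are timed out) can be put together in a few dozen lines. The following is an added example, not code from the original post or the webinar; the roles, resources, host names and the 15-minute idle limit are illustrative assumptions. It also flags the case the post warns about, one ID used from two workstations at once, which is what credential sharing tends to look like in an audit trail.

```python
"""Least-privilege access checks, idle time-out and an audit trail.

Added example (not from the original post). Roles, resources, host names and
the 15-minute idle limit are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # assumption: log idle users off after 15 minutes

# Least privilege: each role lists only the resources that role needs.
# (Assumed roles/resources; an admin assistant does not get the financials.)
ROLE_PERMISSIONS = {
    "admin_assistant": {"calendar", "contacts"},
    "accountant": {"calendar", "financials"},
    "hr": {"calendar", "personnel_files"},
}


@dataclass
class Session:
    user: str
    role: str
    host: str
    last_activity: datetime


@dataclass
class AccessControl:
    sessions: dict = field(default_factory=dict)   # user -> Session
    audit_log: list = field(default_factory=list)  # one line per event, allowed or denied

    def _record(self, when, user, action, resource, outcome):
        # Every attempt is logged, including denials: that is the audit trail.
        self.audit_log.append(
            f"{when.isoformat()} user={user} action={action} resource={resource} outcome={outcome}"
        )

    def login(self, user, role, host, now):
        if role not in ROLE_PERMISSIONS:
            self._record(now, user, "login", "-", "DENIED unknown role")
            return False
        existing = self.sessions.get(user)
        if existing and existing.host != host and now - existing.last_activity < IDLE_TIMEOUT:
            # The same ID is still active on another host: possible credential sharing.
            self._record(now, user, "login", "-", f"ALERT concurrent session from {existing.host}")
        self.sessions[user] = Session(user, role, host, now)
        self._record(now, user, "login", "-", f"OK host={host}")
        return True

    def access(self, user, resource, now):
        session = self.sessions.get(user)
        if session is None:
            self._record(now, user, "access", resource, "DENIED no session")
            return False
        if now - session.last_activity >= IDLE_TIMEOUT:
            # Idle too long: the session is dropped and the user must log in again.
            del self.sessions[user]
            self._record(now, user, "access", resource, "DENIED session timed out")
            return False
        if resource not in ROLE_PERMISSIONS[session.role]:
            self._record(now, user, "access", resource, f"DENIED role={session.role}")
            return False
        session.last_activity = now
        self._record(now, user, "access", resource, "OK")
        return True


def demo():
    """Constructed scenario; returns (outcomes, audit_log) for inspection."""
    ac = AccessControl()
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    outcomes = [
        ac.login("alice", "admin_assistant", "ws-12", t0),
        ac.access("alice", "calendar", t0 + timedelta(minutes=1)),     # permitted
        ac.access("alice", "financials", t0 + timedelta(minutes=2)),   # outside her role
        ac.login("alice", "admin_assistant", "ws-40", t0 + timedelta(minutes=3)),  # second host
        ac.access("alice", "calendar", t0 + timedelta(minutes=30)),    # idle > 15 min
    ]
    return outcomes, ac.audit_log


if __name__ == "__main__":
    _, log = demo()
    print("\n".join(log))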
Keep Your Software Updated
Having virus protection is great, but make sure it is up to date; otherwise you could be leaving your systems open to malware that has evolved past the reach of your old signatures. The same applies to the operating system and applications themselves: apply security patches promptly, since attackers routinely exploit known vulnerabilities for which a fix has long been available.
Learn from Your Mistakes
So a breach does happen; it is going to. Learn from your mistakes. As soon as you learn of a breach, whether from an internal or external source, identify it, determine what information has been compromised, and contain it.
From there, you recover. Improve your organization’s incident response plan, update security awareness training, etc.
The office of the Saskatchewan Information and Privacy Commissioner has various resources for those with questions related to privacy and steps they can take to reduce the possibility of a breach. These resources can be found here.
The Privacy Commissioner of Canada has a wealth of information aimed at giving guidance to individuals and companies in regards to protecting personal and sensitive information. One such document is Ten Tips for Reducing the Likelihood of a Privacy Breach, aimed at companies.