BreachExchange mailing list archives

Gavel to Gavel: Establishing a Data Security Program


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 May 2015 19:14:44 -0600

http://www.jdsupra.com/legalnews/gavel-to-gavel-establishing-a-data-secu-38723/

The ever-increasing expense of corrective actions taken by companies after
data breaches occur is often publicized. What is not as apparent, or as
publicized, are steps companies can take that may reduce the costs and the
likelihood of such breaches.



Step 1: Know what you have and where. At the outset, identify the data that
your company holds and any particular legal protections that are afforded
that data. Besides proprietary company data and employee data, the company
may possess “personal information” of its individual customers as defined
by state statutes and/or “protected health information” as defined by HIPAA,
each of which is subject to additional requirements. You should also inventory
the places where that data lives, including the systems and media on which it
is stored or transported, such as servers, mobile devices, laptops, flash
drives, and/or the cloud.


Step 2: Develop a plan to appropriately protect your data. Assess the risks
involved in your current data practices and identify and prioritize any
changes needed. Because certain statutes or regulations may mandate
stronger protections, including limitations on accessibility for particular
data, some changes may be necessary regarding where data is stored or
transported and who has access to it.



Step 3: Know what to do, and who will do it, before a breach occurs. State
statutes often require specific steps to be taken should a breach occur, so
correctly identifying a breach is critical. An established plan and point
person can ensure consistent and timely action, which may mitigate the
impact of a breach. A recent study by the Ponemon Institute indicated that
the costs resulting from data breaches may be reduced with appropriate
process management, including having a plan in place to address such
breaches. More importantly, your customers will receive timely and correct
information from you, rather than from someone else, about any breach
involving their information and the steps that are being taken to reduce
any harm to them.



While a data breach is not 100% preventable, taking a few proactive steps
can reduce the risk of a breach occurring, reduce your company’s response
time should a breach occur and, ultimately, reduce the damage realized by
your company and its customers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
