BreachExchange mailing list archives
Gavel to Gavel: Establishing a Data Security Program
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 May 2015 19:14:44 -0600
http://www.jdsupra.com/legalnews/gavel-to-gavel-establishing-a-data-secu-38723/

The ever-increasing expense of corrective actions taken by companies after data breaches occur is often publicized. What is not as apparent, or as publicized, are the steps companies can take that may reduce the costs and the likelihood of such breaches.

Step 1: Know what you have and where. At the outset, identify the data that your company holds and any particular legal protections that are afforded that data. Besides proprietary company data and employee data, the company may possess "personal information" of its individual customers as defined by state statutes and/or "protected health information" as defined by HIPAA, both of which are subject to additional requirements. You should also inventory the places where that data lives, including any devices on which it may be transported, such as servers, mobile devices, laptops, flash drives, and/or the cloud.

Step 2: Develop a plan to appropriately protect your data. Assess the risks involved in your current data practices and identify and prioritize any changes needed. Because certain statutes or regulations may mandate stronger protections, including limitations on accessibility for particular data, some changes may be necessary regarding where data is stored or transported and who has access to it.

Step 3: Know what to do, and who will do it, before a breach occurs. State statutes often require specific steps to be taken should a breach occur, so correctly identifying a breach is critical. An established plan and point person can ensure consistent and timely action, which may mitigate the impact of a breach. A recent study by the Ponemon Institute indicated that the costs resulting from data breaches may be reduced with appropriate process management, including having a plan in place to address such breaches.
More importantly, your customers will receive timely and correct information from you, rather than from someone else, about any breach involving their information and the steps that are being taken to reduce any harm to them. While a data breach is not 100% preventable, taking a few proactive steps can reduce the risk of a breach occurring, reduce your company’s response time should a breach occur and, ultimately, reduce the damage realized by your company and its customers.