BreachExchange mailing list archives

4 key elements of a successful data privacy policy


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 18 Nov 2015 18:18:59 -0600

http://www.bizjournals.com/denver/how-to/technology/2015/11/4-key-elements-of-a-successful-data-privacy-policy.html

The news these days is all but overrun with stories of hackers,
cyberattacks, cyberterrorism and the importance of cybersecurity.

While concerns about external threats to network security are completely
valid (I think Target and its former CEO would vouch for us here), they are
only one side of the coin.

To be truly secure, you have to look at not only how easily outside forces
can make their way into your network, but also how easily your sensitive
data can make its way from the inside of your network out.

This is especially critical if your organization handles sensitive data in
any capacity. How can you be sure that you have a firm grasp on where your
data is going? By creating and enforcing a thorough data privacy policy.

Putting this policy together, of course, can be easier said than done.
That’s why we at Optimal hear a lot of questions about what elements a
successful data privacy policy needs to address (and if we aren’t hearing
these questions, you can bet that we’re asking them).

There are many factors to consider when creating a data privacy policy, but
we’ll break down the key elements you absolutely must address with your
policy below.

1. Your data

Before you can make any progress with a data privacy policy, you must first
understand what kind of data your organization handles on a day-to-day
basis. This is fundamental to determining how strict your data privacy
policy needs to be, and how much effort you need to dedicate to enforcing
it. Ask yourself:

   - Do you handle data that is subject to compliance regulations?
   - Do you have data that only certain people in your organization should
   be able to access?
   - What are the consequences of the wrong person accessing that data?

2. Remote access

Remote access is a beautiful thing: it lets us stay connected from home or
on the road, and work until we just can't work anymore. But there's also
real risk involved any time you allow access to your internal network from
external locations. Here’s what you need to look at:

   - Does your organization have remote access capabilities? What kind?
   - What devices are people connecting from? Company-owned equipment?
   Personal devices?
   - Do they have access to network drives from these devices?
   - Are they able to copy files from these network drives to their own
   machine?

The fact of the matter is that if your people are using a VPN connection to
access your network data from their personal computer, you have no control
over where your data ends up. Would you want everyone in your organization
to be able to copy your clients’ financial information onto their desktop
at home?

3. File sharing

Like remote access, the ability to collaborate on projects can do
incredible things for efficiency and workflow. And, like remote access,
solutions that allow you to share files also open the door to dangerous
data sprawl. Take a look at your applications and determine:

   - Does your staff share and sync their files across devices?
   - What solutions are they using? A consumer-grade solution like Dropbox?
   Business-grade software?
   - Are you able to wipe files from these applications should the person
   leave your company?
   - Is the application synced to personal devices that you cannot access?

We’ve heard from folks who have been separated from organizations for years
and still have sensitive company data in their Dropbox account. That
organization probably doesn't have a clue.

4. Mobile devices

You can probably see where this is going by now. When you’re trying to keep
internal information from getting out, it’s especially important to look at
the devices that are literally walking out of your office doors. You need
to have a handle on:

   - What devices have access to your network?
   - Are they managed? Subject to any security scans?
   - What happens if the device is lost? Can you wipe the data?
   - Is the data on that device encrypted? To what extent?
   - How do you restrict access to these devices? Simple passcodes?
   BIOS passwords? Device management enforcing a lock policy?

As you move through all of these questions, understand that the more
restrictive you get with your policies, the more your team’s ability to
work efficiently may be impacted.

Take away mobile device access and your staff won't be able to stay
connected while they're away from the office. Encrypt individual files and
your staff will have to take the time to decrypt each one before they can
work with it (full-disk or device encryption, by contrast, is transparent to
the user and adds no meaningful storage overhead). Ban file sharing
solutions and your team will spend their time emailing documents back and
forth.

As you can see, there’s a fair amount of give and take where data privacy
policies are concerned.

In order to make sure you have proper control of your data, however, you
have to make a decision about what’s more important to you and the future
of your organization, and what might happen if you give a little too much.

From there, it becomes a matter of taking your policies and making them a
part of your everyday operations. Remember that a policy that exists only on
paper won't hold much water when it comes time for a compliance audit.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
