BreachExchange mailing list archives

Five Keys To Crafting A Cybersecurity Policy For Your Business


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sat, 2 Jan 2016 19:46:50 -0700

http://www.wilmingtonbiz.com/insights/kara_gansmann/five_keys_to_crafting_a_cybersecurity_policy_for_your_business/1005

The New Year – and particularly 2016 – is a perfect time to review your
company’s cybersecurity policies and make necessary changes. From
governmental entities, to nonprofits that collect donations by credit card,
to the health care industry’s collection of health data, to employers who
store employees’ social security numbers, and to hotels and resorts that
collect traveler data, nearly all businesses are susceptible to liability
resulting from a data breach.

The list below outlines the five key precepts of a cybersecurity plan, and
is a good starting point for you to use in reviewing, updating or even
drafting a cybersecurity policy for your business.

1. Know the location and kinds of data you collect and possess. Inventory
all of your company’s devices and equipment to learn where your company
stores sensitive data. Assess all of the different kinds of data in your
possession. Know the source of the data, as well as who has access to it.
It is imperative to both know and follow the laws governing receipt,
security and storage of data.

2. Collect only data that is necessary to your business needs. Maintain and
collect only the data necessary to conduct your business. Check the default
settings on your software that processes transactions because sometimes
software is preset to permanently store information. If you must keep
sensitive information for business reasons or to comply with the law,
develop a written records retention policy to identify what information to
keep, how to secure it, how long to keep it, and how to securely dispose of
it.

3. Protect the data. The kind of protection necessary for securing
sensitive data turns on the type of information it is and how it’s stored.
Physical protection ranges from locks to limiting access to data or even
securing devices like PIN pads. Electronic security includes encryption,
firewalls, monitoring the network for malware, limiting third-party
connections to the network, and changing default settings on devices.
Develop employee policies for passwords, mobile devices and digital copiers.

4. Purge unneeded data. Identify reasonable and lawful disposal methods
based on the sensitivity of the data.

5. Create a response plan for a security breach. Create a “breach response
plan,” investigating what data was compromised, ending vulnerabilities, and
notifying those affected by the breach. Recent North Carolina legislation
requires notifying consumers and the attorney general if personal
information has been compromised in a security breach.

While each industry may be subject to other specific data laws and
requirements, these five precepts apply generally to every business’s
cybersecurity policy.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/