What are some important elements of working with vendors as a sysadmin? (Check all that apply)
Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees. This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business. Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure. A sound data security plan is built on 5 key principles:
1. TAKE STOCK. Know what personal information you have in your files and on your computers.
Question: Are there laws that require my company to keep sensitive data secure?
Answer: Yes. While you’re taking stock of the data in your files, take stock of the law, too. Statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.

Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. You can determine the best ways to secure the information only after you’ve traced how it flows. To find out more, visit business.ftc.gov/privacy-and-security.

2. SCALE DOWN. Keep only what you need for your business.

If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary.

Question:
Answer: If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.

3. LOCK IT. Protect the information that you keep.

What’s the best way to protect the sensitive personally identifying information you need to keep? It depends on the kind of information and how it’s stored. The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.

Physical Security
Many data compromises happen the old-fashioned way—through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee.

Electronic Security
Computer security isn’t just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer system, and follow the advice of experts in the field.

General Network Security

Question: We encrypt financial data customers submit on our website. But once we receive it, we decrypt it and email it over the internet to our branch offices in regular text. Is there a safer practice?
Answer:

Authentication

Laptop Security

Question:
Answer:

Firewalls

Wireless and Remote Access

Digital Copiers
Your information security plan should cover the digital copiers your company uses. The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes, or emails. If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extraction once the drive has been removed. Here are some tips about safeguards for sensitive data stored on the hard drives of digital copiers:

To find out more, read Copier Data Security: A Guide for Businesses.

Detecting Breaches
Question: I’m not really a “tech” type. Are there steps our computer people can take to protect our system from common hack attacks?
Answer: Yes. There are simple fixes to protect your computers from some of the most common vulnerabilities. For example, a threat called an “SQL injection attack” can give fraudsters access to sensitive data on your system. Protect your systems by keeping software updated and conducting periodic security reviews for your network. Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or SANS (SysAdmin, Audit, Network, Security) Institute’s The Top Cyber Security Risks, www.sans.org/top20, for up-to-date information on the latest threats—and fixes. And check with your software vendors for patches that address new vulnerabilities. For more tips on keeping sensitive data secure, read Start with Security: A Guide for Business.

Employee Training
Your data security plan may look great on paper, but it’s only as strong as the employees who implement it. Take time to explain the rules to your staff, and train them to spot security vulnerabilities. Periodic training emphasizes the importance you place on meaningful data security practices. A well-trained workforce is the best defense against identity theft and data breaches.
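The SQL injection threat named in the question above is easiest to understand side by side with its fix. The following is an added example, not code from the FTC guide: it builds a small constructed in-memory SQLite table of customer records (names, emails and values are made up for illustration), then runs the same lookup two ways, once with the customer-supplied value pasted into the query text and once passed as a bound parameter so the database driver treats it strictly as data. The function names and the sample table are assumptions for this example.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory customer table (sample data, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The weak pattern: the caller's value is spliced into the SQL text.

    Anything in `email` that the database parses as SQL changes the query,
    so a crafted value can widen a one-customer lookup into every row.
    """
    query = "SELECT email, ssn_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """The corrected pattern: the statement is fixed and the value is bound.

    The driver sends `email` separately from the SQL, so quotes or keywords
    inside it are matched literally and never interpreted as query syntax.
    """
    return conn.execute(
        "SELECT email, ssn_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(conn, email):
    """Return (rows from the weak lookup, rows from the corrected lookup)."""
    return lookup_vulnerable(conn, email), lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = make_db()
    # An ordinary lookup behaves the same either way.
    print(compare(db, "alice@example.com"))
    # The classic textbook value "' OR '1'='1" shows the difference: the spliced
    # query matches every customer, the parameterized one matches nobody.
    print(compare(db, "' OR '1'='1"))
```

The periodic security review the answer recommends is, in code terms, a search for the first pattern (string concatenation or formatting into SQL text) and its replacement with the second; the same bound-parameter mechanism exists in every mainstream database driver, not only SQLite.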
Security Practices of Contractors and Service Providers
Your company’s security practices depend on the people who implement them, including contractors and service providers.

4. PITCH IT. Properly dispose of what you no longer need.

What looks like a sack of trash to you can be a gold mine for an identity thief. Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. By properly disposing of sensitive information, you ensure that it cannot be read or reconstructed.

Question: My company collects credit applications from customers. The form requires them to give us lots of financial information. Once we’re finished with the applications, we’re careful to throw them away. Is that sufficient?
Answer: No. Have a policy in place to ensure that sensitive paperwork is unreadable before you throw it away. Burn it, shred it, or pulverize it to make sure identity thieves can’t steal it from your trash.

5. PLAN AHEAD. Create a plan for responding to security incidents.

Taking steps to protect data in your possession can go a long way toward preventing a security breach. Nevertheless, breaches can happen. Here’s how you can reduce the impact on your business, your employees, and your customers:

Question: I own a small business. Aren’t these precautions going to cost me a mint to implement?
Answer: No. There’s no one-size-fits-all approach to data security, and what’s right for you depends on the nature of your business and the kind of information you collect from your customers. Some of the most effective security measures—using strong passwords, locking up sensitive paperwork, training your staff, etc.—will cost you next to nothing and you’ll find free or low-cost security tools at non-profit websites dedicated to data security. Furthermore, it’s cheaper in the long run to invest in better data security than to lose the goodwill of your customers, defend yourself in legal actions, and face other possible consequences of a data breach.

Additional Resources
These websites and publications have more information on securing sensitive data:
Start with Security
National Institute of Standards and Technology (NIST) Computer Security Resource Center, https://csrc.nist.gov/
SANS (SysAdmin, Audit, Network, Security) Institute Critical Security Controls, www.sans.org/top20
United States Computer Emergency Readiness Team (US-CERT)
OnGuard Online
Small Business Administration
Better Business Bureau

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Opportunity to Comment
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.

FEDERAL TRADE COMMISSION
600 Pennsylvania Avenue, NW
Washington, DC 20580
1–877–FTC–HELP (1–877–382–4357)
business.ftc.gov/privacy-and-security