Protecting the information that you keep - Physical Security and Data Security Policies

Physical Security

 Most security breaches happen the old-fashioned way, through lost or stolen paper documents.Often, the best defense is simply a locked door or an alert employee.

• Store paper documents, as well as any CDs, zip drives, old hard drives, or backups containing personally identifiable information, in a locked room or file cabinet.
• Control access by limiting who has a key to only those employees with a legitimate business need. Remind employees not to leave sensitive papers out when they are away from their desks. Require employees to put files away when not working on them, and to log off their computers, and lock their file cabinets and office doors at the end of the day.
• If the company maintains offsite storage facilities, know when someone accesses the storage site.
• If you need to ship sensitive information, encrypt the information, keep notes on what information was shipped, and use a service that will allow you to track the delivery of your information.

Digital Copiers

Your information security plan should cover the digital copiers your company uses. The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes, or emails. If you don't take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extraction once the drive has been removed.

Here are some tips about safeguarding the sensitive data stored on the hard drives of digital copiers:

• When you're thinking about getting a copier, get your IT staff involved.
  • The employees responsible for securing your computers should also be responsible for securing data on your copiers.
• When buying or leasing a copier, consider the security features offered.
  • Some data security features are offered as standard equipment or optional add-on kits. Generally, these features involve encryption and overwriting. Encryption scrambles the data on the hard drive so it can be read only by particular software. Overwriting, also known as file wiping or shredding, replaces the existing data with random characters, which makes it harder for someone to reconstruct a file.
• Once you choose a copier, take advantage of all its security features.
  • You may be able to set or adjust the number of times data is overwritten, usually the more times the data is overwritten, the safer it is from being retrieved. In addition, make it a standard office practice to securely overwrite the entire hard drive of the copier at least once a month.

When you return or dispose of a copier, find out whether you can have the hard drive removed and destroyed. Have a skilled technician remove the hard drive to avoid the risk of breaking the machine. If you are not able to remove or destroy the hard drive, be sure to completely overwrite the data before disposal.

Detecting Breaches

Consider using an intrusion detection system to detect network breaches when they occur. To be truly effective, be sure it is updated frequently to address new types of hacking.

Maintain a central log file of security-related information to monitor activity on your network so that you can spot and respond to attacks. If there is an attack on your network, the log can provide information that can identify the computers that may have been compromised.

Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day.

Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from your system to an unknown user. If large amounts of information are being transmitted from your network, investigate to make sure the transmission is authorized.

Employee Training

Your data security plan may look great on paper, but it's only as strong as the employees who implement it. Take time to explain the rules to your staff and implement periodic training to spot security vulnerabilities. Well-trained employees are the best defense against identity theft and data breaches.

• Check references and do background checks before hiring employees who will have access to sensitive information.
• Every new employee should sign an agreement to follow your company's confidentiality and security standards for handling sensitive data.
• Regularly remind employees of your company's policy, and any legal requirements, for keeping certain information secure and confidential.
• Know which of your employees have access to sensitive personally identifying information, especially data like Social Security and account numbers. Limit access to personal information to employees with a "need to know."
• Have a procedure in place for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information. Terminate passwords, and collect keys and identification cards as part of the check-out routine.
• Implement a regular schedule of employee training. Keep employees up to date as you find out about new risks and vulnerabilities. Make sure training includes employees at branch offices, temporary help, and seasonal workers. Consider blocking access to the network for those employees who do not attend the training.
• Train your employees to recognize security threats. Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities.
• Make sure that your employees are aware of your company policies regarding keeping information secure and confidential. Post reminders in areas where sensitive information is used or stored. Make sure your policies cover employees who telecommute or access sensitive data from home or an offsite location.
• Teach employees about the dangers of spear phishing, fraudulent emails containing information that makes the emails look legitimate. These emails may appear to come from someone within your company, generally someone in a posi­tion of authority. Consider making it standard policy to verify all emails requesting sensitive information, and when verifying, do not reply to the email and do not use links, phone numbers, or websites contained in the email.
• Warn employees about phone phishing as well. They should be suspicious of unknown callers claiming to need sensitive information. Make it office policy to double-check by contacting the company using a phone number you know is genuine.
• Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop.
• Impose disciplinary measures for security policy violations.

Security practices of contractors and service providers

Your company's security practices depend on the people who imple­ment them, including the contractors and service providers you work with.

• Before you outsource any of your business functions such as payroll, web hosting, customer call center operations, or data processing, take a look at the company's data security practices and compare their standards to yours. If it is possible, try to visit their facilities.
• Make sure that security issues for the type of data your service providers handle are addressed in your contract with them.
• Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.

Adapted from "Protecting Personal Information: A Guide for Business," Federal Trade Commision, 2011

For more information on this subject, to download a copy of the guide, or to find out about scheduling an internal controls audit, call 503-579-8059 or e-mail us at info@sosnw.com.