In honor of Data Privacy Day (January 28), Cintas published 10 tips for protecting confidential business data. This list is a good starting point for creating your own data security program. I will list the tips below with additional recommendations on each. Many of these tips are written with paper documents in mind, but nearly all apply to digital storage as well. The original list is on Cintas’ site.
- Implement a document management program. This falls in the category of “identify your treasures.” Make a list of the different types of documents you need to keep – invoices, receipts, contracts, etc. Next, determine who needs access to these documents in order to do their job. Identify the security measures needed to maintain the privacy of the data. Lastly, train all employees in responsible information handling; standards such as PCI and Red Flag require this secure document-management training for compliance.
- Implement a document retention schedule. Building on #1, identify how long each type of document must be kept. Have a procedure to remove expired documents from storage and destroy them securely. If you process a large volume of documents, consider contracting the shredding to a trusted third party.
- Regularly shred sensitive documents. For documents that do not need to be retained, provide storage containers in convenient locations for documents that need to be shredded, and have them emptied regularly. Make destruction rules simple for employees – when in doubt, shred it.
- Keep documents securely offsite. This requirement should be balanced against the document management program. For documents that must be stored but are not needed for frequent business processes, consider storing them offsite. If you have a small number of documents, a safe-deposit box might suffice. For larger volumes, consider off-site data storage companies like those used for tape backup and disaster recovery services.
- Limit acquisition of confidential customer data. If information is not integral to the business process, see if you can limit your exposure by not asking for the information. Once you have it, you are responsible for securing it. Follow a need-to-know policy on release of private customer data to employees.
- Use password protection. Most document formats that can be password protected can also be cracked easily, so treat document password protection as a simple deterrent only. Instead, consider disk-based encryption like TrueCrypt for file storage and PGP for files that have to be emailed.
- Install and update virus protection software. Cintas refers to this as virus protection software, but make sure your software protects against all forms of malware and not just viruses. I personally like Microsoft Security Essentials due to its price point, its light footprint, and its effectiveness. Keeping anti-malware software up to date is a good first line of defense, but it does not replace security awareness training.
- Clear data before disposing of old computers. We consider this process to be instrumental to a good security program (surprise, surprise). Use data destruction software like Blancco, DBAN, or KillDisk to ensure that no data can be recovered from your machines after you are done with them. If you contract this service out, here are 5 questions you should ask a data-destruction company. As smartphones like BlackBerries and the iPhone get used by companies in larger numbers, do not forget about wiping them as well.
- Review company credit card statements. Corporate credit accounts can be compromised as easily as consumer ones. Make sure your security program includes a review of credit card billing for fraudulent charges.
- Limit use of file sharing programs. File sharing programs can be a breeding ground for malware, and if used inappropriately can be a mechanism to expose business data. Using tools like Spiceworks you can easily generate reports to see exactly where a particular program is installed.
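Tips #1 and #2 describe an inventory of document types, a retention period per type, and a procedure to pull expired documents for secure destruction. The script below is an added example (not from Cintas or this post) of that procedure applied to a digital inventory; the document types, retention periods and the inventory itself are constructed sample values, and the legal-hold flag and "review" outcome are my assumptions about how a schedule should handle exceptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule from tip #2: one period per document type from the tip #1 inventory.
# Periods are constructed sample values for illustration, not legal guidance.
RETENTION_DAYS = {
    "invoice": 7 * 365,
    "receipt": 3 * 365,
    "contract": 10 * 365,
}


@dataclass
class Document:
    doc_id: str
    doc_type: str
    created: date
    legal_hold: bool = False  # assumed flag: a hold must block destruction regardless of schedule


def disposition(doc: Document, today: date) -> str:
    """Return 'keep', 'destroy' or 'review' for one document under the schedule."""
    if doc.legal_hold:
        return "keep"  # never queue a held document for shredding
    period = RETENTION_DAYS.get(doc.doc_type)
    if period is None:
        return "review"  # type missing from the schedule: a person decides, not the script
    expiry = doc.created + timedelta(days=period)
    return "destroy" if today >= expiry else "keep"


def build_destruction_queue(docs, today: date) -> dict:
    """Split an inventory into what to shred securely, what to keep, and what needs review."""
    queue = {"destroy": [], "keep": [], "review": []}
    for doc in docs:
        queue[disposition(doc, today)].append(doc.doc_id)
    return queue


def sample_queue() -> dict:
    """Run the schedule over a constructed inventory as of 2011-01-28 (Data Privacy Day)."""
    inventory = [
        Document("inv-001", "invoice", date(2003, 1, 1)),          # past 7-year period
        Document("inv-002", "invoice", date(2010, 6, 1)),          # still within period
        Document("con-001", "contract", date(1995, 1, 1), True),   # expired but on hold
        Document("rcpt-001", "receipt", date(2007, 3, 15)),        # past 3-year period
        Document("memo-001", "memo", date(2000, 1, 1)),            # type not in schedule
    ]
    return build_destruction_queue(inventory, date(2011, 1, 28))


if __name__ == "__main__":
    for outcome, ids in sample_queue().items():
        print(f"{outcome}: {ids}")
```

The "destroy" list is what goes to the shredding bins or the data-destruction software; the "review" list is the set of documents your inventory from tip #1 has not yet classified.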
In general, if you don’t need it, don’t store it. If you aren’t sure, don’t store it and ask the customer for it when needed.