This article was written by James Normand, Security Analyst.
As organizations operate and grow, so too does the amount of data that they’re responsible for. Properly managing and safeguarding organizational and customer data can help ensure compliance with GDPR, CCPA, GLBA, and regional laws. Failure to implement and maintain secure data practices can lead to significant fines, legal action, loss of customer trust, and loss of contracts. Here are some tips for protecting your customers’ data as well as your own.
Create and Maintain a Clear Data Classification/Retention Policy
Before you can assess whether your organization is properly safeguarding data, you have to know every type of data that exists on your network. Common types include Personally Identifiable Information (PII), Personally Identifiable Financial Information (the GLBA term for a customer's financial data), payment card data (commonly abbreviated PCI, after the Payment Card Industry standard that governs it), Protected Health Information (PHI), and Sensitive Information. Sensitive Information is a broader category that combines publicly available PII (a customer's name, address, telephone number, etc.) with non-public PII (SSN, driver's license number, payment card data, etc.).
Once you’ve determined the types of data that your organization processes, you can begin to classify them into categories based on how the data will be handled, transferred, retained, accessed, and backed up. Common classifications include Restricted, Confidential, Internal, and Public.
Know Your Network
Now that you understand the types of data your organization handles, update (or create) detailed network diagrams so you can verify that data is protected wherever it flows. Every component of the network should appear on the diagram, with the data flows between them clearly drawn. Including server OS versions can help you track systems approaching end-of-life; if that clutters the diagram, keep that information in the asset inventory instead.
Know Your Access Points
A common issue facing organizations and individuals alike is understanding the risks that publicly available access points pose to data privacy.
For organizations, think of an access point as any avenue that customers, or bad actors, can use to interact with your data systems: internet-facing and internal routers, ATMs, websites, mobile applications, and desktop applications, among others.
For individuals, one of the most common threats to data privacy is trusting public Wi-Fi. At the coffee shop, the airport, or a fast-food restaurant, bad actors may be waiting to intercept your traffic. Common interception methods include man-in-the-middle attacks, malware distribution, and session hijacking, among others. Despite what VPN providers may tell you, a VPN alone is not enough to protect you. Best practice is to avoid public access points for any sensitive operation; if you can, use a cellular network or a trusted hotspot instead.
Ultimately, for an organization, the best way to ensure that you’re abiding by data privacy regulations is to conduct regular risk assessments and IT audits across your infrastructure. In the absence of an internal IT audit team, third parties can be used. If your organization is looking for an IT audit, risk assessment, SOC audit, vCISO, PCI audit, HIPAA audit, or any other regulatory audit or assessment, don’t hesitate to reach out to me or any other members of the FoxPointe team.