Getting a grip on information security may feel like trying to hold mercury. It rolls and moves and breaks apart… and just when you think you have it in the palm of your hand, you have lost it.
Information security is not a one-and-done process. It requires the continual attention of all users. We are all custodians of the information that we collect and use.
The majority of breaches happen from carelessness or willful neglect. So in the spirit of comedian Jeff Foxworthy, here is my version of “You Might Be a Data Dimwit”:
- If you think data breach has to do with delivering a baby, you might be a Data Dimwit.
- If your company’s security protocol is to “use your head,” you might be a Data Dimwit.
- If your office party is funded by the money made from recycling paper and computers, you might be a Data Dimwit.
- If your company completes security audits by checking the boxes without really auditing the processes, you might be a Data Dimwit.
Here are seven steps you can take to avoid being a Data Dimwit—and get on the road to data risk management:
- Establish responsibility. Large companies will most likely need to establish a full-time, dedicated information security officer, while smaller firms may be able to add the responsibility to a qualified individual’s job description.
- Create a well-documented policy manual with standard practices for data protection, recognizing state and federal laws that regulate your industry. This information security policy should include how personally identifiable information will be collected, stored, shared and ultimately destroyed.
- Develop a retention schedule, using the advice of legal and accounting.
- Create an incident response plan. Unfortunately, every business will have a breach or a loss. The more you have down on paper, the better you will be able to survive a calamity. Public opinion will be determined based on how well you handle these difficult situations.
- Identify third-party vendors that have access to your information, and make sure they have the proper information security policies, protocols and training in place.
- Educate your team on the company’s policy and regularly communicate updates and changes.
- Audit the process. Review the system annually and update your processes as security needs change. Have employees review the procedures each year and acknowledge their role in the company’s security protocols.
Information security is a moving target and an ever-changing challenge—but with planning, training and the right team behind you, peace of mind and the proverbial mercury ball can be held in the palm of your hand. iBi
Heather Fitzanko is a Certified Secure Destruction Specialist for AAA Certified Confidential Security Corp. in Peoria. For more information, call (309) 691-0909 or email [email protected].