Data Security Compliance: A Cheatsheet for IT

Keep reading for a single set of guidelines to follow that can be applied to all industry regulations at once.

From HIPAA to SOX, whether you work for an organisation controlled by compliance standards or you are an independent IT firm looking to build your enterprise business, industry regulations regarding data security can sometimes cause a real headache.

Why Data Security Regulations Exist

Industry-mandated data security requirements exist for a good reason. Where there is personal data, there are attackers trying to get at it. After all, social security numbers, credit card numbers, birthdates and more are all extremely valuable on the black market.

According to the Identity Theft Resource Center (ITRC), there were 780 electronic data breaches in 2015. These breaches affected over 175 million records in a variety of industries including healthcare, banking, education and government agencies. Broken down by industry, the numbers look like this:

Healthcare: 276 breaches, 121,629,812 records lost
Banking/credit/financial: 71 breaches, 5,063,044 records lost
Education: 58 breaches, 759,600 records lost
U.S. Government/Military: 63 breaches, 34,222,763 records lost
Business: 312 breaches, 16,191,017 records lost

Five Steps to Compliance

Although different industries are required to follow differently named guidelines, there is considerable overlap in the items that IT really needs to worry about.

Although some personal information may not fall under any compliance standard, from an IT perspective it is safe to assume that any and all customer, employee or other personal information needs to be protected from breach or accidental exposure.

In order to obtain and maintain compliance with any industry- or government-mandated protocol, you must have documented and validated policies and procedures that are actually in use by your company.

The steps you need to follow as IT regarding security policies and procedures are fairly standard, regardless of the industry you serve:  

1. Risk Analysis 

Risk analysis, sometimes also called gap analysis or security risk assessment, is the first step toward developing a data security policy. Security risk assessments should be conducted annually, biannually, or any time something changes, such as the purchase of new equipment or the expansion of company services.

The purpose of risk analysis is to understand the existing system and identify gaps in policy and potential security risks. As explained by the SANS Institute, the process should work to answer the following questions: 

What needs to be protected?
Who/What are the threats and vulnerabilities?
What are the implications if they were damaged or lost?
What is the value to the organisation?
What can be done to minimise exposure to the loss or damage?

Areas to review for proper security:

Workstation and server configurations
Physical security
Network infrastructure administration
System access controls
Data classification and management
Application development and maintenance
Existing and potential threats

Methods of security to review:

Access and authentication: access should be unavailable, physically and logically, to anyone who is not authorised
User account management
Network security
Monitoring
Segregation of duties
Physical security
Employee background checks
Confidentiality agreements
Security training

Resources from the SANS Institute also give excellent instruction for conducting a thorough risk analysis for your company.

2. Development of Policies and Procedures   

Based on the outcome of the risk analysis conducted, security policies and procedures for safeguarding data must be updated or, if none currently exist, written from scratch.    

Identify, develop and document:

A comprehensive plan outlining data security policies  
Individual staff responsibilities for maintaining data security
Tools to be used to minimise risks, such as security cameras, firewalls or security software
Guidelines concerning use of internet, intranet and extranet systems

3. Implementation   

Once your company policies and procedures have been identified, planned out and documented, they need to be implemented and followed.

Purchase security software and other tools that have been identified as necessary
Update existing software and operating systems that are out-of-date
Conduct mandatory security training and awareness programs for all employees, and require signatures on mandatory reading materials
Conduct background checks of all employees
Vet third-party providers to be sure that they maintain and document compliant security protocols that are identical to, or more robust than, those in place within your company

4. Validation   

In order to prove that your company is compliant with industry regulations, you must have a third-party data security company validate your company's security policies and procedures, and the implementation of those policies and procedures. This should be done annually or biannually.

This process can be pricey, time-consuming and intrusive; however, this type of verification will both help your business maintain data security and add value to the services you offer your customers.

An SSAE16 SOC 2 Type II security protocol can cover a large spectrum of industry-regulated data security requirements, including all of those discussed in this article:

HIPAA
GLBA
SOX
FERPA
FISMA
NIST

5. Enforcement   

Security policies and procedures can be enforced through education and penalties. You may have noticed that education falls under both implementation and enforcement. It is absolutely the most important part of your company's security and must be offered continuously.

Mandatory training and awareness programs must be scheduled for employees to ensure sensitive and confidential data is protected. Be sure that anybody who might touch protected data is trained on current policies and risks, and kept current as policies are updated or new risks identified.   

For example, be sure that all relevant employees are aware of email phishing scams: how to identify them, what to do if they think they may be targeted, and what to do if they have become a victim and possibly exposed protected data. As new types of scams come into being, send company-wide emails detailing how to identify them and how to protect against them.

The second part of enforcement is eliminating the temptation to ignore protocols and encouraging compliance. This can be done by issuing penalties, financial or otherwise, to those who do not follow important procedures.

There You Go—Simple!

Okay, maybe it's not exactly simple. But if you want to avoid adding your business or your clients to the data breach statistics, your data security measures must be thorough. Industry compliance and overall data security will help maintain the safety of your organisation's data, and they add a great selling point when pursuing clients.

Michael Hall, CISO, DriveSavers

ABOUT THE AUTHOR

As Chief Information Security Officer (CISO) and Director of eDiscovery and Digital Forensics, Michael Hall directs and implements policies and procedures concerning the privacy and security of all data received at DriveSavers.