Alphabet soup of IT security
By Ronny Loew, national sales director at ProCirrus Technologies, Inc.
Whether driven by client requirements or scary headlines, IT security and compliance have risen to the forefront of firm planning and concern. Complying with the alphabet soup of regulations, from GLBA and GDPR to HIPAA, can feel like an expensive and overwhelming hoop-jumping exercise. The reality is that becoming compliant with these types of requirements is an important step toward protecting the very continuity of your business. It can even become a competitive advantage.
Regardless of the firm's IT model (cloud, hybrid, or on-premises), it is important to develop and publish a clear security policy. The goal of the security policy is to ensure that sensitive information (i.e. data) is not physically lost or accessed by unauthorized parties.
1. Define what protected data means to you and educate your users
The first step is to clearly define your protected data and to educate your users on how to protect it. This can be as simple as defining three categories:
· Public data – data that is publicly available, like the information on your website
· Proprietary data – data that may be specific to your firm (like a client list) but is not confidential in a regulatory sense
· Confidential data – all client work product as well as very specific items like social security numbers, patient identifying numbers, health information, financial information, etc.
2. Create policies and systems to protect your data
If you have ever seen a security questionnaire from a client, such as a big bank, with over 300 inarticulate control points, it is easy to become overwhelmed. However, at its heart, the goal of the security policy is simply to ensure that sensitive information (i.e. data) is not physically lost or accessed by unauthorized parties.
It helps to simplify things by thinking in terms of protecting your data in three key states: at rest, in use, and in transit.
3. Protecting data at rest
Data at rest is data that is being stored, such as on a server hard drive, a PC hard drive, a laptop, a mobile device, or a thumb drive.
· Clearly define for your associates where your protected data can be stored, and require that all storage is encrypted and with which algorithm (e.g. AES-256).
· Remember that email is protected data. So, in addition to encrypting drives, you should maintain mobile device management (MDM) to protect mobile content as well.
· Protect your data physically. If your firm maintains on-premises servers, make sure they are locked away from general access.
· Have a disaster recovery plan that includes robust off-site backups (also encrypted).
· Keep antivirus software and patches current on all hardware.
4. Protecting data in transit
Data in transit is data that is in motion, such as an email. Your policy should require that protected data is transmitted securely and accessed only by authorized individuals.
· Provide an encrypted email option and define its usage requirements.
· Deploy other services like DLP (Data Loss Prevention) to protect against user errors. Most commonly, these are services at the firewall and/or email server level that detect protected words or patterns (e.g. ###-###-####) and quarantine the email before it is sent.
· Keep firewall software current and penetration test your network regularly.
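The DLP check described above, as an added example that is not part of the original article or any vendor's product: it turns '#'-style masks like the article's ###-###-#### into regular expressions, scans an outgoing message for protected words and patterns, and reports findings in redacted form so the quarantine log itself does not leak the data. The protected-word list, the second mask (an SSN-shaped number), and the sample messages are all constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed rule set for this example; a real DLP service would load these
# from its own configuration rather than hard-coding them.
PROTECTED_WORDS = ["confidential", "social security", "patient id"]
PROTECTED_MASKS = {
    "dashed-number": "###-###-####",   # the article's example pattern
    "ssn": "###-##-####",              # assumption: SSN-shaped numbers are protected too
}


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a '#'-mask (each '#' is one digit, anything else is literal)
    into a regex. The lookarounds stop the mask from matching inside a longer
    run of digits such as an order number, a common DLP false positive."""
    body = "".join(r"\d" if ch == "#" else re.escape(ch) for ch in mask)
    return re.compile(rf"(?<!\d){body}(?!\d)")


def redact(value: str) -> str:
    """Keep only the last four characters so a finding can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for every protected word or pattern found.
    Word matches are case-insensitive; pattern matches are redacted."""
    findings: List[Tuple[str, str]] = []
    lowered = text.lower()
    for word in PROTECTED_WORDS:
        if word in lowered:
            findings.append(("word:" + word, word))
    for name, mask in PROTECTED_MASKS.items():
        for match in mask_to_regex(mask).finditer(text):
            findings.append(("mask:" + name, redact(match.group(0))))
    return findings


def should_quarantine(text: str) -> bool:
    """Quarantine decision: any finding at all holds the message for review."""
    return bool(scan_message(text))


# Constructed sample outbound messages
SAMPLE_MESSAGES = [
    "Lunch at noon?",
    "Please update the account for SSN 123-45-6789 today",
    "Call me at 555-123-4567",
    "Order 1234-567-8901 shipped",          # digit run longer than the mask: no match
    "The CONFIDENTIAL memo is attached",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "QUARANTINE" if should_quarantine(msg) else "send"
        print(f"{verdict:10} {msg!r} -> {scan_message(msg)}")
```

The lookaround boundaries are the part worth copying: a naive `\d{3}-\d{3}-\d{4}` would flag the inside of the longer order number and generate the kind of false positive that makes users route around the control.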
5. Protecting data in use
Data in use is about protecting data while it is actively being accessed by an authenticated user or a system service (like a database).
· Maintain a robust password policy that includes:
    · Length greater than eight characters
    · Complexity that includes upper and lower case letters, numbers, and symbols
    · A change frequency of no more than 90 days
    · System lock-out after three failed login attempts
· Forbid the use of any external password for work (e.g. Facebook). Phishing schemes and insecure external sites are the most common way user credentials are exposed.
· Forbid the sharing of credentials or the storing of passwords in unencrypted form (e.g. plain text, Post-It notes).
· Deploy Multi-Factor Authentication (2FA). Multi-factor authentication requires an additional key, such as a code sent by text message, to access system resources. It is the biggest bang for your security buck!
· Deploy an auditing system for file, database (e.g. SQL), and Active Directory changes.
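The password rules listed above, as an added example that is not part of the original article: a checker that reports which of the four complexity rules a password breaks, a 90-day age check, and a small lock-out tracker that refuses further attempts after three failures until an administrator unlocks the account. The rule thresholds come from the article; the function names, the day-number convention for the age check, and the sample passwords are assumptions made for this example.

```python
import string
from dataclasses import dataclass, field
from typing import Dict, List, Set

MIN_LENGTH = 9            # "greater than eight characters"
MAX_AGE_DAYS = 90         # "change frequency of no more than 90 days"
MAX_FAILED_ATTEMPTS = 3   # "lock-out after three failed login attempts"
SYMBOLS = set(string.punctuation)


def password_violations(password: str) -> List[str]:
    """Return the policy rules the password breaks; an empty list means compliant."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def password_expired(set_on_day: int, today: int) -> bool:
    """True once the password is older than MAX_AGE_DAYS. Days are plain integers
    (e.g. days since an epoch) so the check is deterministic and easy to test."""
    return today - set_on_day > MAX_AGE_DAYS


@dataclass
class AccountGuard:
    """Counts consecutive failed logins per user and locks the account after
    MAX_FAILED_ATTEMPTS. A locked account refuses even a correct password."""
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def record_attempt(self, user: str, password_ok: bool) -> str:
        """Return 'ok', 'denied', or 'locked' for this attempt."""
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0          # a success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Administrative unlock; also clears the failure counter."""
        self.locked.discard(user)
        self.failures[user] = 0


if __name__ == "__main__":
    # Constructed sample passwords
    for pw in ["password", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {password_violations(pw) or 'compliant'}")
    print("expired after 91 days:", password_expired(0, 91))
    guard = AccountGuard()
    for ok in [False, False, False, True]:
        print("attempt:", guard.record_attempt("alice", ok))
    guard.unlock("alice")
    print("after unlock:", guard.record_attempt("alice", True))
```

Note that the guard never stores the password itself, only an outcome per attempt; whatever verifies the password should compare against a salted hash, never the plain-text value the article warns against storing.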
6. The bottom line
Best practices in security always favor a multi-layered and redundant approach. By thinking in terms of protecting your data, wherever it is, you can create the policies and practices that will protect not only your data but also the very existence of your firm.
Although it can seem overwhelming, a competent cloud partner can certainly relieve most of your compliance burden. However, regardless of the size of your firm, it is important to remember that protecting your data is up to you. Every step you take toward that end is the right move.