Last week Ultan O’Carroll of the Data Protection Commisioner’s office gave an excellent presentation on best practice policies for data protection.
Below is a quick snapshot of some key points.
Knowing your data – “If there is anything you need to know – know what data you have and categorise it in some way – whether it is personal, financial and so on” . He further advised delegates that apart from categorising your data, “you need to know where your data is – whether it is on tape, on disk, on your production server and so on”
“Access ontrol” data among your employees – “Not everyone needs to see all the personal data that you hold” For example, sometimes your admin staff only need to have access to the address details of your customers. If the data is not within their remit, they need not be privy to it. All of this goes back to “knowing your data”.
Use access logging – Finding out “who logged in when”, “whether it was local or remotely” and “what password they used”. “We often see things go wrong at this level” said O’Carroll.
Have a plan to deal with data breaches within your organisation – Dealing with data breaches in an ad-hoc fashion is not the best way. Data controllers must have a plan in place.
Software patching – You should have a policy in place for the patching of software and it needs to be enforced. “We often find that top-level security patches get released but they are only applied for 3 – 6 months after that. In that window, hackers will try to do some reconnaisance on your site”.
Passwords – Having a robust password policy in your business or organisation is essential. For example, users using the same passwords for their Facebook account and their company database is not secure. Moreover, passwords need to be transmitted and stored securely. For example, emailing or storing passwords in clear text is not good practice.
Use third parties to independently test your security – There are specialists who can independently test the security of your I.T. infrastrcture. These often have their own sub-specialisations. For example, one penetration tester might specialise in e-commerce payment gateways whilst another might specialise in network penetration testing.”Test it and test it again” is the advice.
Whilst the above points are just guidelines on data protection best practice – the best data protection systems are often built from the ground up. If you want to find out more information implementing better data protection, an excellent ressource is “The Privacy Engineer’s Manifesto” by Dennedy, Fox and Finneran. The authors espouse the view that “privacy will be an integral part of the next wave in the technology revolution and that innovators who are emphasizing privacy as an integral part of the product life cycle are on the right track”.
The ebook version of the book is free to download at:
http://www.apress.com/9781430263555