Since the EU's General Data Protection Regulation went into effect, California and New York have successfully passed the California Consumer Privacy Act (CCPA) and Stop Hacks and Improve Electronic Data Security (SHIELD) regulations, respectively. There are 12 more states getting approval on data protection legislation currently, and that number is expected to grow.
As more disparate legislation is introduced across the US, what organizations must do to avoid costly regulatory fines will only become more complicated. Answer these questions, and you'll sleep a little better at night. Those that have a plan of attack or are already executing on these guidelines should feel confident that their enterprise is keeping the customer's best interests in mind.
● Do you incorporate "privacy and security by design" in your environment?
Privacy and security by design are methodologies based on proactively incorporating privacy and data protection from the very beginning. This approach follows seven principles for implementing growing processes within your IT and business environments. Advocating privacy and security early on in your design process for specific technologies, operations, architectures, and networks will ensure you are building a mature process throughout the design life cycle.
● Is sensitive data encrypted during transit and at rest?
Encryption keys are vital to the protection of transactions and stored data. Key management should be deployed at a level commensurate with the critical function that those keys serve. I strongly recommend encryption keys be updated on a regular basis and stored separately from the data. Essentially, data is always being pushed and pulled and protecting that information as it moves across boundaries should require strong encryption at rest and while in transit.
● Is access to data on a need-to-know basis?
Data should always be classified as sensitive versus nonsensitive and should only be accessed by authorized employees who have a legitimate business reason to access it. Using role-based permissions and "need-to-know" restrictions will help protect your data. It's wise and highly recommended to always use nonshared usernames and passwords with multifactor authentication, which will verify each user. Furthermore, an access review should be conducted at least once per year; this will ensure the appropriate access is given to the correct people.
● Do you have a disaster recovery and backup location?
Having a disaster recovery (DR) and backup environment is a must in today's digital world. DR and business continuity (BC) plans must be in place, and all relevant personnel should be apprised of their roles. DR and BC plans should be tested on an annual basis, followed by lessons learned. Separating your production and backup locations by a few hundred miles will ensure greater data security in the event of a natural or man-made disaster.
● Are vulnerability, risk, penetration, and other audit assessments conducted?
Assessments should be continuously completed throughout the year. Your team should be performing assessments focused on the information system and operational areas within your environment. It's important to conduct these assessments on all assets, internally and externally. Your analysis should be completed in a five-step phase:
- Identify and prioritize assets
- Identify threats
- Identify vulnerabilities
- Analyze controls
- Understand the likelihood of an incident and know the impact that threat could have on your systems.
● Is a process in place to delete or destroy data?
Whoever is handling your data should have a data retention schedule. Building out a schedule will ensure you are deleting data within the scoped time period. After you've defined the data retention schedule and you understand what can be deleted, you should follow security best practices around properly deleting and destroying data. Following industry standards such as the National Institute of Standards and Technology (NIST) will ensure your employees know how to and when to destroy and delete data. Any method that conforms to the NIST 800-88 guidelines for data sanitization should be approved for use.
● Do you have an established incident response team and data breach plan?
Your enterprise should have a robust incident response (IR) and data breach plan in place, and they should be tested annually. It should be the IR team's responsibility to manage the IR process, defend against attacks and prevent further damage from occurring when an incident does occur, implement improvements that prevent attacks from reoccurring, and report the outcome of any security incidents.
Your internal plan should be developed based on industry leaders and cover these three phases:
- Phase I: Detection, assessment, and triage.
- Phase II: Containment, evidence collection, analysis and investigation, and mitigation.
- Phase III: Remediation, recovery, and post-mortem. Notifying customers in a timely manner of a breach is mandatory, and this should be spelled out in your agreement.
● Are you logging security events?
Logging should be enabled in order to establish a sufficient audit trail for all access to sensitive data. Logging should be performed at the application level, too. Automated audit trails should be implemented to reconstruct system events and they should be secured so they cannot be altered in any way. File integrity monitoring should be used to ensure you are maintaining confidentiality, integrity, and availability of all customer data.
● Are you keeping your privacy up to date?