10 data compliance best practices you need to establish today
Poor data security compliance policies can make it easier for ransomware attackers to succeed in their efforts to lock down your data. As Sophos recently reported, some attackers turn to extortion-type attacks. Instead of just encrypting files, they threaten to release data unless a ransom is paid, putting the victim organization in a position where it will be fined by regulations, not to mention damage to its brand. .
For this and many other reasons, compliance and information security are closely linked, placing even greater emphasis on data privacy compliance as a central pillar of any security strategy.
Here is a short list of some best practices to help your business get into compliance and stay away from ransomware thugs.
- Create a compliance framework. A security or incident response framework explains how to detect, respond to, and recover from incidents. Likewise, a compliance framework provides a structure for dealing with all compliance regulations that pertain to an organization, such as how to assess internal compliance and privacy controls. A framework also helps identify data, such as personal or sensitive data, that requires more stringent security protocols.
- Define policies regarding what data is collected and why. This step is part of creating a frame. There are many reasons to document the why and why of data collection. Regulators can require that these policies be stated; if the data comes from consumers, there may be even more stringent requirements to detail collection policies (see # 4 below).
- Create privacy policies. Be very clear with your customers about what data is being collected, what you use it for, how it is stored, and for how long. Additionally, be clear with customers on how they can request access to their personal data or request to “be forgotten” and have their data deleted from your systems.
- Build commitment to disclosures. Share, publish and maintain publicly accessible privacy policies. See how we do it at Pure Storage®. We detail where we get the data and what we do with it.
- Stay on top of the latest government regulations that impact compliance. A “privacy by design” operating model can help you keep up with and adapt to changing regulations. This means you build privacy into the design and operation of IT systems, infrastructure, and business practices, instead of trying to lock it down after the fact. (This is how we to build our Pure Storage solutions.)
- Strengthen data retention and deletion policies. This step is critical. Retention schedules dictate how long data is stored on a system before it is purged, and schedules can vary by industry. The hallmark of a compliant, mature and secure business is one that develops strong data retention and deletion policies that are continually reviewed.
- Choose a data encryption protocol. Determine what type of data encryption to use and where: on-premises, in the cloud, etc. Decisions may vary depending on the location of the data. This white paper from Pure Storage and IDC can provide you with information on the specifics of GDPR data encryption.
- Talk to your RSSI about network controls. Since compliance is closely related to security, bring your RSSI into conversations about network appliance configuration, least privilege access control, event logging, and multi-factor authentication.
- Anonymize sensitive data. If necessary, the data should be anonymized to remove personally identifiable information with masking, tokenization, hashing or anonymization.
- Document how you will notify all parties involved in a violation. Under GDPR, these notifications are mandatory and you absolutely want the notification process to run smoothly. happening again.
With the exploitation of data comes immense opportunities, but also responsibilities. If your business believes in the “data is the new oil” wisdom, you must embrace compliance too, because without it, data might not belong to you any longer.
Upload 10 questions to ask your CISO or Privacy Officer to make sure your data security policies are set from all angles.