Data Safeguard Policies

Posted by Mark Greisiger

A Q&A with David Lineman, President of Information Shield
An organization’s security is only as good as its underlying policy. Besides guiding personnel on procedures, rules and protocols, policy is also a public signpost that will reassure customers, third party organizations and stakeholders that their data will be protected. To find out more about the common mistakes people make with regard to data safeguard policy, I talked to David Lineman, president of Information Shield (and eRisk Hub resource vendor).

What security/privacy provisions are most often missing from organizations’ policies, especially small to medium size organizations?
Among the security policies most often left out is “acceptable use” of internet and email, even though these are common areas for breaches. The technical vulnerabilities are always there, certainly, but many of the huge, public breaches occur when someone emails out personal data by mistake, or responds to a phishing email with data that then leads to a technical breach. So where organizations tend to be missing the boat is with the policies that relate to people and the way they behave—and making sure that people in the organization, no matter what size it is, are aware of those policies that apply to them. Really, all of the regulations in healthcare and financial services actually point to the same set of controls in security policies—passwords, for instance. You need to manage access control with passwords and that is as valid today as it was 30 years ago as a key element of personnel security. Employees need to be screened and they should be receiving security education and training. Companies are spending billions of dollars on technology and a minute amount on training for security. Another area that tends to be neglected is physical security: putting locks on doors, not leaving sensitive information out on a file cabinet or in a dumpster—but also the management of media such as phones and tablets.

Some companies will try to copy a policy (e.g. privacy policy) off of the internet as a template. What are some of the pitfalls of doing this?
Templates are fine but they all need to be customized to make them appropriate for your organization. People want to think that a template will make their job easier but there’s no way of getting around the fact that the policy needs to be adjusted based on the needs of the business. We sell templates as part of our business, but we make them customizable and we give people the tools and tips to help them. There are certainly risks to using a template. For example, many companies in financial services get audited quite often. And the worst thing you can do—almost worse than not having a policy or not following a policy—is to copy a template in a rush and leave it untouched with the wrong information. It’s a huge trend in security and compliance right now to validate third parties, and if you have a sloppy policy, you can also lose business and credibility with clients.

What are some of the most critical policies organizations need to comply with various state or federal regulations?
Well, the ones we’ve talked about already are required. Virtually every regulation specifies physical security, third party security, access control, and acceptable use of internet and email. Two areas I haven’t talked about are business continuity and breach response. Regulators spend a lot of time looking at breaches and what happened so that they can stop them from happening in the future. Breach response plans need to be written and incorporated into company policy. Disaster recovery and business continuity is a big area—we’ve seen over the past couple of years that natural disasters can knock out a business for weeks at a time. In general, I think people have to have an eye toward a comprehensive set of security policies and not just look at something like access control in isolation. You cannot comply with regulations by just picking one or two areas to focus on. If you have a small business you might not need the same intricate detail a big company will need, but you still need to have a comprehensive policy.

In conclusion…
As Mr. Lineman points out, good privacy and security practices start with a written policy. But that’s only the beginning. There then needs to be internal enforcement and fine-tuning of the policy to ensure adherence. We have also seen similar problems with templates. Plaintiff lawyers love to point out inaccuracies in a company’s policy, especially where it says one thing but the company is doing another, so one may argue that using an unmodified template is a deceptive trade practice, thus increasing your exposure to negligence claims.