Tuesday, May 22, 2007

Has Your Employee or Customer Data Been Stolen or Misplaced?

Too frequently employee or customer data has been stolen or misplaced. It is time for it to stop. Too many companies are too cavalier or too incompetent in handling information that should be very secure. Even the Federal government fails to secure sensitive data. There are several spy trials going on right now.

Some corporations are almost draconian about physical and data security and those companies should be identified as role models for other organizations.

First, sensitive data must be kept in a secure building where only authorized individuals are allowed to enter. We all have been through some form of building security where we have to show identification to get past the guard at the door. Sometimes if we have an appointment with someone, we may have to wait at the guard post until someone comes to sign us in and then we can go upstairs. When we get past the front door guard, we usually see that most doors are locked and secured with card validation or push button coded access security. That means only individuals authorized with the cards or passwords can enter the rooms. Frequently, there are security cameras where other guards can see us and sometimes the images are stored for days or longer for later review. From what I have heard, some entrances may be guarded by fingerprint or eye scanners. Frequently, valuable or sensitive items may also be bolted or otherwise locked in place so that someone cannot pick them up and carry them away. When leaving a secure building, the guards check to see if you are carrying anything and may stop an individual to see what it is or to examine the contents of a shopping bag, purse, or attache case. One would be surprised how frequently basic physical security is ignored.

Second, physical security often ignores laptops and removable computer media. Many organizations lose laptops due to employee or visitor theft. Employees have company or government assets on the laptop which they may or may not be authorized to have on the laptop. Some employees may leave the work premises with the laptop without authorization. Some employees leave the work premises with removable media like floppies, CDs, external drives, or DVDs that may contain secure data that they are not authorized to possess. Physical security must home in on laptop and media theft.

Third, there is the need to know. If I am a programmer, then I almost always should work with test data and not live data. Test data is made up, fictional data. If I work with supermarket warehouse and store inventory, I probably should never be able to access, let alone download, employee data. If I work in human resources, then I should never see customer credit card account numbers. Data security governs access to data so that, basically, need-to-know access is enabled and access without a need to know is disabled. Violation of the data security rules can be published and investigated.

Fourth, all organizations have thousands of copies of their critical production data and it must be managed. All organizations have primary data stores and secondary data stores. A bank may have a primary data store of all deposit accounts such as checking, CDs, and Clubs. Secondary data stores may include individual files with all checking accounts only, others might be consumer checking accounts, middle market checking accounts, and a file or database of just clubs. Clubs can be broken out by Christmas, vacation, and birthday clubs. Each may additionally be broken out by state into additional secondary files. Sometimes there can be thousands of production-level secondary files spread out from the mainframe, to LAN servers, to individual client laptops that can be unplugged at the office and carried home. Sometimes files can be copied onto removable media such as floppies, CDs, DVDs, and external drives. Frequently this data accessibility spans not only countries, but continents. Data security must step up to guard all primary and secondary data stores of production-level data. Data security management must prevent or guard additional copies of this data.

It all starts with honest people. Are your employees and contractors bonded? Do you validate employee application and resume information? Does any individual have strong ties to any nation other than America?

Do you have a vigorous physical security plan in place? Have you validated that violations occurring elsewhere could not occur at your company?

Do you have a vigorous data security plan? Do you know what production-level files you already possess? Do you know how frequently they are created and by whom? Do you know the people accessing the files? Do you know what files have been downloaded to client laptops and by whom? Do you know if all of your production data is in a secure building? Has someone recently validated why each primary or secondary data store file or database is still necessary? Do you delete the access of individuals who leave the company? How do you handle the access of employees transferring to other departments? Do you quickly investigate unauthorized access of production data?

The next time personal data is reported missing or stolen from a laptop, then all hell should break out. Credit card numbers, social security numbers, and a lot of other personal data should never leave secure buildings. I cannot imagine what the individual would do with thousands or millions of credit card or social security numbers anyway. The individual probably should never have had that data anyway. The company's physical security people and data security people know better. All management knows better. If corporations cannot manage the security of their employees and customers, then maybe government should enact laws with severe penalties.