Keeping your data secure and backed-up is an important part of your IT functionality. By using the right tools you can:
- Enforce data confidentiality and security
- Comply with data retention and security regulations
- Retain tamper-proof data with efficient data storage
- Ease legal e-discovery
- Secure intellectual property and confidential information
- Track and report on Admin Remote Control sessions
There are a number of ways to look at this issue but as a managed IT service provider, we lean towards taking a holistic approach to your data privacy and security needs, taking into account any related regulatory and internal compliance requirements. This approach to planning and implementing data privacy and security may be specifically valuable to a range of groups and individuals that:
- Own business processes that generate, collect, and use data
- Have a specific business with respect to confidential data, such as the chief privacy officer, the legal department, and the IT department
The average approach focuses on mere compliance with “the letter of the law” by implementing and enforcing data privacy and security policies on generally accepted best practices. Prevailing IT privacy and security thought generally addresses threats by restricting access to data and keeping it from “escaping” well-defined boundaries.
This traditional approach can be augmented by evaluating threats to confidential data at different stages of the information lifecycle. With a more holistic plan and self-regulation measures, your security and privacy can go beyond mere compliance with regulations and standards. This approach helps organizations identify technical and nontechnical measures that can reduce security and privacy risks to acceptable levels.
Selecting technical controls and activities to effectively protect confidential data requires:
- An understanding of how information flows throughout an organization over time
- Knowledge of how information is accessed and processed at different stages, by multiple applications and people and for various purposes
The concept of the information lifecycle is helpful in understanding these requirements and in defining your path to compliance and best practices. The information lifecycle is as follows:
Collect: Most organizations collect data in multiple ways: in person, by mail, from partners, or through transactions via network and system connections. Information must be classified appropriately, and measures to address security and privacy must be taken.
Update: The organization’s data is typically updated several times during its lifecycle. Multiple challenges are associated with safeguarding the integrity of data. Repeated updates, human error, and malicious activity can all compromise the integrity and accuracy of information.
Process: As information becomes easier to share and transmit, it is more frequently subject to processing or use by multiple applications and people, including third parties. Organizations should ensure that only authorized individuals can access confidential data, and they should enforce strict conditions for taking data outside the organization (such as on a laptop).
On the privacy side, organizations should enforce user choice and consent in a manner that is consistent with organizational policy and with laws and regulations.
Delete: With data storage becoming less expensive every day, many organizations conclude that spending time deciding which records to delete is more costly than simply keeping it all. However, this practice fails to consider potential liabilities associated with retaining confidential data after it has outlived its usefulness.
Organizations can reduce their exposure to the risk of data breaches by defining a finite lifespan for confidential data and enforcing policies for its automatic deletion or secure archiving for ease of discovery in legal situations.
Storage: The task of protecting confidential data might seem relatively straightforward when that data is stored in a single database server inside the data-center. The effort is far more complex, however, when the information is moved outside the data-center—to a database on a laptop, for example—or when it is stored in unstructured form such as in an e-mail or a text document.
Transfer: As data is copied or removed from storage as part of a transfer, a new information lifecycle begins. Organizations should place as much emphasis on security and privacy for data that is being transferred as they do for the original data-set. This requires an understanding of the transfer vehicles (private network, the Internet, storage media sent by courier, and so on) as well as their inherent risks. For example, media sent by courier or postal mail can be lost or stolen, so it should be encrypted, just like data transferred over the Internet.
It also requires an understanding of how the recipient organization’s policies, systems, and practices might differ from those of the current keepers of the data. Lastly administrators should work on servers or workstations securely and discreetly, and track and report on their Remote Control sessions with a history of access for compliance purposes.
If you are not sure you have the right security and backup plan in place, it is never a bad idea to contact your managed IT service provider. They will know the right solutions for your system and be able to guide you through the process.
