Get Data Protection Right: Four Things You Need to Do to Create Strong Data Protection Policies
We’ve begun to see news headlines where organisations receive fines for lack of adequate data protection. Regulators will never be able to police every non-compliant company, so what’s the data protection regulation for in most cases?
While the GDPR is an enforcement framework, it is also a set of guiding principles that you can use to build a data protection framework. This is why we think the GDPR is really about “Getting Data Protection Right”.
We’ve studied the regulation and used it to create a framework consisting of nine pillars of data protection. If you travel naturally down the path of GDPR compliance and implementa these nine pillars, you’ll improve your businesses data handling as well as reduce the possibility of being sanctioned.. In this article, we look at the fifth pillar: Data Security Policies. We’ll review the different types of data security policies and offer a solution for generating them.
Document Your Security and Operating System Configurations
Documenting security configurations, OS configurations, and other IT configurations is the work of security managers or security engineers. These tasks sound unproductive, but they’re vital. Why?
In our world, where even the smallest companies use technology to do their day-to-day work, it’s better to record and track the configuration of that technology to ensure the smooth running of the business. The practice of documenting has several benefits:
- Reducing the risk of outages and data breaches and the harm they cause.
- Helping quickly identify configuration errors made by administration staff.
- IT staff can restore service faster if they have base configuration and change records.
- Helps IT staff to design safe, non-disruptive future changes to configurations.
- Reducing costs by identifying or avoiding overlapping functionality.
Password and Account Management Policies
Computer hacking via weak or stolen passwords tops many lists for cybercrime It’s a common data breach cause. Hence, it’s always advisable to create robust policies for password use.
A useful password policy should consider:
- Limiting the number of times a password can be reused or how long it is usable.
- Setting minimum limits for length and complexity. This makes passwords harder to crack.
- Requiring passphrases are harder to crack than passwords yet easier to remember.
- Auditing passwords and password changes to help track security threats.
- Blocking account for wrongly entered passwords.
Account management policies are broader in scope than password policies. They cover topics such as account-user access and levels of access, the principle of least privilege for new account creation (only giving access to minimum and required resources), and multi-factor authentication. Password policies often feature as a subset of account management policies.
Antivirus, Firewall and Database Policies
As part of an efficient data-protection framework, companies need policies in place which govern the use and configuration of antivirus software, firewalls, and databases. Let’s take a quick look at each of these.
Antivirus policies for workstations and servers control the software in various ways:
- Timing: when to scan for viruses and download new definitions.
- Functionality: how the software handles unwanted programmes and spyware.
- Emails: method of email scanning and how harmful messages and attachments are reported.
- Identity theft measures: configuration that protects user identities and web-browsing.
The role of antivirus software is to disable the tools hackers use to infiltrate your computer or network. For more direct attacks such as SQL injections, businesses put firewalls in place.
Firewalls come in two main forms; network-based and host-based. The latter is installed directly on individual PCs as software, while the former resides in the cloud or on a dedicated server and filters traffic between the Internet and a LAN. A firewall policy defines how a firewall should handle various types of traffic and which firewall features are enabled or disabled.
Best practice for creating a firewall ruleset is to block traffic by default and be as precise as possible about who can access what using available parameters (e.g. source and destination IP addresses, destination port). The same “principle of least privilege” applies here as elsewhere.
The security policies for a database may encompass many areas, including these:
- Acceptable usage policies restrict the ways employees or others can use the internet or network.
- Authentication controls ensure people accessing the database are who they say they are.
- Backup policies stipulating what data must be backed up when and by which means.
Encryption policies to ensure data is encrypted.
- Physical security policies defining physical access to buildings, data centres and servers.
- System maintenance policies defining time scales and methods for patching, purging and updating.
Templates to Get You Started
For many businesses, designing good security policies is a challenge. And yet they’re crucial for companies of all sizes. You need them to make sure they are appropriate to your risks, define them, implement them and communicate the procedures and best practices to staff so they are aware of their responsibilities.
While it’s not possible to create high-quality security policies automatically using our templates can be your point of departure. They will make Generating data-protection and acceptable-use policies easier by making sure you’ve at least considered standard practices. get started today by booking a demo!