Digitization offers huge opportunities, but also introduces numerous and significant risks. Securing company data is more important than ever to safeguard its availability, integrity, and confidentiality. Where do you start, and what considerations do you include? This blog gives 7 helpful points of focus for improving your company's data security.
1. Management commitment and data security awareness
Security starts with commitment and awareness. The controls implemented to mitigate security risks involve several layers within the organization, and security personnel are not the only ones responsible for them. Therefore, it is important to increase data security awareness among all employees within the organization. Several tools can be used to achieve this, for example phishing campaigns, a mystery guest, or attention to data security while onboarding a new employee. The management board should ensure that resources for security controls, such as budget and time, are available and should demonstrate the importance of data security to personnel.
2. Risk analysis
Implementation of the correct controls starts with risk analysis. A risk analysis starts with registration and classification of information resources. For example, which risks are involved when using a SaaS ERP system, and what impact do they have on the availability, integrity and confidentiality of the data? Risk analysis allows you to select and implement appropriate controls.
3. Data classification
"Data that is not being used or data that is not up-to-date should be removed." or "Live data should never be used in test environments." These sound like simple rules, but in practice they have turned out to be difficult to follow. How long do you keep back-up data, for example? How do you ensure that the test environment is representative without live data? Data classification should be performed to determine to what extent data has to be confidential, of high integrity and available. Use this as a foundation to select and implement controls. Example: Is data availability more important than data confidentiality? In that case, it makes sense to create more data back-ups and keep them for longer than you would if data confidentiality were more important than availability.
4. Access control
Access control is a control that is relevant and applicable to almost all data within an organization. Access control is more than a control to ensure data confidentiality and can be applied in many more ways. For example, think about the following controls:
- Physical access controls of data carriers (physical locks, CCTV security);
- Encryption of data at rest and in transit;
- Use of multi factor authentication (MFA);
- Authorization framework in critical systems and performing a periodic audit on the implemented authorizations;
- Controls within the process of onboarding personnel, e.g. the use of RBAC (role-based access control), an authorization matrix and the approval of the data owners;
- Controls within the process of offboarding personnel, e.g. a checklist for offboarding employees and a periodic audit of user accounts in critical systems;
- Antivirus software, firewalls and IPS (intrusion prevention system).
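The periodic audit of implemented authorizations and of user accounts in critical systems (the authorization-matrix, onboarding and offboarding controls above) can be largely automated. The script below is an added example, not code from the original post or from any particular product: it takes a constructed authorization matrix (job function to allowed roles), a constructed HR roster, and a constructed export of a critical system's user/role assignments, and reports accounts with no HR record, accounts that survived offboarding, and roles that exceed what the matrix allows for the user's job function. All names and roles are made up for illustration.

```python
"""Periodic authorization audit for a critical system.

Added example (not from the original post). Compares actual account/role
assignments against an authorization matrix and the HR roster, which is what
the "periodic audit of the implemented authorizations" control boils down to.
All input data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed authorization matrix: job function -> roles allowed in the ERP.
AUTHORIZATION_MATRIX = {
    "accountant": {"erp.ledger.read", "erp.ledger.post"},
    "warehouse": {"erp.stock.read", "erp.stock.adjust"},
    "it_admin": {"erp.admin"},
}

# Constructed HR roster: user id -> (job function, still employed?).
HR_ROSTER = {
    "alice": ("accountant", True),
    "bob": ("warehouse", True),
    "carol": ("it_admin", True),
    "dave": ("accountant", False),  # offboarded last month
}

# Constructed export of the critical system's user/role assignments.
SYSTEM_ACCOUNTS = {
    "alice": {"erp.ledger.read", "erp.ledger.post"},
    "bob": {"erp.stock.read", "erp.stock.adjust", "erp.admin"},  # excess role
    "carol": {"erp.admin"},
    "dave": {"erp.ledger.read"},        # account survived offboarding
    "svc_legacy": {"erp.ledger.post"},  # no HR record at all
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "orphan_account", "offboarded_active" or "excess_role"
    detail: str


def audit_authorizations(matrix, roster, accounts):
    """Return a list of Findings, one per deviation from the matrix/roster."""
    findings = []
    for user, roles in sorted(accounts.items()):
        if user not in roster:
            # Account exists in the system but HR knows nothing about it.
            findings.append(Finding(user, "orphan_account",
                                    "no HR record for this account"))
            continue
        job, active = roster[user]
        if not active:
            # Offboarding checklist failed: account should have been removed.
            findings.append(Finding(user, "offboarded_active",
                                    f"account still exists after offboarding ({job})"))
            continue
        # Roles the user holds beyond what the matrix allows for their job.
        for role in sorted(roles - matrix.get(job, set())):
            findings.append(Finding(user, "excess_role",
                                    f"role {role} not allowed for job function {job}"))
    return findings


def summarize(findings):
    """Count findings per kind, handy for tracking the control over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_authorizations(AUTHORIZATION_MATRIX, HR_ROSTER, SYSTEM_ACCOUNTS):
        print(f"{f.kind:18} {f.user:12} {f.detail}")
    print(summarize(audit_authorizations(AUTHORIZATION_MATRIX, HR_ROSTER, SYSTEM_ACCOUNTS)))
```

In practice the three inputs would be exported from the HR system, the authorization matrix approved by the data owners, and the critical system itself; the value of the audit comes from running it on a fixed schedule and treating every finding as a ticket, so that the onboarding and offboarding controls are verified rather than assumed.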
5. Incident management
In spite of all the controls that have been implemented, data security incidents still take place in every organization. Registering incidents is key to resolving them, following them up and keeping an overview of them. Because data security applies to every layer within the organization, data security awareness among all employees (also see point 1) is very important. Employees should know when an incident is a data security incident and when it is not. In addition, employees should know where and how to report an incident and be aware of the importance of registering incidents. The registration of incidents allows the organization to identify problems and to implement or modify controls to solve them.
6. Vendor management
As an organization you depend on vendors with regard to data security. When company data is stored on a vendor's server and that vendor is not in control of its data security, additional security risks are introduced. Therefore, it is important that vendors agree to security standards and that this is formally documented. In addition, your vendor should agree to a right to audit or periodically present their audit reports. Data security standards are usually documented in one of the following agreements:
- General Terms;
- Data Processing Agreement (DPA).
How can you be sure that the implemented controls are effective, that all personnel are following the standards, procedures and guidelines, and that all risks are covered by the implemented controls? Internal audits are an effective way to check and review a large share of the controls. An external IT auditor can help the organization by looking from a different perspective, identifying additional risks and assessing the effectiveness of the controls. An assurance report can demonstrate to stakeholders that the organization is operating in a secure way. In addition, the advice of an IT auditor provides guidance and backing for the improvement of controls.