Data security is a multifaceted area of expertise requiring extensive involvement by an organization's CIO, IT department, and virtually every area of the business that touches organizational data. With cybercrime and data breaches occurring at an ever-increasing rate, keeping your customers' data secure is essential. Negligence or a misinterpretation of security regulations can compromise both your customers' sensitive information and your organization's reputation.
A key component in data security involves gaining a comprehensive understanding of what data your company is responsible for. Stakeholders should be heavily invested in processes surrounding data management, such as those provided by DAMA (the Data Management Association), which publishes the DMBoK (Data Management Body of Knowledge). The DMBoK defines ten knowledge areas that it considers to be the core of Information and Data Management:
- Data Governance (the central knowledge area that connects all the others)
- Data Architecture Management
- Data Development
- Data Security Management
- Data Operations Management
- Data Warehousing and Business Intelligence
- Document and Content Management
- Reference and Master Data Management
- Data Quality Management
- Metadata Management
The DAMA-DMBoK does not purport to be a complete authority on data management, but it does attempt to provide a centralized resource for data management functions, terminology, and best practices. Key decision makers and data management experts should be well versed in at least the core functional knowledge areas to give your organization a basis on which to build business competency in successful data management practices.
Additionally, employees should be familiar with data protection guidelines as well as relevant laws and regulations so they can implement them in their workflow. Federal and State laws, such as SOX, HIPAA, FISMA, and GLB, may impose specific compliance requirements on your organization with regard to data management. Ensure that your team is aware of what, how, and where specific data is stored, while being mindful of your organization's commitment to strong data management best practices and information security.
Password Security and 2FA
Password security can be among the most important yet also one of the most overlooked areas of data security. Passwords are your organization's first line of defense against unauthorized access, requiring a unique sequence of characters to access a device, service, resource, or document. A password can be unique to the user, a team of users, or an organization (in the case of a Wi-Fi network). Hallmarks of secure passwords include minimum lengths, lack of dictionary-based wording, and frequent forced rotation of passwords.
NIST, the National Institute of Standards and Technology, publishes a regularly updated password security and information security guideline your organization can utilize. In the past, NIST recommended extremely complex passwords with unique characters and randomization scoring. In the most recent update, you'll find that this has changed. NIST recognizes that for the past few decades, when password complexity requirements were cumbersome, non-technical end users began to simply write their passwords down, effectively negating any security gains from enforcing strict and complex password policies.
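The shift described above, from composition rules to length plus a dictionary/blocklist screen, is easy to see in code. This is an added example, not code from the original article or from Genesis Adaptive; the blocklist and the leet-speak substitution table are constructed stand-ins for the large breached-password and dictionary lists a real deployment would use.

```python
"""Password screening in the spirit of NIST SP 800-63B: enforce length and
reject dictionary/blocklisted words, without composition (symbol/digit) rules.
Added example; the word list below is constructed, not a real breach corpus."""
import re
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8    # floor for user-chosen memorized secrets
MAX_LENGTH = 64   # long passphrases must be allowed, so cap generously

# Constructed blocklist standing in for dictionary words, breached passwords
# and organisation-specific terms (in practice a large file or a lookup service).
BLOCKLIST = {"password", "letmein", "welcome", "qwerty", "summer", "monkey"}

# Common substitutions users make to satisfy old complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a candidate to the dictionary word it is built on:
    Unicode-normalise, lower-case, strip leading/trailing digits and
    punctuation (e.g. 'Welcome2019!'), then undo leet substitutions."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def check_password(pw: str, context_terms: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    context_terms are site- or user-specific words (company name, username)."""
    problems = []
    n = len(pw)
    if n < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    blocked = BLOCKLIST | {t.lower() for t in context_terms}
    if pw.lower() in blocked or normalize(pw) in blocked:
        problems.append("matches a blocklisted word")
    if n > 0 and len(set(pw)) == 1:
        problems.append("repeated single character")
    return problems


if __name__ == "__main__":
    for cand in ("P@ssw0rd1", "Tr0ub4d", "correct horse battery staple"):
        print(repr(cand), "->", check_password(cand) or "accepted")
```

Note that the passphrase with no digits or symbols is accepted while the "complex" looking `P@ssw0rd1` is not, which is exactly the trade-off the updated guidance makes.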
In addition to modifying the complexity requirements, NIST has suggested for quite some time that organizations implement a form of Two-Factor Authentication.
Authentication relies on certain “factors”:
- Something you know, such as passwords or passphrases.
- Something you possess, such as a hardware token or a phone.
- Something that is a part of you, such as your eyes, fingerprints, or any biometric identification.
Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is a combination of two or more of the above authentication factors. In its infancy, 2FA was implemented using standard SMS, a highly insecure method of sending one-time passcodes via OTA text messaging. This method was officially deprecated by NIST in Special Publication 800-63B. Companies such as Duo, OneLogin, Twilio, Google, and Microsoft provide applications and services that implement secure, NIST compliant, multi-factor authentication frameworks.
For decades, certain sectors of private business have been governed by specific US legislation regarding data security. Businesses in the financial, healthcare, and educational sectors in particular are in focus due to the sensitive nature of the data they handle. From social security numbers and addresses, to account information and access to hundreds of billions of dollars, these industries hold the keys to global financial health. As such, lawmakers and regulators have crafted specific legislation regarding keeping this data
Specific U.S. legislation, including HIPAA, the Fair Credit Reporting Act (FCRA), and the Electronic Communications Privacy Act (ECPA), has established such oversight and regulation by the U.S. government. In Europe, the EU General Data Protection Regulation (GDPR) applies to an even wider subsection of the economy. These laws and regulations are wide-ranging and govern how customer data may be acquired, retained, and used.
These days, it's simply not enough to draft a generic privacy statement for your website. Instead, organizations need to make sure their privacy statement is in-depth, logical, and easy for customers to understand. An effective privacy statement should clearly delineate the private information your business collects from customers, how it is used or shared with any third-party organizations, and the length of time that the data is stored. Be forthcoming with how long customer data is kept and how it is used. If a customer decides that they do not want their information stored on your site, you must ensure and communicate that procedures are in place that allow them to remove their data from your company's servers.
Without a strong understanding of data management best practices and a knowledge of what metrics to evaluate in your current infrastructure, organizations can fall prey to fines, legal sanctions, and worse, compromised customer data. For more information on evaluating your network's data security management, reach out today and talk to one of our trained IT security professionals.
Genesis Adaptive specializes in several data security areas:
- Encrypted Data in Transit and at Rest
- Information Security and Assurance
- Best-practice Formation
- Regulatory Compliance (SOX, HIPAA, FISMA, GLB)
- Disaster Recovery (Backups, Hot-Standby)
- Data Security Audits
- And more…