Strategy should ensure that data remains secure


POSTED: Sunday, October 04, 2009

With the rise in incidents of identity theft over the past few years, many organizations are rightfully concerned about keeping their customers' data private. While the financial service industry has been regulated since the late '90s by the federal government, other companies would be wise to follow their lead.

For some years now, financial service companies have had to comply with the provisions of the oft-maligned Gramm-Leach-Bliley Act. Among other things, GLBA calls for a process that begins with an assessment of an organization's information systems and the risks to them, followed by development of a security strategy, implementation of that strategy and, finally, ongoing monitoring and testing of the controls put in place.

Sounds simple, right? Well, as the saying goes, the devil is in the details. There are a handful of sensitive areas that should be addressed in an organization's security strategy. The first is access control, which ensures that the right people can get onto the systems they need to do their jobs, and, just as important, that everyone else is kept out of systems they have no reason to use.

Access must be controlled at the network, operating system and application levels, and the strategy should also take into account remote access, which is often the weakest of the three.

Another area of concern is protection of the physical environment. This includes security of the data center and even components within the data center, such as safes used for storing backup media. In addition to keeping intruders out of the data center, care should be taken to protect it from environmental hazards such as fire, smoke, water and electrical interference, among others.

Of course, the human element is always a major concern. After all, staff and contractors with access are always capable of altering or deleting data and of disrupting or destroying systems, whether by mistake or on purpose. Anyone who touches the systems should be fully vetted before being granted access and properly trained afterward.

Along these lines, organizations often outsource some of their IT functions, and the same care applies to outside parties as to in-house staff. Vendors should be selected carefully, and security responsibilities, required controls and reporting obligations should be spelled out contractually. Nondisclosure agreements also should be executed to protect data shared with the vendor.

In light of the recent tsunami, which easily could have affected Hawaii, organizations must plan for disastrous incidents and for how operations will continue under such conditions, and those plans should be tested rather than left on the shelf.

This is by no means a comprehensive list. Organizations that address these issues will, however, have a leg up on those that do not.