Ten Ways to Boost Data Security
Britt, Phillip, Information Today
Today, most companies are focusing on data security issues and finding ways to ensure that sensitive information doesn't fall into the wrong hands. According to Paul Giardina, senior vice president for marketing at Protegrity Corp. in Stamford, Conn., there are 10 safeguards that can help companies protect themselves from falling victim to data breaches.
Giardina, who discussed security issues at the 2006 Teradata PARTNERS User Group Conference & Expo, held Sept. 17-21 in Orlando, Fla., said that companies should pursue "defense in depth" and add different layers of security as risk and value of the protected data increases.
Security threats can be addressed in specific ways to help mitigate the risks. However, the following 10 solutions are "just the start of data security processes," according to Giardina. "There is no silver bullet."
1. Comply with multiple, overlapping regulations.
In the past few years, the U.S. has introduced new regulations including the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), various state breach disclosure laws, and laws in other countries governing some international firms. The Payment Card Industry rules (the newest version of which came out in September) encompass portions of all these laws, some of which overlap.
But rules don't overlap in many areas. So, Giardina recommended that companies map out a grid showing the different rules and how different IT projects might affect them. With the grid, the company can outline which technology projects will do the most good and bring them into compliance with the most laws, and then prioritize them that way.
According to Giardina, adhering to regulatory compliance should be the minimum level of security for a company. Security technology projects also exist that make sense from a corporate standpoint, but they aren't needed for security reasons.
2. Payment Card Industry (PCI) compliance is a problem for more than 85 percent of merchants.
Visa and MasterCard have required compliance for more than 18 months so merchants could protect themselves from being subject to fines resulting from a data breach. But less than 15 percent had met PCI standards as of January 2006. Even if the percentage had doubled in the past 9 months, the majority is still short of the standard, which includes 12 different requirements (http://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf).
Giardina recommended prioritizing projects first by which security holes present the highest risk to the company (e.g., adding firewalls for personal computers), and then by ease of implementation.
3. Find ways to implement reasonable data security measures.
Implementing data security presents several challenges, Giardina said: Laws and regulations use the test of reasonableness of data security to determine the liability of the organization. "What's reasonable, like beauty, is in the eye of the beholder," he said.
Generally accepted guidelines might become default reasonableness standards, Giardina said. So companies are advised to keep records of the security controls they have implemented, their policies, and their enforcement of reasonable behavior, so that a security breach, should one occur, does not leave them liable for negligence.
And what is reasonable? The ability to cite best practices and industry benchmarks of technology deployments to demonstrate that your enterprise security program is reasonable, Giardina said.
4. Reduce high-risk behavior.
Companies are advised to reduce high-risk behavior, which continues despite company policies against it and security software designed to prevent it, according to Giardina. High-risk behaviors include transferring confidential data via e-mail or messaging applications, connecting unapproved devices (e.g., PDAs, personal laptops) to the network, accessing unauthorized data or unencrypted data on desktop or laptop computers, and copying confidential data to USB drives or other removable media. …