Data Security - Top 10 Best Practices
CIO's and IT Managers' are challenged to meet compliance requirements for data security and at the same time meet the data requirements of a full range of desperate users
They are tasked with protecting an organization's data, but often without the business-context needed to do this effectively. When considering how valuable an organization's data is, a 'best guess' scenario is not enough. There are certain best practices that CIOs and IT departments should follow to keep data secure and protected, while still allowing authorized users to have the access to the data and information they need in a timely manner.
A company's data is typically is protected by access control lists containing security groups and particular organizational roles. Users are assigned to a security group depending on their role in the company and/or organizational need.
There are best practices that CIOs need to implement in order to protect a businesses' data:
- Understand who is accessing data via frequent auditing and real-time monitoring of data access - A comprehensive record of access is vital to the effective management of any data. A proper record of data use, allows an organization to answer critical questions, such as who deleted particular files, what data specific individuals use and what is not being used. It will also allow a business to answer more complicated questions such as who owns a particular data, which data support a particular business unit and how can data be locked down without disrupting work-flows.
- Keep current records on data access permissions - CIOs cannot effectively manage any data without understanding that can and can't access it. All too often IT cannot quickly and easily answer data protection questions such as who has access to a particular data? Or what data a user or group does have access to? IT must be able to answer these questions accurately and quickly for data protection and management projects to work.
- Classify data by sensitivity - While all a company's information needs to be protected, some information needs that protection more urgently. Audit trails, data classification technology and access control information help businesses to identify active and stale data, as well as data that is sensitive, classified or internal, and data that is accessible to many people.
- Minimize and remove global access rights - Sometimes folders on file shares have access control permissions allowing 'everyone' or 'all domain users' to access the data they contain. This is a significant potential risk, as any information housed in that folder will inherit those permissions, and those who place information in these wide-open folders may be unaware of the unsecured settings. Sensitive data, such as PII, credit card information, intellectual property or HR information can lead to enormous security problems.
- Identify data owners and users - An organization's technical department should maintain a list of data business owners and the data they own. Through this list, CIOs and IT departments can expedite many of the previously identified tasks, such as verifying permissions revocation and review and identifying data for archival. Ultimately, being able to identify the data owners will lead to a marked increase in the accuracy of data entitlement permissions and, in turn, data protection.
- Include data access reviews when individuals are transferred, promoted, or terminated - When an individual within a company changes their role, that user should more than likely no longer have access to data resources that they no longer need. In order to do this successfully, the business must know at the very minimum what data and which security groups require review, which groups grant access to which data and who owns a particular data set. Performing these reviews will make sure that can only be accessed by individuals who strictly need it.
- Align groups to data ownership and management - When data access is controlled by groups, it is vital that the groups are properly aligned with the data they are in place to protect. A group should have the ability to grant access to the data that are control and nothing else.
- Audit permissions and group changes - Access control lists play a vital role in protecting data from loss, tampering or exposure. Group membership should be authorized and reviewed by the owner of the data or resource to which the group provides access.
- Lock down, delete or archive stale, unused data - A significant amount of data housed on unstructured and semi-structured platforms is stale. By archiving stale or unused data to off-line storage or deleting it, IT makes the job of managing the remainder simpler and easier, while freeing up an expensive resource.
- Clean up security groupings - Unneeded complexity hampers performance and facilitates mistakes. Businesses create so many groups that they often have as many as they do users and many of these groups are likely to be empty, unused or redundant. Access control lists often contain references to previously deleted users and groups and these groups must be identified and re-mediated.
Security Manual - Comprehensive, Detailed, and Customizable
The Security Manual is over 240 pages in length. All versions of the Security Manual Template include both the Business IT Impact Questionnaire and the Threat Vulnerability Assessment Tool (they were redesigned to address Sarbanes Oxley compliance).
In addition, the Security Manual Template PREMIUM Edition contains 16 detail job descriptions that apply specifically to security and Sarbanes Oxley, ISO security domains, ISO 27000 (ISO27001 and ISO27002), PCI-DSS, HIPAA, FIPS 199, and CobiT.
The Security Manual has recommended policies, procedures and written agreements with employees, vendors and other parties who have access to the company's technology assets. To make this process as easy as possible, Janco provides 18 formatted electronic forms for distribution and documentation. All forms are in easy-to-edit Microsoft Word templates so all you need to do is add your corporate logo, make your own additions and changes and your task of policy and procedure documentation is nearly complete!
The forms included are:
- Application & File Server Inventory
- Blog Policy Compliance Agreement
- BYOD Access and Use Agreement
- Company Asset Employee Control Log
- Email Employee Agreement
- Employee Termination Procedures and Checklist
- FIPS 199 Assessment
- Internet Access Request Form
- Internet and Electronic Communication Employee Agreement
- Internet use Approval
- Mobile Device Access and Use Agreement
- Mobile Device Security and Compliance Checklist
- New Employee Security Acknowledgment and Release
- Outsourcing and Cloud Security Compliance Agreement
- Outsourcing Security Compliance Agreement
- Preliminary Security Audit Checklist
- Privacy Compliance Policy Acceptance Agreement
- Risk Assessment (pdf & docx)
- Security Access Application
- Security Audit Report
- Security Violation Procedures
- Sensitive Information Policy Compliance Agreement
- Server Registration
- Social networking Policy Compliance Agreement
- Telecommuting Work Agreement
- Text Messaging Sensitive Information Agreement
- Threat and Vulnerability Assessment Inventory
- Work From Home Work Agreement
Data Security and Protection are a priority and this template is a must have tool for every CIO and IT department. Over 3,000 enterprise worldwide have acquired this tool and it is viewed by many as the Industry Standard for Security Management and Security Compliance.
Security Manual Template purchase options
Security Manual Template - Standard Edition
- Business and IT Impact Questionnaire
- Threat and Vulnerability Assessment Toolkit
- Security Management Checklist
- Full Detail Policies for
- Blog and Personal Website Policy
- Internet, Email, Social Networking, Mobile Device, and Electronic Communication Policy
- Mobile Device Policy
- Physical and Virtual File Server Policy
- Sensitive Information Policy
- Travel and Off-Site Meeting Policy
- Job Descriptions for the Chief Compliance Officer, Chief Security Officer, Data Protection Officer, Manager Security and Workstations, Manager WFH Support, Security Architect, and Systems Administrator.
- Work From Home (WFH) operational rules
- HIPAA Audit Program
- GDPR Compliance Checklist to meet EU Requirements
- CCPA - California Consumer Privacy Act requirements definition
- Consumer Bill of Rights
- Sarbanes Oxley Section 404 Checklist
- Security Audit Program- fully editable -- Comes in MS EXCEL and PDF formats -- Meets GDPR, ISO 28000, 27001, 27002, Sarbanes-Oxley, PCI-DSS, HIPAA FIPS 199, and NIS SP 800-53 requirements -- Over 400 unique tasks divided into 11 areas of audit focus which are the divided into 38 separate task groupings
- Electronic forms that can be Emailed, completed via a computer or tablet, and stored electronically including: Blog Policy Compliance, BYOD Access and Use, Company Asset Employee Control Log, Email - Employee Acknowledgment, Employee Termination Checklist, FIPS 199 Assessment Electronic Form, Internet Access Request, Internet Use Approval, Internet & Electronic Communication - Employee Acknowledgment, Mobile Device Access and Use Agreement, Employee Security Acknowledgment Release, Preliminary Security Audit Checklist, Risk Assessment, Security Access Application, Security Audit Report, Security Violation Reporting, Sensitive Information Policy Compliance Agreement, Server Registration, and Threat and Vulnerability Assessment
- eReader version of the Security Manual Template
Security Manual Template - Premium Edition
- Security Team Job Descriptions MS Word Format
- Chief Compliance Officer (CCO); Chief Security Officer (CSO); VP Strategy and Architecture; Data Protection Officer (DPO); Director e-Commerce; Database Administrator; Data Security Administrator; Manager Data Security; Manager Facilities and Equipment; Manager Network and Computing Services; Manager Network Services; Manager Training and Documentation; Manager Voice and Data Communication; Manager Wireless Systems; Identity Management Protection Analyst, Information Security Analyst, Network Security Analyst; System Administrator - Linux, System Administrator - Unix; and System Administrator - Windows
Security Manual Template - Gold Edition
- IT Job Descriptions MS Word Format - Updated to meet all mandated security requirements
- 312 Job Descriptions from the Internet and IT Job Descriptions HandiGuide in MS Word Format including all of the job descriptions in the Premium Edition. Each job description is at least 2 pages long and some of the more senior positions are up to 8 pages in length.