We’ve begun to see news headlines where organisations receive fines for lack of adequate data protection. Regulators will never be able to police every non-compliant company, so what is the data protection regulation for in most cases?

While the GDPR is an enforcement framework, it is also a set of guiding principles that you can use to build a data protection framework. This is why we think the GDPR is really about “Getting Data Protection Right”.

We’ve studied the regulation and used it to create a framework consisting of nine pillars of data protection. If you travel naturally down the path of GDPR compliance and implement these nine pillars, you’ll improve your business’s data handling as well as reduce the possibility of being sanctioned. In this article, we look at the fifth pillar: Data Security Policies. We’ll review the different types of data security policies and offer a solution for generating them.
Document Your Security and Operating System Configurations

Documenting security configurations, OS configurations, and other IT configurations is the work of security managers or security engineers. These tasks sound unproductive, but they’re vital. Why?

In our world, where even the smallest companies use technology to do their day-to-day work, it’s better to record and track the configuration of that technology to ensure the smooth running of the business. The practice of documenting has several benefits:
- Reducing the risk of outages and data breaches, and the harm they cause.
- Helping to identify configuration errors made by administration staff quickly.
- Letting IT staff restore service faster, because they have base configuration and change records to work from.
- Helping IT staff design safe, non-disruptive future changes to configurations.
- Reducing costs by identifying or avoiding overlapping functionality.
Password and Account Management Policies

Computer hacking via weak or stolen passwords tops many lists of cybercrime causes, and it is a common cause of data breaches. Hence, it’s always advisable to create robust policies for password use.

A useful password policy should consider:
- Limiting the number of times a password can be reused, or how long it remains usable.
- Setting minimum length and complexity requirements, which make passwords harder to crack.
- Requiring passphrases, which are harder to crack than passwords yet easier to remember.
- Auditing passwords and password changes to help track security threats.
- Locking an account after repeated wrongly entered passwords.
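The rules above can be expressed as code that an application or identity service enforces. The following is an added example written for this article, not code from the original post or from any product it mentions; the thresholds (12-character minimum, 3 character classes, a 5-password history, a one-year maximum age, lockout after 5 failures for 15 minutes) are constructed assumptions, as is the in-memory audit log, which stands in for whatever logging system an organisation actually uses.

```python
"""Password and account policy enforcement (added illustration, not the article's code).
All thresholds below are constructed assumptions, not values the article prescribes."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import re

# Constructed policy thresholds.
MIN_LENGTH = 12
PASSPHRASE_MIN_LENGTH = 20     # a long multi-word passphrase may skip the class rule
MIN_CHAR_CLASSES = 3           # out of: lower, upper, digit, symbol
HISTORY_SIZE = 5               # previous passwords that may not be reused
MAX_AGE = timedelta(days=365)  # password must be changed after this
MAX_FAILED_ATTEMPTS = 5        # lock the account after this many consecutive failures
LOCKOUT = timedelta(minutes=15)


def _hash(password: str, salt: str) -> str:
    # PBKDF2 keeps the example dependency-free; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def check_strength(password: str) -> list[str]:
    """Return the strength rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    # A long passphrase of several words is accepted even without mixed character classes.
    is_passphrase = len(password) >= PASSPHRASE_MIN_LENGTH and len(password.split()) >= 3
    if classes < MIN_CHAR_CLASSES and not is_passphrase:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    return problems


@dataclass
class Account:
    username: str
    salt: str
    current_hash: str = ""
    changed_at: datetime = datetime.min
    history: list[str] = field(default_factory=list)    # previous hashes, newest last
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    audit_log: list[str] = field(default_factory=list)  # constructed in-memory audit trail

    def set_password(self, new_password: str, now: datetime) -> list[str]:
        """Apply strength and reuse rules; return violations (empty list = password changed)."""
        problems = check_strength(new_password)
        new_hash = _hash(new_password, self.salt)
        if new_hash == self.current_hash or new_hash in self.history[-HISTORY_SIZE:]:
            problems.append(f"matches the current or one of the last {HISTORY_SIZE} passwords")
        if problems:
            self.audit_log.append(f"{now.isoformat()} {self.username} change rejected: {problems}")
            return problems
        if self.current_hash:
            self.history.append(self.current_hash)
        self.current_hash = new_hash
        self.changed_at = now
        self.audit_log.append(f"{now.isoformat()} {self.username} password changed")
        return []

    def is_expired(self, now: datetime) -> bool:
        return now - self.changed_at > MAX_AGE

    def authenticate(self, password: str, now: datetime) -> str:
        """Return 'ok', 'locked', 'expired' or 'bad', applying the lockout rule."""
        if self.locked_until is not None and now < self.locked_until:
            self.audit_log.append(f"{now.isoformat()} {self.username} attempt while locked")
            return "locked"
        if _hash(password, self.salt) != self.current_hash:
            self.failed_attempts += 1
            self.audit_log.append(f"{now.isoformat()} {self.username} failed attempt #{self.failed_attempts}")
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT
                self.audit_log.append(f"{now.isoformat()} {self.username} locked until {self.locked_until.isoformat()}")
            return "bad"
        self.failed_attempts = 0
        return "expired" if self.is_expired(now) else "ok"


def demo() -> list[str]:
    """Walk one constructed account through the policy and return the outcomes in order."""
    now = datetime(2024, 1, 1)                      # constructed timestamp
    acct = Account("alice", salt="constructed-salt")
    out = ["set:" + ("ok" if not acct.set_password("Tr0ub4dor&3xxxx", now) else "rejected")]
    out.append("reuse:" + ("ok" if not acct.set_password("Tr0ub4dor&3xxxx", now) else "rejected"))
    out.append("login:" + acct.authenticate("Tr0ub4dor&3xxxx", now))
    for _ in range(MAX_FAILED_ATTEMPTS):
        out.append("wrong:" + acct.authenticate("guess", now))
    out.append("after-lock:" + acct.authenticate("Tr0ub4dor&3xxxx", now))
    out.append("after-wait:" + acct.authenticate("Tr0ub4dor&3xxxx", now + LOCKOUT))
    out.append("a-year-on:" + acct.authenticate("Tr0ub4dor&3xxxx", now + MAX_AGE + timedelta(days=1)))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Each decision is written to the audit trail, which is what the “auditing passwords and password changes” bullet asks for: a reviewer can later see rejected changes, the run of failed attempts and the lockout that followed, without the log ever containing a password.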
Antivirus, Firewall and Database Policies

As part of an efficient data-protection framework, companies need policies in place which govern the use and configuration of antivirus software, firewalls, and databases. Let’s take a quick look at each of these.
Antivirus Policies

Antivirus policies for workstations and servers control the software in various ways:
- Timing: when to scan for viruses and download new definitions.
- Functionality: how the software handles unwanted programmes and spyware.
- Emails: method of email scanning and how harmful messages and attachments are reported.
- Identity theft measures: configuration that protects user identities and web-browsing.
Firewall Policies

Firewalls come in two main forms: network-based and host-based. The latter is installed directly on individual PCs as software, while the former resides in the cloud or on a dedicated server and filters traffic between the Internet and a LAN. A firewall policy defines how a firewall should handle various types of traffic and which firewall features are enabled or disabled.

Best practice for creating a firewall ruleset is to block traffic by default and be as precise as possible about who can access what using the available parameters (e.g. source and destination IP addresses, destination port). The same “principle of least privilege” applies here as elsewhere.
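To make the default-deny, least-privilege ruleset concrete, here is an added example (not the article's own code, and not the syntax of any real firewall product): a small first-match evaluator over rules keyed on protocol, source and destination networks and destination port, with a deny that applies to anything no rule explicitly allows, plus an audit helper that flags any-to-any allow rules. The networks and hosts (a LAN on 10.0.0.0/24, a DMZ web server at 10.0.1.10, an admin workstation at 10.0.0.5, an internal resolver at 10.0.0.53) are constructed sample values.

```python
"""Default-deny firewall ruleset evaluation (added illustration, not the article's code).
All addresses, networks and ports are constructed sample values."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    """One allow/deny rule. A field left as None means 'any'."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src is None or pkt.src in self.src)
                and (self.dst is None or pkt.dst in self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First matching rule wins; traffic no rule allows is denied by default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny (no rule matched)"


# Constructed topology: a LAN behind the firewall, one web server in a DMZ.
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("10.0.0.0/24")
ADMIN_HOST = ip_network("10.0.0.5/32")
RESOLVER = ip_network("10.0.0.53/32")
DMZ_WEB = ip_network("10.0.1.10/32")

# Each allow names exactly who may reach what; there is deliberately no catch-all allow.
RULESET = [
    Rule("allow", "tcp", ANY, DMZ_WEB, 443, "public HTTPS to the web server"),
    Rule("allow", "tcp", ADMIN_HOST, DMZ_WEB, 22, "SSH only from the admin workstation"),
    Rule("allow", "tcp", LAN, ANY, 443, "LAN users may browse HTTPS sites"),
    Rule("allow", "udp", LAN, RESOLVER, 53, "LAN DNS to the internal resolver"),
]

# A ruleset of the kind the audit below is meant to catch (constructed counter-example).
PERMISSIVE_RULESET = [Rule("allow", None, None, None, None, "permit everything")]


def decide(proto: str, src: str, dst: str, dport: int, rules: list[Rule] = RULESET) -> str:
    """Convenience wrapper: evaluate one flow against a ruleset and return the action."""
    return evaluate(rules, Packet(proto, ip_address(src), ip_address(dst), dport))[0]


def audit_ruleset(rules: list[Rule]) -> list[str]:
    """Flag allow rules that name neither a specific source, destination nor port."""
    findings = []
    for i, r in enumerate(rules):
        wide_src = r.src is None or r.src.prefixlen == 0
        wide_dst = r.dst is None or r.dst.prefixlen == 0
        if r.action == "allow" and wide_src and wide_dst and r.dport is None:
            findings.append(f"rule {i} ({r.comment!r}): any-to-any allow with no port; violates least privilege")
    return findings


if __name__ == "__main__":
    for flow in [("tcp", "203.0.113.7", "10.0.1.10", 443), ("tcp", "203.0.113.7", "10.0.1.10", 22),
                 ("tcp", "10.0.0.5", "10.0.1.10", 22), ("tcp", "10.0.0.9", "198.51.100.1", 23)]:
        print(flow, "->", decide(*flow))
    print(audit_ruleset(PERMISSIVE_RULESET))
```

The point the evaluator makes is that the last line of `evaluate` is the policy: because nothing reaches an implicit allow, adding a new service means writing a rule that states source, destination and port, which is exactly the precision the best-practice paragraph calls for. The audit function is a cheap review step to run whenever the ruleset changes.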
Database Policies

The security policies for a database may encompass many areas, including these:
- Acceptable usage policies restrict the ways employees or others can use the internet or network.
- Authentication controls ensure people accessing the database are who they say they are.
- Backup policies stipulating what data must be backed up, when, and by which means.
- Encryption policies ensuring that data is encrypted.
- Physical security policies defining physical access to buildings, data centres and servers.
- System maintenance policies defining time scales and methods for patching, purging and updating.