Data Breaches Part I - Is it possible to prevent the inevitable?

Step 2: Perform a company-wide risk assessment/inventory

Internally, there are steps an organization can take on a daily, weekly, monthly or quarterly basis that may limit the initial damage of a data breach, or catch a potential breach before it occurs, with or without a third party intervening.

When thinking of a risk assessment, it is easy to think only in terms of information technology security. But human error (lost or stolen laptops, disk drives, USB drives, backup tapes) sits at the top of the data breach equation, so a complete and comprehensive assessment that reaches well beyond the IT department is imperative.

  • IT Systems - Assess all internal hardware and software. Are we, the organization, using 128-bit encryption for file transfers, file uploads, web servers, email servers, data in motion and data at rest? Do we employ tools such as intrusion detection/intrusion prevention (IDS/IPS)? Who has access to mainframes, databases, passwords, and any other place where sensitive data is stored? Do we monitor network and system performance, disk usage, Internet activity, and access routines? Do we use network security monitoring tools and security event/log correlation and analysis tools?

  • Data and document disposal - Who handles the retrieval and disposal of all sensitive data and documents? What are the current procedures for proper disposal? Are records physically thrown away? Are we following state and federal guidelines in document disposal?

  • Third-party vendors - How do third-party vendors handle and store customers' data? How do we, the organization, confirm that the third party is compliant in properly using and disposing of customer data? Who verifies the third-party company?

  • Human Resources - How does the HR department retrieve, disseminate and dispose of sensitive information such as Social Security Numbers, employee resumes, employee credit check information, and criminal background checks? What are the HR department's practices and procedures? How does the HR department respond to and evaluate employee exits (off-boarding)?
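The questions in the IT Systems bullet are the ones most easily turned into a repeatable, automated inventory check, and the per-department view supports the point that the assessment must reach beyond IT. The following Python script is an added example, not tooling from this page or from PCI Compliance Guide.org: it assumes a constructed asset inventory (the three assets and their owners are invented), takes the 128-bit floor from the checklist above, and treats the limit of three privileged users per asset as an assumed policy value.

```python
# Added example, not code from the page: a small asset-inventory checker that
# turns the "IT Systems" risk-assessment questions into automated findings.
# The inventory below is constructed; the 3-admin limit is an assumed policy.
from dataclasses import dataclass, field
from typing import Dict, List

MIN_KEY_BITS = 128   # encryption floor the checklist asks about
MAX_ADMINS = 3       # assumed policy: how many people may hold privileged access

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Asset:
    name: str
    owner: str                 # department accountable for the system
    stores_sensitive: bool     # holds card data, SSNs or other sensitive records
    at_rest_bits: int          # key length protecting stored data; 0 = unencrypted
    in_motion_bits: int        # key length for transfers/web/email; 0 = cleartext
    ids_ips: bool              # covered by intrusion detection/prevention
    log_monitoring: bool       # logs collected and correlated centrally
    admins: List[str] = field(default_factory=list)  # documented privileged users


@dataclass
class Finding:
    asset: str
    severity: str
    message: str


def assess(asset: Asset) -> List[Finding]:
    """Evaluate one asset against the checklist and return its findings."""
    findings: List[Finding] = []

    def add(severity: str, message: str) -> None:
        findings.append(Finding(asset.name, severity, message))

    if asset.stores_sensitive and asset.at_rest_bits < MIN_KEY_BITS:
        add("high", f"data at rest protected by {asset.at_rest_bits}-bit key (< {MIN_KEY_BITS})")
    if asset.in_motion_bits < MIN_KEY_BITS:
        add("high", f"data in motion protected by {asset.in_motion_bits}-bit key (< {MIN_KEY_BITS})")
    if not asset.ids_ips:
        add("medium", "no IDS/IPS coverage")
    if not asset.log_monitoring:
        add("medium", "no log collection/correlation")
    if len(asset.admins) > MAX_ADMINS:
        add("medium", f"{len(asset.admins)} privileged users exceeds limit of {MAX_ADMINS}")
    if asset.stores_sensitive and not asset.admins:
        add("low", "no documented access list for a sensitive data store")
    return findings


def assess_inventory(assets: List[Asset]) -> List[Finding]:
    """Assess every asset and return findings ordered high -> medium -> low."""
    findings = [f for a in assets for f in assess(a)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.asset))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity; every severity is present, even at zero."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


def by_owner(findings: List[Finding], assets: List[Asset]) -> Dict[str, int]:
    """Findings per accountable department, so the assessment reaches beyond IT."""
    owner_of = {a.name: a.owner for a in assets}
    counts: Dict[str, int] = {}
    for f in findings:
        counts[owner_of[f.asset]] = counts.get(owner_of[f.asset], 0) + 1
    return counts


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("cardholder-db", "IT", True, 256, 256, True, True, ["dba-1", "dba-2"]),
    Asset("legacy-ftp", "IT", True, 0, 56, False, False,
          ["ops-1", "ops-2", "ops-3", "ops-4", "ops-5"]),
    Asset("hr-fileshare", "HR", True, 128, 128, True, True, []),
]

if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.asset}: {f.message}")
    print("summary:", summarize(results))
    print("by owner:", by_owner(results, SAMPLE_INVENTORY))
```

Run it as a script to see the ranked findings; in practice the inventory would be loaded from a CMDB export or spreadsheet rather than hard-coded, and the thresholds would come from the organization's written policy so that each finding maps to a question the assessment team can take to the system owner.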


© 2008 PCI Compliance Guide.org