Is Data Privacy part of your Company's Culture?

Published: 2016-07-03
Last Updated: 2016-07-03 22:35:14 UTC
by Guy Bruneau (Version: 1)
3 comment(s)

I was reading a while back about the FDIC data losses: five major breaches since Oct 30, 2015, involving taxpayers' personally identifiable information, which could have been prevented with a combination of host-based and network controls that stop sensitive data from leaving the network. According to the information released, the breaches occurred because individuals copied data to USB drives which then left the premises. A strong and effective security policy restricting the use of USB drives could have helped prevent this. All removable drives should be encrypted, and the ability to write to a removable drive should be limited to a small, named set of users, so that every transfer can be traced back to someone.

Here are three tips I think can help:

1- Have HR involved and provide awareness training [1] on a regular basis

Have the human resources (HR) department run awareness training on a regular basis, with an emphasis on the organization's data access policy, and explain the consequences to the company and to the individual when data is lost. If the data policy changes, HR must explain clearly what those changes are and why they were implemented.

2- Track, tag and audit sensitive data

It is possible to protect corporate data by tagging and classifying it properly. Employees should have access to the data they need to do their job (need to know) and nothing else. Auditing and reporting on who accesses what helps you understand whether the proper controls and safeguards are working. These controls should also be applied to who prints which documents. For example, if you do business in the EU, in May 2018 the EU [2] is implementing a new data protection regulation. This update means stiffer penalties of "[...] up to 4% of their global annual turnover." [3]
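The "audit who accesses what" part of this tip, as an added example that is not from the diary: a PowerShell script that turns on file-system object access auditing on a Windows host, attaches a success/failure audit rule (SACL) to a folder that holds classified data, and then reads the resulting Security log events (ID 4663, "An attempt was made to access an object") back into a report of who touched which file with which process. The folder path, the function names and the default principal are my choices for the example; the event ID and its data fields are standard Windows ones. It must run in an elevated session, since both auditpol and writing SACLs require administrator rights.

```powershell
# Added example (not from the diary): enable and query file-access auditing on
# a folder holding sensitive data. Run elevated.
#Requires -RunAsAdministrator

# Step 1: turn on the "File System" object-access audit subcategory locally.
# At scale this is the domain GPO "Audit File System" under Advanced Audit Policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

function Add-SensitiveFolderAudit {
    # Attach a SACL to $Path so that reads, writes and deletes by $Principal
    # (default: everyone) generate 4663 events. Inherits to all children.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'Everyone'
    )
    $rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule    = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                          -ArgumentList $Principal, $rights, $inherit, $prop, $flags

    $acl = Get-Acl -Path $Path -Audit        # -Audit is needed to read/modify the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-SensitiveFileAccess {
    # Report 4663 events for objects under $PathPrefix in the last $Hours hours.
    param(
        [Parameter(Mandatory)][string]$PathPrefix,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']     # hex mask, e.g. 0x1 read, 0x2 write, 0x10000 delete
            Process = $d['ProcessName']
        }
    } | Where-Object { $_.Object -like "$PathPrefix*" }
}

# Example usage (folder name is an assumption for the example):
# Add-SensitiveFolderAudit -Path 'D:\Sensitive'
# Get-SensitiveFileAccess -PathPrefix 'D:\Sensitive' -Hours 8 | Format-Table -AutoSize
```

Note that file-system auditing on a busy share is noisy; restrict the SACL to the classified folders and the rights you actually care about, and forward the Security log to a central collector so the report survives if the host is wiped. The same pattern covers the "who prints what" question by querying the Microsoft-Windows-PrintService/Operational log (event 307) instead of Security 4663.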

3- Encrypt all external devices and identify who can transfer sensitive data

First, encrypting every external device used to copy sensitive data is a good idea: if it gets lost, the data cannot be accessed without the proper encryption key. Next, have a policy that identifies who can copy and save sensitive data on external media. As per Item #2, track, audit and report when that data was accessed or transferred and by whom.
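The host-side control behind this tip and the opening paragraph, as an added example that is not from the diary: a PowerShell script that sets the two Group Policy values that enforce "encrypt every removable drive, and only BitLocker-protected drives can be written to", reports every mounted removable volume with its BitLocker protection state, and encrypts a drive with a password protector. The registry paths are the ones the corresponding policies write (the GUID is the Removable Disks device setup class); the function names and the drive letter in the usage lines are my assumptions. Who may write at all is decided by which users or computers the policy is scoped to in your domain, so this script deliberately only handles the per-host part.

```powershell
# Added example (not from the diary): enforce and audit removable-drive
# encryption on a Windows host. Run elevated; the BitLocker module ships with
# Windows 8 / Server 2012 and later.
#Requires -RunAsAdministrator

# Written by the GPO "Deny write access to removable drives not protected by
# BitLocker" (Computer Configuration > Administrative Templates > Windows
# Components > BitLocker Drive Encryption > Removable Data Drives).
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Written by the GPO "Removable Disks: Deny write access" (Administrative
# Templates > System > Removable Storage Access). Use it for hosts/users that
# must never export data at all.
$RsaPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDrivePolicy {
    # -RequireBitLockerForWrite: unencrypted sticks mount read-only.
    # -DenyAllWrite: no writes to removable disks regardless of encryption.
    param([switch]$RequireBitLockerForWrite, [switch]$DenyAllWrite)

    if ($RequireBitLockerForWrite) {
        if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
        Set-ItemProperty -Path $FvePolicy -Name RDVDenyWriteAccess -Value 1 -Type DWord
    }
    if ($DenyAllWrite) {
        if (-not (Test-Path $RsaPolicy)) { New-Item -Path $RsaPolicy -Force | Out-Null }
        Set-ItemProperty -Path $RsaPolicy -Name Deny_Write -Value 1 -Type DWord
    }
    # Removable Storage Access policy is applied when a device arrives:
    # re-plug the drive (or reboot) after changing it.
}

function Test-RemovableDrivePolicy {
    # Audit helper: $true only if unencrypted removable drives are read-only.
    $v = Get-ItemProperty -Path $FvePolicy -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RDVDenyWriteAccess -eq 1)
}

function Get-RemovableDriveReport {
    # One row per mounted removable volume with its BitLocker state, so an
    # unprotected drive plugged into this host is visible at a glance.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $mp = "$($_.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        [pscustomobject]@{
            MountPoint       = $mp
            Label            = $_.FileSystemLabel
            SizeGB           = [math]::Round($_.Size / 1GB, 1)
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            EncryptionPct    = if ($bl) { $bl.EncryptionPercentage } else { $null }
        }
    }
}

function Protect-RemovableDrive {
    # Encrypt a removable volume with a password protector. Also back up the
    # recovery key somewhere the host cannot reach (AD, MBAM, a vault): a lost
    # password on an encrypted stick is lost data.
    param([Parameter(Mandatory)][string]$MountPoint)
    $pw = Read-Host -Prompt "Password for $MountPoint" -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw -EncryptionMethod Aes256
}

# Example usage (drive letter is an assumption for the example):
# Set-RemovableDrivePolicy -RequireBitLockerForWrite
# Test-RemovableDrivePolicy            # expect True once the policy is set
# Get-RemovableDriveReport | Format-Table -AutoSize
# Protect-RemovableDrive -MountPoint 'E:'
```

Writing these keys directly is what the local policy editor does; in a domain, a GPO will overwrite them at the next refresh, so use the script for auditing and lab work and push the setting itself through the domain GPO, scoped (by OU or security-group filtering) to the small set of users who are allowed to move data off the network. Pair the encryption requirement with the audit trail from Item #2: the policy tells you only encrypted drives left, the log tells you who copied what onto them.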

Is Data Privacy part of your Company's Culture? Do you feel the policy used to protect data within your organization is adequate?

[1] https://securingthehuman.sans.org/
[2] http://ec.europa.eu/justice/data-protection/reform/index_en.htm
[3] http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm
[4] https://technet.microsoft.com/en-us/magazine/2007.06.grouppolicy.aspx

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
