20 years ago, IT systems were huge mainframes and information was stored on tapes. These systems were considered to be in a closed environment – no firewall, no anti-virus protection, and you would definitely be noticed if you ever tried to share information between systems.
Today, the way we use information is drastically different. Every new technological advance brings a new set of security considerations, each with its own vulnerabilities, threats and risk levels. That’s why the Privacy Shield framework includes Security as a key pillar – it makes organizations responsible for taking reasonable and appropriate measures to protect data from loss, misuse, and destruction. Information security managers are constantly required to meet the fundamental principles of security: confidentiality, integrity, availability and traceability, what I refer to collectively as CIAT:
Confidentiality is the necessary level of secrecy which should be designated every time information or documents are created, updated, or transmitted. Think of confidentiality as having measures designed to prevent sensitive information from ending up in the wrong hands.
Integrity focuses on maintaining trustworthiness and ensures the accuracy and reliability of the information. For example, how do you prevent unauthorized users from altering data? It is common to assign permissions only to a handful of people, enable version control, and store data backups to prevent accidental deletion of information.
Availability puts more emphasis on systems, but it also covers reliable and timely access to data. Organizations have to put reasonable safeguards in place against data loss in unpredictable events such as system failure, natural disasters, or, as we have seen in recent cases, ransomware attacks. Having a backup copy of your data ensures your business can continue operating when such events occur.
Traceability, also known as an audit trail, is often a prerequisite for accountability. Traceability is ensured by keeping a detailed log of the actions performed by each user, who can then be held responsible on occasions such as:
- Suspicious activities from employees after business hours or on their last working day: Ex-employees tend to leave with company data on their last days of work. Having a solution that monitors and audits such suspicious activities could help prevent possible data leakage before it’s too late.
- Loss of data: Employee activities such as deleting important documents, intentionally or unintentionally, are commonly seen in eDiscovery or legal investigations.
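The two traceability scenarios above can be checked directly against an audit trail. The following is an added example, not part of the original article; the log layout, business hours, bulk threshold and the HR last-working-day feed are all assumptions made for illustration.

```python
from datetime import datetime, date, time

# Assumptions for this example (not from the article): business hours,
# the bulk threshold, the HR last-day feed and the log layout are hypothetical.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
BULK_THRESHOLD = 3  # downloads per user per day considered unusual
LAST_WORKING_DAY = {"bob": date(2024, 5, 17)}

# Constructed sample audit trail: timestamp, user, action, document
SAMPLE_LOG = """\
2024-05-16T10:12:00 alice download roadmap.docx
2024-05-16T23:41:00 alice download payroll.xlsx
2024-05-17T09:01:00 bob download clients.csv
2024-05-17T09:02:00 bob download contracts.zip
2024-05-17T09:03:00 bob download pricing.xlsx
2024-05-17T16:30:00 bob delete handover-notes.docx
2024-05-17T11:00:00 carol view roadmap.docx
"""

def parse(log):
    """Yield (timestamp, user, action, document) for each audit line."""
    for line in log.strip().splitlines():
        ts, user, action, doc = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), user, action, doc

def find_suspicious(log):
    """Return sorted (user, day, reason) findings from the audit trail."""
    findings, downloads = set(), {}
    for ts, user, action, doc in parse(log):
        day = ts.date()
        sensitive_action = action in ("download", "delete")
        # Scenario 1a: sensitive activity outside business hours
        if sensitive_action and not (BUSINESS_START <= ts.time() < BUSINESS_END):
            findings.add((user, day.isoformat(), "after-hours " + action))
        # Scenario 2: documents deleted by someone who is leaving that day
        if action == "delete" and LAST_WORKING_DAY.get(user) == day:
            findings.add((user, day.isoformat(), "delete on last working day"))
        if action == "download":
            downloads[(user, day)] = downloads.get((user, day), 0) + 1
    # Scenario 1b: many downloads on the user's last working day
    for (user, day), count in downloads.items():
        if count >= BULK_THRESHOLD and LAST_WORKING_DAY.get(user) == day:
            findings.add((user, day.isoformat(), "bulk download on last working day"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Each finding names the user, the day and the reason, which is the minimum an investigator needs to go back to the full log entry.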
You may trust your employees, but it’s always better to have more control where possible.
Best Practices for Data Security
As systems become more and more integrated into business and personal activities, unexpected interruptions (i.e. data breaches) have much more potential to severely disrupt our lives. Nowadays, information is worth as much as gold – or even more depending on the consequences you would face if the information were exposed. Data security is more than just having a password, anti-virus software, a firewall, or a shiny router. It establishes best practices that focus on protecting information throughout the entire lifecycle.
Privacy by Design
One best practice is to require adoption of these security measures as early as possible within company projects. Having Security and Privacy by Design is a key factor before implementing any of the CIAT criteria.
Privacy Impact Assessments
Understand how your employees are working with sensitive data on an everyday basis by using a Privacy Impact Assessment. Even the most common process, like sharing a document internally or outside of the organization, requires companies to know:
- Is the document classified as sensitive or confidential?
- Is the recipient supposed to have access or receive the document?
- For how long does the recipient need to have access to the document?
- Should the document be encrypted or read-only if it is opened from another country?
- Do we have any monitoring or tracing mechanisms to assess who did what and when?
An employee most likely wouldn’t have all the answers to the above questions, nor the time to go through such a repetitive process for every document. However, these requirements are usually driven by company policies that mandate a layered data protection solution that would accommodate CIAT requirements. These layers should include:
- Data Discovery and Data Analysis: Understand where your sensitive data lives to identify potential risk and protect confidential information.
- Data Classification: Classify data based on content sensitivity, criticality or confidentiality. Develop a security awareness that protects organizational assets via accountability, classification, and inventory.
- Data Loss Prevention: Apply security controls and integrity layers on data based on classification. Control access to information based on business requirements or on a need-to-know basis.
- Monitoring and reporting on any unusual user activities: Track whether user activity is aligned with the policies.
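The five sharing questions and the classification-driven controls above can be answered by an automated policy check instead of by each employee. The following is an added example, not part of the original article; the classification labels, maximum share durations, home country and field names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumptions for this example (not from the article): the labels, the
# maximum share durations, the home country and the field names are hypothetical.
MAX_SHARE_DAYS = {"public": 365, "internal": 90, "confidential": 14}
HOME_COUNTRY = "DE"

@dataclass
class ShareRequest:
    document: str
    classification: str      # result of the data classification layer
    recipient: str
    authorized: frozenset    # who may access this document (need to know)
    days_requested: int
    open_country: str        # where the recipient will open it

def evaluate_share(req, today, audit_log):
    """Answer the five sharing questions and return the controls to apply."""
    decision = {"allow": True, "controls": [], "expires": None, "reason": "ok"}
    limit = MAX_SHARE_DAYS.get(req.classification)
    if limit is None:  # Q1: unclassified data fails closed
        decision.update(allow=False, reason="document is not classified")
    elif req.classification != "public" and req.recipient not in req.authorized:
        # Q2: the recipient is not supposed to have access
        decision.update(allow=False, reason="recipient has no need to know")
    else:
        # Q3: access lasts no longer than the classification permits
        days = min(req.days_requested, limit)
        decision["expires"] = (today + timedelta(days=days)).isoformat()
        # Q4: encryption, plus read-only when opened from another country
        if req.classification == "confidential":
            decision["controls"].append("encrypt")
            if req.open_country != HOME_COUNTRY:
                decision["controls"].append("read-only")
    # Q5: traceability, every decision is recorded whether allowed or denied
    audit_log.append((today.isoformat(), req.recipient, req.document,
                      "allow" if decision["allow"] else "deny", decision["reason"]))
    return decision
```

Denied requests are logged as well as allowed ones, so the audit trail shows who tried to share what and when, not only what was actually shared.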
Organizations need to determine at an early stage which types of documents and information are critical and how they should be protected or handled, and make sure that everyone has a firm understanding of the CIAT criteria. More importantly, they need to understand how CIAT requirements directly relate to the company's needs. A Security or Privacy Impact Assessment should be the first step in implementing a successful information lifecycle management practice in conjunction with automated and measurable controls.