There is a new victim of identity theft every 2 seconds. With the plethora of personal data your business maintains, the last thing you want is to be the reason behind a data breach that causes someone’s identity to be stolen – whether that be a customer or an employee.

It’s vital to protect this data to ensure that not only your business remains protected, but your customers remain protected as well. Follow these three steps to safeguard your business’s valuable data:

Step 1: Identify the types of data that you must protect.

What type of information are you trying to protect? This is a decision that each organization makes in light of their business, regulatory requirements, etc. At a minimum, the data to be protected should include:

  • An individual's first name or first initial and last name
  • Social Insurance Numbers
  • Financial account numbers; credit or debit card numbers
  • Security codes, access codes, or passwords (e.g., a PIN) related to an individual’s financial accounts or credit/debit cards
  • Medical information (any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
  • Health insurance information (an individual's health insurance policy number or subscriber ID number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records)

Other information that you should consider protecting includes customer information, such as:

  • Taxpayer records
  • Customer transaction information, like order history, account numbers, etc.
  • Financial information, like account balances, loan history, and credit reports
  • Email addresses, passwords, phone lists, and home addresses (while these may not be independently sensitive, they become more sensitive when combined with one or more of the above data elements)

Or information related to business partners, like:

  • Vendors and business partners may provide some of the above information, particularly for subcontractors and independent contractors
  • All of the above types of information may also be received from commercial clients as a part of commercial transactions or services
  • Financial / sales projections, forecasts, M&A activity, and trade secrets

Step 2: Identify where the data is located

After you identify what information you plan to protect, you must know where the sensitive and confidential data is located. This checklist helps you identify places and equipment where you might find sensitive and confidential information. This list should help you think in broad terms about where to look for sensitive / confidential data.

This list includes devices that may pose a risk of unauthorized use/disclosure of sensitive data even if they do not directly contain the protected data. For example, a smartphone with a server password stored in its “contacts” could allow someone into the network if that smartphone is stolen. Also consider items stored away from the office, such as a flash drive at a worker's home; these devices should be evaluated for potential risk as well.

DEVICES


  • Computers
  • Laptops
  • Tablets
  • Servers
  • External Storage Arrays (e.g. Dell MD-3000)
  • Network-Attached-Storage (NAS) devices
  • Smartphones
  • Cameras
  • Voicemail Recordings
  • Routers
  • Video Surveillance Systems
  • Reader Devices (e.g. Kindle)
  • Music Players (e.g. iPod, mp3 player, etc.)
  • Digital Copy Machines
  • Scanners with a Storage Drive
  • Fax Machines
  • Phones (e.g. if phone numbers are logged)
  • Medical Devices with Local Storage (e.g. ultrasound machine, MRI machine, etc.)
  • Future Devices Not Yet on the Market
  • Any Other Device that may Store or Allow Access to electronic data

OFFLINE MEDIA

  • Compact Discs (CD-ROMs, such as copies of radiographs)
  • DVDs
  • Thumb Drives, a.k.a. Flash Drives
  • External Hard Drives such as USB, eSATA, or Firewire
  • Backup Tapes
  • SAN Disks (e.g., storage for cameras)
  • Smart Cards (used for secure log-in in some organizations)
  • Encryption Keycards
  • Door Keycards
  • Floppy Disks
  • Iomega Disks
  • Hard Drives (e.g. secondary backup drives or stored hard drives from old computers)
  • Any Other External Media Type

OFF-SITE SERVICES

  • Off-site Backup Servers
  • Off-site Hosted Services
  • Websites
  • FTP Sites
  • E-mail Spam Filtering Services
  • Web Filtering Services
  • Any Other Off-site Service that may be Relevant

DATA IN TRANSMISSION

  • Internal e-mail
  • External e-mail
  • FTP
  • Web Traffic
  • WebDAV
  • Peer-to-Peer File Sharing
  • File Sharing (LAN-based, such as between workstations and a server)
  • SQL or Other Database Traffic
  • Any Other Type of Data Transmission

REMOTE ACCESS

  • Webmail
  • POP3 e-mail
  • IMAP e-mail
  • Outlook Anywhere e-mail
  • ActiveSync e-mail Syncing to a Phone
  • BlackBerry Enterprise Server
  • Remote Desktop
  • Terminal Server
  • VPN
  • GoToMyPC
  • LogMeIn
  • TeamViewer
  • PCAnywhere
  • VNC
  • Web portal
  • Any Other Type of Remote Access

Step 3: Implement Controls to Protect Data


Depending on the data you are protecting along with where that data is being stored, you can decide on how to protect that data using one of the below types of controls:

Administrative Controls

Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information, by such means as training and awareness, disaster preparedness, and recovery plans.

Provide Workforce Training
  • Online Training
  • Training Guides
  • Awareness Posters
Implement Policies & Plans to Mitigate Risks
  • Backups & Retention Policy
  • Business Continuity Policy
  • E-mail Policy
  • Human Resources Security Policy
  • Information Classification Policy
  • Information Security Policy
  • IT Document Management Policy
  • Security and Confidentiality Acknowledgment
  • Data Backup Plan Development Guide
  • Disaster Recovery Plan Development Guide
  • Emergency Mode Operations Plan Development

Technical Controls

Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. A wide variety of technologies and technical protocols are available and recommended for establishment and maintenance of a strong information security program.

Implement Policies & Plans to Mitigate Risks
  • Information Classification Policy
  • Password Management Policy
  • Protection Against Malicious Programs Policy
  • Vulnerability Management Policy
  • Access Control Policy
  • Patch Testing Policy

Physical Controls

Physical controls are the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Protecting sensitive data involves a variety of physical components, including facility access controls, workstation use and security, and hardware management.

Implement Policies & Plans to Mitigate Risks
  • Personal Mobile Device Security Policy
  • Removable Media Policy
  • Physical Security Policy
  • Hardware Management Policy
  • Acceptable Use Policy

Cybercrime continues to be a major concern in every industry. Your business must be proactive, not reactive, about cyber attacks and data breaches. Protecting your data is one way to do so.

Another way to protect your data is with a Rockford Mutual Businessowners policy, which comes with our state-of-the-art CyberWay coverage. An added benefit of our CyberWay coverage is having 24/7 access to sample policies, procedures and training documents for yourself and your team! Ask your local Rockford Mutual Insurance Agent for more information today!


*All above recommendations were created by our cyber liability partner, NAS Insurance.

Amy Casey
Social Media & Communications Coordinator
Amy joined Rockford Mutual in January of 2017 with an Associate's Degree in Marketing. Amy has a great understanding of insurance in general, as she is currently working towards an Associate in General Insurance designation.