Several elements of data security

Summary: As more bills are introduced across the United States, the measures enterprises must take to avoid costly regulatory fines only become more complicated. Data protection regulations will keep getting stricter, so you need to make sure the best interests of your customers are always kept in mind.

Since the EU's General Data Protection Regulation (GDPR) came into force, California and New York have passed the California Consumer Privacy Act (CCPA) and the Stop Hacks and Improve Electronic Data Security (SHIELD) Act respectively. Data protection legislation is still pending in 12 other states, and that number is expected to grow.
As more bills are introduced across the United States, the measures enterprises must take to avoid costly regulatory fines only become more complicated. If you can answer the questions below, you will sleep better at night. Those who have already planned for attacks, or who are implementing these guidelines, can be confident that their business keeps the best interests of its customers in mind.

1. Have you integrated "privacy and security by design" into your environment?

Implementing privacy and security by design is a way to build privacy and data protection into an initiative from the start. The approach follows seven principles, which are applied step by step across the IT and business environments. Advocating for privacy and security early, especially in the technical, operational and network-architecture design process, ensures that you build proven processes into the whole design lifecycle.

2. Is sensitive data encrypted in transit and at rest?

Encryption keys are essential for protecting data both while it is processed and while it is stored. The level of key management should match the sensitivity of the functions the keys serve. I strongly recommend rotating encryption keys regularly and storing them separately from the data they protect. Data is most exposed when it moves across a boundary, so information needs strong encryption in transit as well as at rest.

3. Is data access granted on a need-to-know basis?

Data should always be classified as sensitive or non-sensitive, and sensitive data should be accessible only to authorized employees with a legitimate business reason. Role-based permissions and "need-to-know" restrictions help protect your data. Always use individual, non-shared user names and passwords together with multi-factor authentication, so that each user is verified. In addition, access rights should be reviewed at least once a year to ensure that the right people have the appropriate access.

4. Is there a disaster recovery and backup environment?

In today's digital world, a disaster recovery (DR) and backup environment is a must. DR and business continuity (BC) plans must be in place, and all stakeholders should be informed of their roles. DR and BC plans should be tested once a year and the lessons learned recorded. Keeping the production and backup locations hundreds of miles apart improves data security when a natural or man-made disaster strikes.

5. Are vulnerability, risk, penetration and other audit assessments carried out?

Assessments should run throughout the year. Your team should assess the information systems and the operating environment area by area. It is very important that all assets (internal and external) are included in these assessments. Your analysis should be completed in five steps:

      Identify and prioritize assets

      Identify threats

      Identify vulnerabilities

      Analyze controls

      Understand the likelihood of events occurring, and the impact a threat could have on your systems

6. Is there a process for deleting or destroying data?

No matter who handles your data, you should have a data retention plan. The plan ensures that data is deleted within a defined time frame. Once the retention plan is set and you know what can be deleted, follow security best practices for the deletion and destruction of data. Following industry standards such as those of the National Institute of Standards and Technology (NIST) ensures that your employees know how and when to destroy and delete data. Any data sanitization method that complies with the NIST SP 800-88 guidelines should be acceptable.
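The following is an added example in Go (not code from the original article) that ties the key-handling advice of question 2 to the retention process of question 6. Each record is encrypted under its own data key (DEK); the DEK is wrapped under a key-encryption key (KEK) held in a separate key store; rotating the KEK only re-wraps the small DEKs rather than re-encrypting the data; and when a record passes its retention deadline its wrapped DEK is discarded, so the ciphertext can never be decrypted again. That last step is cryptographic erase, one of the techniques NIST SP 800-88 Rev. 1 describes; whether it is sufficient for a given medium depends on how the keys were handled, which the standard treats as a policy decision. The in-memory KeyStore, the Record layout and the function names are assumptions made for illustration; in production the key store would be an HSM or a cloud KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Record is a stored item: ciphertext, its data key (DEK) wrapped under a KEK version, and a retention deadline.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte // nil once the record has been cryptographically erased
	KEKVersion int
	Expires    time.Time
}

// KeyStore is a hypothetical in-memory stand-in for a key service run apart from the data
// store (HSM or cloud KMS). Versions count from 1 and the highest is current; call Rotate first.
type KeyStore map[int][]byte

func (ks KeyStore) Rotate() { ks[len(ks)+1] = randBytes(32) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes (AES-256); anything else is a bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal: AES-256-GCM with the random nonce prepended; open reverses it, and the GCM tag rejects a wrong key or tampering.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Encrypt uses a fresh DEK per record: data under the DEK, DEK under the current KEK.
func Encrypt(ks KeyStore, plaintext []byte, expires time.Time) *Record {
	dek := randBytes(32)
	return &Record{Ciphertext: seal(dek, plaintext), WrappedDEK: seal(ks[len(ks)], dek), KEKVersion: len(ks), Expires: expires}
}

// unwrapDEK recovers the plaintext DEK; it fails for an erased record or an unknown KEK version.
func unwrapDEK(ks KeyStore, r *Record) ([]byte, error) {
	kek, ok := ks[r.KEKVersion]
	if r.WrappedDEK == nil || !ok {
		return nil, errors.New("data key unavailable: record erased or KEK version missing")
	}
	return open(kek, r.WrappedDEK)
}

func Decrypt(ks KeyStore, r *Record) ([]byte, error) {
	dek, err := unwrapDEK(ks, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// Rewrap moves a record onto the current KEK: only the small wrapped DEK is re-encrypted, not the bulk ciphertext.
func Rewrap(ks KeyStore, r *Record) error {
	dek, err := unwrapDEK(ks, r)
	if err != nil {
		return err
	}
	r.WrappedDEK, r.KEKVersion = seal(ks[len(ks)], dek), len(ks)
	return nil
}

// Expire enforces retention: past-deadline records lose their wrapped DEK, so the ciphertext is unrecoverable (cryptographic erase).
func Expire(records []*Record, now time.Time) (erased int) {
	for _, r := range records {
		if r.WrappedDEK != nil && !now.Before(r.Expires) {
			r.WrappedDEK = nil
			erased++
		}
	}
	return erased
}
```

Two caveats a practitioner should keep in mind. First, the nonces are random, and NIST SP 800-38D limits a single AES-GCM key to 2^32 random-nonce encryptions; a DEK is used once here, but the KEK wraps every record, which is one concrete reason the article's advice to rotate keys matters. Second, cryptographic erase only works if no plaintext copy of the DEK or the data survives elsewhere (backups, logs, caches), so the retention plan has to cover those copies too.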

7. Have you established a data breach incident response team and plan?

Your business should have a robust incident response (IR) and data breach program, and it should be tested annually. The IR team should be responsible for managing the IR process: stopping the attack and preventing further loss when an incident occurs, making improvements so that the attack cannot happen again, and reporting the results of any security incident.
Your plan should be developed by leaders inside your organization and cover the following three phases:

      Phase 1: detection, classification and assessment.

      Phase 2: containment, evidence collection, analysis and investigation, and remediation.

      Phase 3: repair, recovery and lessons learned. Customers must be notified promptly, and the terms should be detailed in your agreements with them.

8. Do you log security events?

You should enable logging to establish a sufficient audit trail for all access to sensitive data. Logging should be done at the application level. Audit trails should be generated automatically so that system events can be reconstructed, and they should be protected from modification by any means. File integrity monitoring should be used to help ensure the confidentiality, integrity and availability of all customer data.
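As an added example (in Go, not code from the original article), here is one way to build the "protected from modification" property into an application-level audit trail: every entry carries an HMAC over its own fields and the previous entry's tag, so editing, deleting or reordering an earlier entry, or re-tagging with the wrong key, is detected when the chain is verified. The latest tag (the head) is meant to be copied somewhere the log writer cannot alter, such as a SIEM, so that truncating the file is detected as well. The line format, field names and sample events are constructed for illustration, and fields are assumed not to contain the `|` separator; the HMAC key must be kept outside the log store.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Entry is one audit record for an access to sensitive data. Tag is an HMAC
// over the entry's fields and the previous entry's tag, which chains entries.
type Entry struct {
	Seq    int
	Time   string
	Actor  string
	Action string
	Object string
	Tag    string
}

// AuditLog appends entries. The key lives outside the log store (a KMS or the
// logging host's own secret), so whoever can edit the log cannot re-tag it.
type AuditLog struct {
	key     []byte
	entries []Entry
}

// tag computes the chain HMAC for e given the previous entry's tag.
func tag(key []byte, e Entry, prev string) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d|%s|%s|%s|%s|%s", e.Seq, e.Time, e.Actor, e.Action, e.Object, prev)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an event. Fields are assumed not to contain '|' (constructed inputs).
func (l *AuditLog) Append(ts, actor, action, object string) Entry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Tag
	}
	e := Entry{Seq: len(l.entries), Time: ts, Actor: actor, Action: action, Object: object}
	e.Tag = tag(l.key, e, prev)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy, as a reader of the log file would get it.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Head is the latest tag; store it out of band (e.g. forward it to a SIEM) so
// that truncation of the log file is detectable.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return ""
	}
	return l.entries[len(l.entries)-1].Tag
}

// Line formats an entry as one text line for the log file.
func (e Entry) Line() string {
	return fmt.Sprintf("%d|%s|%s|%s|%s|%s", e.Seq, e.Time, e.Actor, e.Action, e.Object, e.Tag)
}

// ParseLine reads an entry back from a log line.
func ParseLine(line string) (Entry, error) {
	f := strings.Split(line, "|")
	if len(f) != 6 {
		return Entry{}, fmt.Errorf("malformed audit line: %q", line)
	}
	seq, err := strconv.Atoi(f[0])
	if err != nil {
		return Entry{}, err
	}
	return Entry{Seq: seq, Time: f[1], Actor: f[2], Action: f[3], Object: f[4], Tag: f[5]}, nil
}

// Verify recomputes the chain. It returns -1 if the log is intact, the index of
// the first entry that was altered, deleted or reordered, or len(entries) when
// the log was truncated (its last tag no longer matches head; pass "" to skip).
func Verify(key []byte, entries []Entry, head string) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || !hmac.Equal([]byte(tag(key, e, prev)), []byte(e.Tag)) {
			return i
		}
		prev = e.Tag
	}
	if head != "" && prev != head {
		return len(entries)
	}
	return -1
}

func main() {
	l := &AuditLog{key: []byte("constructed demo key; keep the real one in a KMS")}
	l.Append("2019-08-13T10:00:00Z", "alice", "read", "customers/42")
	l.Append("2019-08-13T10:05:00Z", "bob", "export", "customers/*")
	fmt.Println(Verify(l.key, l.Entries(), l.Head())) // -1: intact
}
```

A chain like this detects tampering after the fact; it does not prevent it, and an attacker who obtains the HMAC key can rebuild the chain. That is why the key belongs outside the log store and why the head should be forwarded to a system the application host cannot write to. File integrity monitoring of the log file is a complementary control, not a replacement: it tells you the file changed, the chain tells you which entry.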

9. Do you keep your privacy policy up to date?

Your business needs to know in advance what information it is collecting. You should strictly follow the latest security and privacy regulations to avoid legal problems. If your organization collects any data about customers (for example IP address or location), your privacy policy must apply to all customers. Your privacy policy should take into account all major stakeholders: the legal team, the marketing team, and the security concerns involved.


Reposted from: https://www.linuxprobe.com/several-elements-of-data-security.html


Source: www.cnblogs.com/it-artical/p/11349817.html