We’ve begun to see news headlines where organisations receive fines for lack of adequate data protection. Regulators will never be able to police every non-compliant company, so what’s the data protection regulation for in most cases?
While the GDPR is an enforcement framework, it is also a set of guiding principles that you can use to build a data protection framework. This is why we think the GDPR is really about “Getting Data Protection Right”.
We’ve studied the regulation and used it to create a framework consisting of nine pillars of data protection. If you travel naturally down the path of GDPR compliance and implement these nine pillars, you’ll improve your business’s data handling as well as reduce the possibility of being sanctioned. In this article, we look at the fifth pillar: Data Security Policies. We’ll review the different types of data security policies and offer a solution for generating them.
Documenting security configurations, OS configurations, and other IT configurations is the work of security managers or security engineers. These tasks sound unproductive, but they’re vital. Why?
In our world, where even the smallest companies use technology to do their day-to-day work, it’s better to record and track the configuration of that technology to ensure the smooth running of the business. The practice of documenting has several benefits:
Computer hacking via weak or stolen passwords tops many lists of cybercrime methods, and it’s a common cause of data breaches. Hence, it’s always advisable to create robust policies for password use.
A useful password policy should consider:
Account management policies are broader in scope than password policies. They cover topics such as account-user access and levels of access, the principle of least privilege for new account creation (only giving access to minimum and required resources), and multi-factor authentication. Password policies often feature as a subset of account management policies.
As part of an efficient data-protection framework, companies need policies in place which govern the use and configuration of antivirus software, firewalls, and databases. Let’s take a quick look at each of these.
Antivirus policies for workstations and servers control the software in various ways:
The role of antivirus software is to disable the tools hackers use to infiltrate your computer or network. For more direct attacks such as SQL injections, businesses put firewalls in place.
Firewalls come in two main forms: network-based and host-based. The latter is installed directly on individual PCs as software, while the former resides in the cloud or on a dedicated server and filters traffic between the Internet and a LAN. A firewall policy defines how a firewall should handle various types of traffic and which firewall features are enabled or disabled.
Best practice for creating a firewall ruleset is to block traffic by default and be as precise as possible about who can access what using available parameters (e.g. source and destination IP addresses, destination port). The same “principle of least privilege” applies here as elsewhere.
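To make the default-deny point concrete, here is a small first-match ruleset evaluator written for this article (it is an added example, not code from the original post or from any firewall product). The addresses, networks and ports are constructed from documentation ranges; the same two least-privilege rules are evaluated once under a default-allow policy and once under default-deny, so you can see exactly which traffic only the latter stops.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule: source network, destination network, destination port, action."""
    src: str
    dst: str
    dport: Optional[int]  # None means "any destination port"
    action: str           # "accept" or "drop"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], default: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; the default policy decides anything not listed."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


# Constructed least-privilege ruleset: only the access the business actually needs.
# 203.0.113.10 is the (hypothetical) web server, 10.0.0.0/24 the admin LAN.
LEAST_PRIVILEGE_RULES = [
    Rule("0.0.0.0/0", "203.0.113.10/32", 443, "accept"),   # public HTTPS to the web server
    Rule("10.0.0.0/24", "203.0.113.10/32", 22, "accept"),  # SSH only from the admin LAN
]


def decide_default_allow(src_ip: str, dst_ip: str, dport: int) -> str:
    """Weak setting: anything not explicitly listed is let through."""
    return evaluate(LEAST_PRIVILEGE_RULES, "accept", src_ip, dst_ip, dport)


def decide_default_deny(src_ip: str, dst_ip: str, dport: int) -> str:
    """Best-practice setting: anything not explicitly listed is dropped."""
    return evaluate(LEAST_PRIVILEGE_RULES, "drop", src_ip, dst_ip, dport)
```

Run it against a few packets: HTTPS from anywhere and SSH from the admin LAN pass under both policies, but SSH or a database port from an Internet address is only stopped by the default-deny ruleset.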
The security policies for a database may encompass many areas, including these:
For many businesses, designing good security policies is a challenge. And yet they’re crucial for companies of all sizes. You need to make sure your policies are appropriate to your risks, define them, implement them, and communicate the procedures and best practices to staff so they are aware of their responsibilities.
While it’s not possible to create high-quality security policies automatically, using our templates can be your point of departure. They will make generating data-protection and acceptable-use policies easier by making sure you’ve at least considered standard practices. Get started today by booking a demo!