Advertisement
Promo

Compliance Toolkit

Keep your sensitive data secure

Mike Mullins

Published: 06 Jul 2006 15:35 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Is your organisation responsible for complying with one or more of the many privacy-related pieces of legislation that have been introduced over the past decade? It's a good bet that it is.

Whether it's the Health Insurance Portability and Accountability Act (HIPAA), which addresses healthcare information, the Gramm-Leach-Bliley Act (GLBA), which addresses financial information, or even the Family Educational Rights and Privacy Act (FERPA), which addresses education information, chances are that one of these affects your organisation in some way.

Compliance is nothing to fool around with, and it's imperative that your organisation understands its responsibilities for safeguarding protected data. Protected data is any information that someone could use to identify an individual. Information protected by legislation can include:

  • Salary and fringe benefits (except for federal employees)
  • Terms of employment (including performance and disciplinary records)
  • Academic and educational history
  • Criminal investigation and arrest history
  • Employment history (including general or security clearance information)
  • Biographical history
  • Social Security information
  • Identification codes
  • Personnel profile (including home address and phone number)
  • Medical history

Your organisation's network obviously contains and/or processes protected sensitive information. Unauthorised disclosure of such sensitive information could adversely impact your organisation with both civil and criminal liabilities. To protect yourself and your company, it's vital that you implement some extra precautions.

Administrator responsibilities
If you're responsible for the security of your company's network, then you're also responsible for overseeing the day-to-day collection, storage and use of personal data subject to such legislation. You must apply adequate data security safeguards to protect data from the following:

  • Inappropriate disclosure
  • Improper use
  • Access by unauthorised or unapproved users
  • Data tampering

Individuals who fail to follow specific requirements can face large fines for violations, as well as misdemeanour charges. That's one more reason your organisation needs to take appropriate security measures to protect sensitive information. But don't forget that security measures, no matter how solid, are only as good as the educated employee who wants to do the right thing.

Employee responsibilities
An organisation's users are potentially the weakest link in your security efforts. You've heard it before, but it's worth repeating: Educate your users.

To better protect sensitive data, train all users to do the following:

  • Label all media (for example, discs and documents) containing sensitive information
  • Securely store sensitive information
  • Immediately notify supervisors of any security breach
  • Don't send unencrypted sensitive information via email
  • Log off or use a screen saver with a password when leaving workstations unattended
  • Erase all data from hard disks before sending PCs off-site for maintenance
  • Store data on network drives instead of workstations
  • Be on the lookout for hardware keystroke loggers

Final thoughts
Privacy-related legislation grew out of a concern over the potential misuse of the vast amounts and types of personal information collected and maintained on corporate networks, which store, manipulate and transmit the data for a variety of reasons. Don't become a statistic in the news by mishandling protected information — protect that information with adequate safeguards, and train your users to do the same.

Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Centre.

 

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
70 out of 191 people found this useful


Full Talkback thread

0 comments

Company/Topic Alerts

Create a new alert from the list below:





Video icon

Video

Cloud Watch Special Report

Five cloud computing myths exploded

Five cloud computing myths exploded

Analysis The cloud is providing a fertile habitat for the marketeers and their exaggerated claims. We examine the hokum and debunk the five most frequently peddled misconceptions about the cloud

More Special Reports

Sentry Posts Blog

DNA details of innocent will be kept f...

The government has announced that it plans to keep innocent people's DNA details for up to six years. In response to a consultation it launched last December, the government said... More

1 comment

Motorola Droid Drops Today: Happy Droi...

Motorola Droid Drops Today: Happy Droid Day America! Author: Eric Everson, Mobile Security Expert If you’re wondering what all of the buzz is about with words like Droid and Android... More

Post a comment

Mobile Security Profile: BlackBerry St...

Mobile Security Profile: BlackBerry Storm2 Author: Eric Everson BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data,... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters