The first step in securing your customers' and employees' private information is knowing what you collect and who has access to it. You need to list all the data you collect – account numbers, credit card numbers, email addresses, bank account information, birth dates, Social Security Numbers and other sensitive information. Inventory all computers, notebooks, flash drives, disks, backup tapes, home computers, smartphones, digital copiers and printers, digital fax machines, desk drawers and desktops, filing cabinets, briefcases, home offices and other equipment.
Then you need to trace how the information flows through your organization. Start with how information is collected and follow each item to its final storage. Who sends it to you, and how? Where is it kept at each point in the process, and for how long? Who touches and sees it? Does an application sit in an in-box on a desk?
Determine which employees need access to each piece of information. Then create policies and procedures to limit access to only those authorized employees. Look for points in the information flow where unauthorized people might be able to see it – other employees, customers, the cleaning crew and third-party outsourced companies.
Once you know what you have and who has access to it, you should also consult with your attorney. Are there any laws you need to be compliant with for your industry?
You cannot secure what you don’t know you have.