Roadmap to Data Privacy Compliance
For organizations storing Personally Identifiable Information (PII) or Protected Health Information (PHI), a security audit may be on the horizon. Companies that are concerned about how they protect their sensitive data, or that are just beginning to protect it, may need some guidance on how to create a comprehensive data security plan for their organizations to meet compliance regulations such as PCI DSS, state regulations, and the proposed federal regulations. I recently sat down with Patrick Townsend, CEO & Founder of Townsend Security, to discuss the steps an organization should take when re-evaluating or embarking on a data security project.
A Roadmap to a Comprehensive Data Security Plan:
1. Develop a Data Security Plan based on these questions:
a. What are my organization’s policies and procedures around data protection?
b. Where does our data live?
c. Who has access to our data vs. who should have access to our data?
d. Do we conduct routine vulnerability scans?
e. Do we use proper system logging, encryption and key management?
2. Get an IT Security Assessment
a. Perform a data security assessment with an in-house consultant, security audit firm, or platform vendor to evaluate your current security posture.
b. Find the location of all sensitive data.
c. Evaluate the security of your tape encryption.
3. Implement your Security Plan with proper encryption and key management so that you can answer “yes” to all of these questions:
a. Is our encryption industry standard and NIST certified?
b. Is our key management FIPS 140-2 compliant?
c. Are we storing our encryption keys on a separate HSM?
d. Are we using dual control and separation of duties to reduce audit points of failure?
Once you have completed these steps, your data security posture will improve dramatically. For more information from Patrick Townsend on data security and compliance, watch this webinar “Four Solutions for Data Privacy Compliance”.