Weak data security and compliance practices make a ransomware attack easier to pull off and more expensive when it succeeds. As Sophos recently reported, some attackers are shifting to extortion-style attacks: instead of simply encrypting files, they steal the data first and threaten to publish it unless a ransom is paid. That puts the victimized organization on the hook for regulatory fines on top of the damage to its brand, and it means backups alone no longer make the problem go away.
For this and many other reasons, compliance and information security are closely intertwined, placing even more importance on data privacy compliance as a core pillar of every security strategy.
Here’s a short list of some best practices to help your company achieve compliance and stay out of the hands of ransomware evildoers.
1. Create a compliance framework. A security or incident response framework explains how to detect, respond to, and recover from incidents. In a similar way, a compliance framework offers a structure for addressing all compliance regulations that relate to an organization, like how to evaluate internal compliance and privacy controls. A framework also helps identify the data, such as personal or sensitive data, that requires more stringent security protocols.
2. Define policies regarding what data is collected and why. This step is part of creating a framework. There are many reasons to document the what and the why of data collection. Regulators may require that such policies are spelled out; if the data comes from consumers, there may be even more stringent requirements for detailing collection policies (see #4 below).
3. Create privacy policies. Be very clear with your customers about what data is being collected, what you’re using it for, and how it is being stored and for how long. Also, be clear with customers about how they can request access to their personal data or request to “be forgotten” and have their data removed from your systems.
4. Step up the commitment to disclosures. Share, post, and maintain publicly available privacy policies. See how we do it at Pure Storage®. We detail where we get data and what we do with it.
5. Stay on top of the latest government regulations that impact compliance. A “privacy by design” operating model can help you keep up with and adjust to constantly changing regulations. It means that you’re building privacy into the design and operation of IT systems, infrastructure, and business practices—instead of trying to bolt it on after the fact. (It’s how we build our Pure Storage solutions.)
6. Solidify data retention and removal policies. This step is critical. Retention schedules dictate how long data is stored on a system before being purged, and schedules can vary by industry. The mark of a compliant, mature, and secure business is one that develops solid data retention and removal policies that are continually reviewed.
7. Choose a data encryption protocol. Establish what kind of data encryption to employ and where: at rest (storage arrays, databases, backups), in transit (TLS between services and to clients), and who holds and rotates the keys. The decisions may vary depending on where data resides, on-premises or in the cloud. Two caveats matter for compliance. First, encryption at rest protects stolen disks and backups, but not data read through a compromised application or account that is already authorized to decrypt it, which is exactly how the extortion attacks described above exfiltrate data. Second, GDPR treats encryption as a mitigating control: Article 34(3)(a) waives the duty to notify affected individuals when the breached data was rendered unintelligible to unauthorized parties, for example by encryption, and the keys were not exposed. This white paper from Pure Storage and IDC can fill you in on the particulars of data encryption relating to GDPR.
8. Talk to your CISO about network controls. Since compliance is closely related to security, bring your CISO into conversations about network appliance configuration, least privilege access control, event logging, and multifactor authentication.
9. Pseudonymize or anonymize sensitive data. Where regulation or your own policy requires it, reduce the exposure of personally identifiable information with masking, tokenization, or keyed hashing. Be precise about what each buys you. Masking, tokenization, and hashing produce pseudonymous data: the original value can be recovered by whoever holds the token vault or the key, or re-linked through the remaining fields, so GDPR still treats the result as personal data (Article 4(5)). Only data that can no longer be tied to an individual by any reasonably likely means counts as anonymized and falls outside GDPR's scope, and that usually requires generalization or aggregation rather than substitution. Also avoid plain, unkeyed hashes over low-entropy fields such as phone numbers, national ID numbers, or email addresses: the space of possible inputs is small enough to enumerate, so the hash can be reversed.
10. Document how you’ll notify all parties affected by a breach. Under GDPR, such notifications are mandatory: the supervisory authority must be notified within 72 hours of becoming aware of the breach (Article 33), and affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them (Article 34). You definitely want the notification process to go off without a hitch.¹ Decide in advance who’s responsible for getting the word out, what facts the notice must contain, how you’re resolving the issue, and what you’re doing to prevent breaches from happening again.
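To make the distinction in item 9 concrete, here is an added example (not code from the original post or from Pure Storage) that applies masking, tokenization, keyed hashing, and generalization to one constructed customer record, and then plays the attacker’s side to show why an unkeyed SHA-256 over a phone number is reversible while an HMAC with a secret key is not. The record, the `555-` phone prefix, and the `tok_` token format are assumptions made up for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample record for the demonstration; not real personal data.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "phone": "555-0123",
    "zip": "94105",
}


def mask_email(address: str) -> str:
    """Masking: keep the first character of the local part and hide the rest.
    Still personal data (domain and first letter survive), but fine for
    support screens and logs that do not need the full address."""
    local, _, domain = address.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def generalize_zip(zip_code: str) -> str:
    """Generalization: collapse a 5-digit ZIP to its 3-digit prefix. This is
    the only transform here that moves toward anonymization, because nothing
    is retained that would let anyone reverse it."""
    return zip_code[:3] + "**"


class Tokenizer:
    """Tokenization: replace a value with a random surrogate and keep the
    mapping in a separate vault. Reversible by whoever holds the vault, so
    the output is pseudonymous, not anonymous."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}     # token -> original value
        self._by_value: Dict[str, str] = {}  # original value -> token (stable tokens)

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)  # hypothetical token format
        self._vault[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Looks one-way, but see brute_force_phone()."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key an attacker cannot
    test guesses, so enumerating the input space no longer works."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def brute_force_phone(digest: str, prefix: str = "555-", width: int = 4) -> Optional[str]:
    """Attacker's view: a phone number with a known prefix has only 10**width
    possibilities, so a plain hash of it is reversed by trying them all.
    Returns the recovered number, or None if no candidate matches."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if plain_hash(candidate) == digest:
            return candidate
    return None


def pseudonymize_record(record: dict, key: bytes, tokenizer: Tokenizer) -> dict:
    """Apply one transform per field. The result is pseudonymous data and is
    still personal data under GDPR for as long as the key and vault exist."""
    return {
        "name": tokenizer.tokenize(record["name"]),
        "email": mask_email(record["email"]),
        "phone": keyed_hash(record["phone"], key),
        "zip": generalize_zip(record["zip"]),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice lives in a KMS/HSM, never beside the data
    vault = Tokenizer()
    out = pseudonymize_record(SAMPLE_RECORD, key, vault)
    print(out)
    print("plain hash reversed to:", brute_force_phone(plain_hash(SAMPLE_RECORD["phone"])))
    print("keyed hash reversed to:", brute_force_phone(out["phone"]))
```

Running it prints the transformed record, then shows the plain SHA-256 of the phone number recovered after at most ten thousand guesses and the HMAC digest not recovered at all. The point for compliance is that the keyed hash is only as strong as the secrecy of the key and the tokens only as strong as access to the vault, so both belong under the same access controls and retention schedule as the original data.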
Leveraging data comes with immense opportunity, but it also comes with responsibility. If your business is a believer in the “data is the new oil” piece of wisdom, then you also need to embrace compliance—because, without it, the data may not be yours for much longer.
Download 10 Questions to Ask Your CISO or Privacy Officer to make sure your data security policies are dialed in from every angle.