My Data ...
(Continued from page 23)
2. Data Encryption. Effective, enterprise-wide data encryption wherever your data is stored,
transmitted (e.g. email), accessed or located on portable devices (laptops, thumb drives, cell
phones, backup tapes, etc.) is a requirement and traditionally has a 70 to 1 return on your
protection investment.
3. User Access Control and Regular Access Recertification. Your users are your single greatest
data strength if adequately trained and audited and your largest weakness if they are not.
Use a process of least rights; i.e. the person accessing the data should only be able to interact
with the data required to complete their documented job description – no more, no less.
Don’t forget to include the personnel with enhanced access, those with superuser, domain or
administrator levels of access, as they hold all the keys to your data. People move and change
jobs within an organization, so it is critical to re-certify all users’ access on an ongoing basis.
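The least-rights rule and the ongoing recertification described above can be checked mechanically against a documented role catalogue. The following is an added example, not code from the original article or from LeadingAge NY; the roles, entitlement names, user records and review date are constructed sample data, and the 365-day standard and 90-day privileged recertification windows are assumed values, not requirements stated by the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Documented job descriptions mapped to the entitlements they justify.
# Constructed sample catalogue, not any organization's real role data.
ROLE_ENTITLEMENTS = {
    "billing_clerk": {"billing_app:read", "billing_app:write"},
    "nurse": {"ehr:read", "ehr:write", "med_cabinet:open"},
    "sysadmin": {"ad:domain_admin", "backup:restore", "ehr:admin"},
}

# Entitlements that "hold all the keys": superuser, domain or admin level.
PRIVILEGED = {"ad:domain_admin", "ehr:admin", "backup:restore"}


@dataclass
class UserAccess:
    username: str
    role: str                 # current documented job description
    entitlements: set         # what the user can actually reach today
    last_recertified: date    # last time a manager attested to this access


def excess_entitlements(user, roles=ROLE_ENTITLEMENTS):
    """Entitlements the user holds that the documented role does not justify."""
    return user.entitlements - roles.get(user.role, set())


def recert_due(user, today, standard_days=365, privileged_days=90):
    """Privileged holders are re-certified more often (assumed windows)."""
    window = privileged_days if user.entitlements & PRIVILEGED else standard_days
    return today - user.last_recertified > timedelta(days=window)


def recertification_report(users, today, roles=ROLE_ENTITLEMENTS):
    """Return (username, finding, detail) tuples for a manager to act on."""
    findings = []
    for u in users:
        excess = excess_entitlements(u, roles)
        if excess:
            findings.append((u.username, "excess_access", sorted(excess)))
        if recert_due(u, today):
            findings.append((u.username, "recert_overdue",
                             u.last_recertified.isoformat()))
    return findings


# Constructed sample users: alice moved from nursing to billing but kept
# EHR write access; bob is a domain admin whose attestation is stale.
REVIEW_DATE = date(2016, 9, 1)
SAMPLE_USERS = [
    UserAccess("alice", "billing_clerk",
               {"billing_app:read", "billing_app:write", "ehr:write"},
               date(2016, 1, 15)),
    UserAccess("bob", "sysadmin",
               {"ad:domain_admin", "backup:restore", "ehr:admin"},
               date(2016, 5, 1)),
    UserAccess("carol", "nurse",
               {"ehr:read", "ehr:write", "med_cabinet:open"},
               date(2016, 8, 1)),
]

if __name__ == "__main__":
    for finding in recertification_report(SAMPLE_USERS, REVIEW_DATE):
        print(finding)
```

Run as-is, the report flags alice's leftover `ehr:write` entitlement (access that outlived her job change) and bob's overdue privileged recertification, while carol, whose access matches her role and was recently attested, produces nothing. In practice the role catalogue and user records would be exported from the HR system and directory rather than embedded, but the two checks stay the same.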
4. Vendor Audits. OCR stated in May 2016 that the Business Associate (BA) Agreement may
not be the only HIPAA compliance assurance required. With the ever-growing and enhanced
use of outsourced services, Cloud vendors, managed security providers and third parties who
somehow interact with your protected data, it is advisable that you, as part of your risk
assessment, fully document the need for those additional assurances, then gather the data
needed to assure their compliance with the laws and regulations that affect you. This is critical,
as your vendors are normally seen as your second largest risk area for data loss.
5. OpenDNS, “Umbrella” agents and other tools. It is time to start exploring these types of
advanced services to protect you from malicious access to data and your users from phishing,
pharming, malware and other threats even when not connected to your local network.
6. Whitelisting. This is the process of identifying and allowing only those sites and internet
addresses approved by the organization, which are legitimately required to send or receive
data from your organization or communicate with your company personnel.
7. Data Exfiltration Testing. Many companies do a great job blocking access and data transfers
from the “outside”, but few test and block data being sent from the internal network to the
internet. Knowing and limiting what data leaves your company and in what volume is just as
important as blocking malicious incoming data.
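Items 6 and 7 above describe two controls that are easiest to verify together: an allow-list of approved destinations, and a watch on how much data leaves each internal host. The following is an added example, not code from the original article or from LeadingAge NY. It parses outbound flow records in a constructed log format (the field layout, the sample addresses, the approved-destination list, the per-host baselines and the 5x anomaly multiplier are all assumptions for illustration) and reports hosts that either exceeded their normal outbound volume or talked to a destination the organization never approved.

```python
import re
from collections import defaultdict

# Constructed outbound flow record layout; a real export (firewall, NetFlow,
# proxy) would need its own field names here.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample flows, not real traffic. Documentation ranges are used
# for all addresses; the third line is deliberately malformed.
SAMPLE_FLOWS = """\
2016-08-30T14:02:11 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_out=524288
2016-08-30T14:05:40 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_out=1048576
2016-08-30T14:06:00 malformed record with no fields
2016-08-30T14:07:02 src=10.0.7.8 dst=198.51.100.44 dport=443 bytes_out=734003200
2016-08-30T14:09:15 src=10.0.7.8 dst=198.51.100.44 dport=443 bytes_out=838860800
2016-08-30T14:11:30 src=10.0.5.41 dst=192.0.2.77 dport=22 bytes_out=4096
""".splitlines()

# Whitelist (item 6): destinations the organization has approved to exchange data.
APPROVED_DESTINATIONS = {"203.0.113.9"}          # assumed: an approved cloud vendor

# Normal outbound volume per host over the window being reviewed (assumed).
BASELINE_BYTES_OUT = {"10.0.5.23": 2_000_000,
                      "10.0.7.8": 50_000_000,
                      "10.0.5.41": 100_000}


def parse_flow(line):
    """Return the record's fields, or None for a line that does not match."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize_outbound(lines):
    """Per source host: total bytes sent and the set of destinations reached."""
    totals = defaultdict(int)
    destinations = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:          # skip unparseable records rather than crash
            continue
        totals[rec["src"]] += rec["bytes"]
        destinations[rec["src"]].add(rec["dst"])
    return totals, destinations


def exfiltration_findings(lines, approved=APPROVED_DESTINATIONS,
                          baseline=BASELINE_BYTES_OUT, multiplier=5):
    """(host, finding, detail) for volume anomalies and unapproved destinations."""
    totals, destinations = summarize_outbound(lines)
    findings = []
    for host in sorted(totals):
        normal = baseline.get(host)
        if normal is None:
            findings.append((host, "no_baseline", totals[host]))
        elif totals[host] > normal * multiplier:
            findings.append((host, "volume_anomaly", totals[host]))
        for dst in sorted(destinations[host] - approved):
            findings.append((host, "unapproved_destination", dst))
    return findings


if __name__ == "__main__":
    for finding in exfiltration_findings(SAMPLE_FLOWS):
        print(finding)
```

On the sample data the host at 10.0.7.8 is reported twice: it sent roughly 1.5 GB against a 50 MB baseline, and it sent that data to an address outside the approved list; 10.0.5.41 sent very little but also to an unapproved destination, which is exactly the case a volume threshold alone would miss. The malformed line is skipped, and a host with traffic but no recorded baseline is surfaced as its own finding rather than silently passed.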
8. Security Awareness Training. Don’t scrimp here; perform and test your training at hire, at
least annually and in response to any impermissible disclosure, security incident or data
breach. Testing your training can be accomplished with social engineering attacks such as
phishing campaigns or other attempts at gaining data or access such as riding the coattails of
an employee to gain access to a controlled area.
9. Penetration (aka “hacking”) Testing. Find out what the “bad guys” can actually get to.
Penetration testing is NOT a vulnerability assessment. They are two different processes.
Vulnerability assessments report on identified or suspected weaknesses in your technological
environment, while a penetration test takes those vulnerabilities and adds actions required to
see if the vulnerability can be exploited to bypass your protection processes and technologies.
10. Repeat all of the above. Implementing effective information security is not a one-time
process or action. The testing, assessments and process improvements needed for
effective information security are not solely the responsibility of your IT department, as
technical, administrative and physical risks must be measured and taken into account
across the enterprise.
In closing, you cannot protect yourself from an unknown or unmeasured risk and ignoring
the needed actions will only accelerate your chances of exposing your organization to a loss,
disclosure or breach of data.
leadingageny.org