Adviser Vol. 3 2016 | Page 25

My Data ... (Continued from page 23)

2. Data Encryption. Effective, enterprise-wide data encryption wherever your data is stored, transmitted (e.g. email), accessed or located on portable devices (laptops, thumb drives, cell phones, backup tapes, etc.) is a requirement and traditionally has a 70 to 1 return on your protection investment.

3. User Access Control and Regular Access Recertification. Your users are your single greatest data strength if adequately trained and audited, and your largest weakness if they are not. Use a least-rights (least-privilege) process: the person accessing the data should only be able to interact with the data required to complete their documented job description – no more, no less. Don't forget to include the personnel with enhanced access, those with superuser, domain or administrator levels of access, as they hold all the keys to your data. People move and change jobs within an organization, so it is critical to re-certify all users' access on an ongoing basis.

4. Vendor Audits. OCR stated in May 2016 that the Business Associate (BA) Agreement may not be the only HIPAA compliance assurance required. With the ever-growing use of outsourced services, Cloud vendors, managed security providers and other third parties who interact with your protected data, it is advisable that you, as part of your risk assessment, fully document the need for those additional assurances, then gather the data needed to confirm their compliance with the laws and regulations that affect you. This is critical, as your vendors are normally seen as your second largest risk area for data loss.

5. OpenDNS, "Umbrella" agents and other tools. It is time to start exploring these types of advanced services to protect your data from malicious access, and your users from phishing, pharming, malware and other threats, even when they are not connected to your local network.

6. Whitelisting. This is the process of identifying and allowing only those sites and internet addresses approved by the organization which are legitimately required to send data to or receive data from your organization, or to communicate with your company personnel.

7. Data Exfiltration Testing. Many companies do a great job blocking access and data transfers from the "outside", but few test and block data being sent from the internal network to the internet. Knowing and limiting what data leaves your company, and in what volume, is just as important as blocking malicious incoming data.

8. Security Awareness Training. Don't scrimp here; perform and test your training at hire, at least annually, and in response to any impermissible disclosure, security incident or data breach. Testing your training can be accomplished with social engineering exercises such as phishing campaigns, or other attempts at gaining data or access, such as riding the coattails of an employee (tailgating) to gain entry to a controlled area.

9. Penetration (aka "hacking") Testing. Find out what the "bad guys" can actually get to. Penetration testing is NOT a vulnerability assessment; they are two different processes. A vulnerability assessment reports on identified or suspected weaknesses in your technological environment, while a penetration test takes those vulnerabilities and adds the actions required to see whether a vulnerability can be exploited to bypass your protection processes and technologies.

10. Repeat all of the above. Implementing effective information security is not a one-time process or action. The testing, assessments and process improvements needed for effective information security are not solely the responsibility of your IT department, as technical, administrative and physical risks must be measured and taken into account across the enterprise.
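Item 3 above describes a least-rights process plus periodic recertification. The script below is an added example, not code from the Adviser article or LeadingAge NY: it compares each user's actual entitlements against the entitlements their documented job role permits, flags anything extra, calls out accounts holding superuser/domain/admin-level rights, and lists accounts whose last recertification is older than the review interval. The role matrix, the user records, the review date and the `PRIVILEGED` entitlement names are all constructed sample data and assumptions.

```python
"""Access recertification review.

Added example (not from the Adviser article). ROLE_MATRIX, SAMPLE_USERS,
REVIEW_DATE and PRIVILEGED are constructed sample data / assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed role matrix: documented job description -> permitted entitlements.
ROLE_MATRIX = {
    "billing_clerk": {"billing_read", "billing_write", "email"},
    "nurse": {"ehr_read", "ehr_write", "email"},
    "helpdesk": {"email", "password_reset"},
    "sysadmin": {"email", "domain_admin", "backup_restore"},
}

# Assumption: these entitlement names grant superuser/domain/admin-level access
# and therefore always deserve a reviewer's eyes, even when the role permits them.
PRIVILEGED = {"domain_admin", "backup_restore"}

# Date the review is run (fixed so the results are reproducible).
REVIEW_DATE = date(2016, 6, 1)


@dataclass
class User:
    name: str
    role: str                 # job title as recorded in HR
    entitlements: set         # what the user can actually do today
    last_recertified: date    # when a manager last confirmed this access


@dataclass
class Finding:
    name: str
    excess: set = field(default_factory=set)      # entitlements the role does not document
    privileged: set = field(default_factory=set)  # elevated rights held
    unknown_role: bool = False                    # role has no entry in the matrix
    recert_overdue: bool = False                  # last recertification too old


# Constructed sample population. "bob" moved from nursing to billing and kept
# an old entitlement; "dave" holds a role nobody has documented.
SAMPLE_USERS = [
    User("alice", "nurse", {"ehr_read", "ehr_write", "email"}, date(2016, 1, 15)),
    User("bob", "billing_clerk", {"billing_read", "billing_write", "email", "ehr_read"}, date(2015, 3, 1)),
    User("carol", "sysadmin", {"email", "domain_admin", "backup_restore"}, date(2016, 4, 1)),
    User("dave", "intern", {"email", "password_reset"}, date(2016, 2, 1)),
]


def review_access(users, role_matrix, today, max_age_days=365):
    """Return {user name: Finding} for every user in the population."""
    findings = {}
    for u in users:
        f = Finding(name=u.name)
        allowed = role_matrix.get(u.role)
        if allowed is None:
            # No documented job description: nothing is justified, so all of it is excess.
            f.unknown_role = True
            f.excess = set(u.entitlements)
        else:
            f.excess = set(u.entitlements) - allowed
        f.privileged = set(u.entitlements) & PRIVILEGED
        f.recert_overdue = (today - u.last_recertified).days > max_age_days
        findings[u.name] = f
    return findings


def needs_attention(f):
    """True when a reviewer must act on this finding."""
    return bool(f.excess or f.privileged or f.unknown_role or f.recert_overdue)


def attention_list(findings):
    """Sorted names of users whose access needs a recertification decision."""
    return sorted(n for n, f in findings.items() if needs_attention(f))


if __name__ == "__main__":
    results = review_access(SAMPLE_USERS, ROLE_MATRIX, REVIEW_DATE)
    for name in attention_list(results):
        f = results[name]
        print(f"{name}: excess={sorted(f.excess)} privileged={sorted(f.privileged)} "
              f"unknown_role={f.unknown_role} overdue={f.recert_overdue}")
```

Running the block prints bob (a leftover `ehr_read` from a previous job and a recertification older than a year), carol (holds domain admin rights, which the role permits but which must still be reviewed) and dave (an undocumented role, so every entitlement is unjustified); alice produces no finding. Feeding it a real export of group memberships instead of `SAMPLE_USERS` is the only change needed to use it as the starting point for a periodic review.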
In closing, you cannot protect yourself from an unknown or unmeasured risk, and ignoring the needed actions will only accelerate your chances of exposing your organization to a loss, disclosure or breach of data.
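Items 6 and 7 above (whitelisting approved destinations, and knowing what data leaves the network and in what volume) can be checked against outbound connection records. The script below is an added example, not code from the Adviser article or LeadingAge NY: it parses a small set of constructed egress log lines, tests every destination against an allowlist of approved domains and networks, totals bytes sent per internal host, and reports both traffic to unapproved destinations and hosts that exceed a daily volume ceiling. The log format, the allowlist (using reserved `.example` names and documentation IP ranges) and the 100 MiB threshold are all constructed or assumed.

```python
"""Egress allowlist and exfiltration-volume check.

Added example (not from the Adviser article). The log format, ALLOWED_DOMAINS,
ALLOWED_NETWORKS, VOLUME_THRESHOLD and SAMPLE_LOG are constructed/assumed.
"""
import ipaddress
from collections import defaultdict

# Constructed allowlist: destinations the organization has approved for outbound traffic.
ALLOWED_DOMAINS = {"mail.partner.example", "updates.vendor.example"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # sample partner network

# Assumed per-host daily egress ceiling above which a transfer is reviewed: 100 MiB.
VOLUME_THRESHOLD = 100 * 1024 * 1024

# Constructed sample egress records, one per line:
#   <timestamp> <internal host> <destination> <port> <bytes sent>
SAMPLE_LOG = """\
2016-06-01T08:05:11 ws-billing-07 mail.partner.example 443 18240
2016-06-01T08:07:42 ws-billing-07 203.0.113.25 443 4096
2016-06-01T09:14:03 ws-nurse-12 updates.vendor.example 443 2511
2016-06-01T10:31:55 ws-billing-07 198.51.100.77 443 734003200
2016-06-01T11:02:19 ws-nurse-12 files.unknown.example 22 41943040
2016-06-01T11:02:20 ws-nurse-12 files.unknown.example 22 41943040
"""


def parse_record(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"time": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def destination_allowed(dst):
    """True if dst is an approved IP (inside an allowed network) or an approved
    domain (exact match or subdomain of an allowed name)."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        # Not an IP literal, so treat it as a host name.
        return dst in ALLOWED_DOMAINS or any(dst.endswith("." + d) for d in ALLOWED_DOMAINS)
    return any(addr in net for net in ALLOWED_NETWORKS)


def analyze_egress(log_text, threshold=VOLUME_THRESHOLD):
    """Aggregate bytes per internal host and per unapproved (host, destination) pair,
    and list hosts whose total egress exceeds the threshold."""
    bytes_per_host = defaultdict(int)
    unapproved = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        bytes_per_host[r["src"]] += r["bytes"]
        if not destination_allowed(r["dst"]):
            unapproved[(r["src"], r["dst"])] += r["bytes"]
    high_volume = sorted(h for h, b in bytes_per_host.items() if b > threshold)
    return {
        "bytes_per_host": dict(bytes_per_host),
        "unapproved": dict(unapproved),
        "high_volume_hosts": high_volume,
    }


if __name__ == "__main__":
    report = analyze_egress(SAMPLE_LOG)
    for (src, dst), b in sorted(report["unapproved"].items()):
        print(f"unapproved destination: {src} -> {dst} ({b} bytes)")
    for host in report["high_volume_hosts"]:
        print(f"egress volume over threshold: {host} ({report['bytes_per_host'][host]} bytes)")
```

On the sample data, ws-billing-07 is reported twice: it sent roughly 700 MiB to an address outside the approved partner network, and its daily total crosses the ceiling. ws-nurse-12 stays under the volume ceiling but still shows up for two transfers to an unapproved host, which is the case a volume check alone would miss; the two checks together are what item 7 calls knowing both what leaves and how much.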