The key to an effective data security policy, however, is not data but people. No security controls and processes will be effective unless all employees adhere to them. This means defining a clear security policy and obtaining employee buy-in and commitment. The policy should be enforceable, realistic, acceptable to users and should not violate personal privacy laws.
User education is essential, which means training everyone in your organisation – including senior management – about different types of threats and how to prevent them. You should make sure that they know exactly what to do and who to contact should the worst happen. They need to feel able to ask for help if they think they’ve mistakenly clicked on something malicious, rather than burying their head in the sand and hoping for the best.
Some of your policies may be unpopular, such as disabling the use of USB flash drives or other removable storage devices. To obtain user commitment you need to explain why they’re needed and make sure that secure alternatives are available.
It’s also vital to obtain commitment at the top of the organisation. Security policy needs board-level commitment and HR support before implementation, executive sponsorship during implementation and HR-defined penalties for policy violations. These penalties should be equally applicable at all levels of the organisation.
Finally, you need commitment from the various data owners in your organisation, as they should be responsible for managing and keeping their data safe once the security solutions have been implemented. They can use Data Lifecycle Protection (DLP) tools, for example, to enforce policy and reporting requirements appropriate to their needs. Typically, the security problems we see occur where users are allowed to store data on their own machines. Data owners should also be given responsibility for ensuring that data is consolidated in a central network location, as DLP works best when data is organised and structured.