IT Best Practices

Best Practices for Maintaining Data Security


No matter what business you’re in, protecting your data from threats and accidental compromises is a critical concern. Several recent high-profile incidents have exposed just how vulnerable retailers, educational facilities, government contractors and other organizations are.

According to Forbes Magazine, corporate network security is an over $60 billion industry. However, before you invest in the latest expensive technology, it’s important to plan properly. This will help you make the most of your budget without compromising the level of protection your intellectual property, customers’ private data and other valuable assets receive.

Here are some of our best practices for maintaining data security in a business environment.

1. Standardize:

Together, ISO 27001 and ISO 27002 represent the most comprehensive set of best practices for data security in a business environment. Implementing ISO 27001 or ISO 27002 controls is the easiest way to keep your corporate data safe on an ongoing basis. Many of the following tips are drawn directly from ISO guidelines.

2. PDCA:

Plan-do-check-act (PDCA) protocol is the cornerstone of ISO 27001 standards. Working towards ISO 27001 certification is a worthy goal for any facility. Even if your organization doesn’t require certification, PDCA is an important litmus test for any data security policy. Make sure you have protocol in place to plan your security processes ahead of time, dothe difficult work of integrating these processes, check that they are being followed and act quickly in cases of non-compliance.

3. Auditing:

Regular auditing of your security practices will ensure business rules are being implemented properly by all team members. ISO27001 and ISO27002 mandate that a third party audit be carried out every 12 months. Regular internal auditing on a quarterly or monthly basis is also recommended — frequent or ongoing audits will ensure that both letters and the spirit of your security policies are being fulfilled on a daily basis.

4. Identifying Assets:

Identifying your assets is the first step to developing an advanced security posture. Not coincidently, it is also one of the first steps in an ISO 27001 or ISO 27002 security audit. Begin by making a list of all hardware, software, media, data and applications that contain sensitive data. Assign a location and ownership to each one, and ensure that each owner is aware of their responsibilities. To simplify things, assets can be graded according to their priority level.

5. Hiring:

Over half of all security breaches are caused by insiders rather than malware or web-based attacks. Either through negligence or deliberate sabotage, your employees are the greatest risk to your data. Policies should be in place to minimize the risk of data loss, both by properly screening applicants and ensuring that appropriate responsibilities are set at the contractual level.

6. Back-up:

Requirements for backing up data vary according to industry. Most IT security professionals recommend daily back up of all files that have changed in the past 24 hours, followed by a complete backup on a weekly basis. Data should also be regularly archived for long-term storage.

7. Access Control:

Part of identifying and prioritizing your security assets involves assigning and maintaining access levels among staff. Creating a consolidated list of password and storing it in an encrypted location is an excellent way to begin this process.

8. Physical Security:

Physical security involves not only barrier protection limiting access to sensitive resources by unauthorized personnel, but it also involves keeping critical servers, workstations and cables protected from damage by floods, earthquakes, fires, theft, etc.

9. Encryption:

ISO 27002 standards dictate that a company-wide encryption policy is designed and implemented, covering standards and responsibilities for digital signatures, keys, certificates and any other encryption tools.

10. Real Time Monitoring:

Threats against your network are constantly evolving. The best way to maintain a vigilant security posture is by implementing SIEM tools that keep track of logged data and correlate information from different sources, indentifying malicious behavior and giving your IT team tools/data to respond to emerging threats.

11. Log Collection:

To simplify the auditing process, it is recommended that policies are put in place for the collection and long-term storage of log and report data. This will allow you to keep track of your security posture over time and can aid in future forensic investigations.

12. Scalability:

Scalable security solutions grow with your business, making it easy to add users, expand your security coverage or implement new procedures, protocol and business rules. When choosing SIEM software and other logging/data safety appliances, go with a product that will be easily expandable to meet your future needs.

Additional Best Practices

ISO 27001 and 27002 provide excellent guidelines for big picture security planning. While policies and planning are essential for developing security strategies, there are plenty of day-to-day risks your sensitive information faces.

Here are a few other suggestions for managing your data security on the user level.

13. Manage Removable Media Devices:

Flash drives and other removable media devices can easily lead to a breach of sensitive information, whether it’s by the accidental loss of an important device, or by malicious users sneaking information out of your compound. If possible, implement company-wide policies that restrict or limit the use of removable media devices.

14. Manage Mobile Devices:

mobile device management is an important area of concern as more and more organizations move to BYOD (bring your own device) policies. Implementing lost-phone policies, restricting the use of third party apps and enabling remote swiping of data are all important requirements for a secure BYOD workplace.

15. Remove Data Securely:

Remember that extremely sensitive data can still be recovered, even when deleted from workstation. Investing in secure wiping utilities is useful, and make sure old equipment is thoroughly destroyed/de-magnetized to prevent data from being recovered.

16. Keep software up to date:

External threats against your network are constantly evolving. Keeping your IT resources updated, such as antivirus programs and other security software, will reduce the likelihood of breaches and better prepare your team to respond to threats.