Thursday, December 03, 2009

Information Security Tip #2: Less is More

Protect your customers and employees by securing the sensitive data in your possession. Keep only what you need for business:
  • Eliminate. If you don’t have a valid business reason to collect a piece of personal information, don’t collect it. Once you gather information, it must be stored, archived, protected, and eventually disposed of. By not collecting it in the first place, you spare your organization all of that work and the risk that comes with it. Review the forms you use to gather data (applications, web site forms, etc.) and revise them to remove requests for information you don’t need.
  • Limit retention. Unless you have a legitimate business justification, don’t store and retain sensitive information. Keeping sensitive data longer than necessary creates an unwarranted risk of fraud: every extra record is one more that can be lost or stolen.
  • Defaults. Some software is preset to store information permanently (logs, form submissions, backups). Check your settings to make sure you’re not inadvertently keeping more than you need.
  • Compliance. Ensure your organization meets the privacy and security requirements that apply to it.
  • Retention. If you must keep information for business reasons or to comply with the law, develop a written records retention policy that identifies what must be kept, how to secure it, how long to keep it, who is authorized to access it, and how to dispose of it securely when you no longer need it.
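The Defaults and Retention items above only pay off if the retention schedule is actually enforced against what is stored. The following is an added example, not code from the original post: it takes a hypothetical retention schedule (category to maximum age) and a set of constructed sample records, and sorts them into keep, purge, and review. Two edge cases a practitioner will hit are handled explicitly: a record under legal hold is never purged regardless of age, and a record whose category has no rule is flagged for review rather than silently kept, since unclassified data is exactly what the "keep only what you need" rule is meant to surface. All category names, record IDs, and the 2009 dates are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule (an assumption for this example, not the
# post's own policy): data category -> maximum age after collection.
RETENTION_POLICY = {
    "web_form_submission": timedelta(days=90),
    "job_application": timedelta(days=365),
    # No business reason to keep full card data once the payment is processed.
    "payment_card": timedelta(days=0),
}


def apply_retention(records, policy, now):
    """Sort records into keep / purge / review according to the schedule.

    Returns a dict of lists of (record_id, reason) tuples so the decision
    can be logged and audited before anything is actually deleted.
    """
    result = {"keep": [], "purge": [], "review": []}
    for rec in records:
        age = now - rec["collected_at"]
        # Legal hold overrides the schedule: never purge, whatever the age.
        if rec.get("legal_hold"):
            result["keep"].append((rec["id"], "legal hold"))
            continue
        max_age = policy.get(rec["category"])
        if max_age is None:
            # Unknown category: fail closed and send it to a human rather
            # than letting unclassified data accumulate by default.
            result["review"].append((rec["id"], "no retention rule for %s" % rec["category"]))
        elif age > max_age:
            result["purge"].append((rec["id"], "age %d days exceeds %d days" % (age.days, max_age.days)))
        else:
            result["keep"].append((rec["id"], "within retention period"))
    return result


# Constructed sample records (not real data); "now" is fixed so the run is
# reproducible.
NOW = datetime(2009, 12, 3, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": "form-0412", "category": "web_form_submission",
     "collected_at": datetime(2009, 8, 1, tzinfo=timezone.utc)},        # 124 days old
    {"id": "form-0587", "category": "web_form_submission",
     "collected_at": datetime(2009, 11, 20, tzinfo=timezone.utc)},      # 13 days old
    {"id": "app-0031", "category": "job_application", "legal_hold": True,
     "collected_at": datetime(2008, 6, 1, tzinfo=timezone.utc)},        # old, but on hold
    {"id": "card-7", "category": "payment_card",
     "collected_at": datetime(2009, 12, 2, tzinfo=timezone.utc)},       # 1 day old, 0-day rule
    {"id": "survey-9", "category": "marketing_survey",
     "collected_at": datetime(2009, 10, 1, tzinfo=timezone.utc)},       # no rule defined
]


def demo():
    """Run the schedule against the constructed records."""
    return apply_retention(SAMPLE_RECORDS, RETENTION_POLICY, NOW)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        for rid, reason in entries:
            print("%-7s %-10s %s" % (bucket, rid, reason))
```

The script only reports; wiring the purge list to an actual deletion step (and to secure disposal for anything on paper or in backups) is deliberately left to the operator so the decision can be reviewed first, as the written policy the post calls for should require.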
A periodic risk assessment, covering what data you hold, where it lives, and who can reach it, is how you find out whether these rules are actually being followed.
