Your Employees and Information Security

Transcript of Your Employees and Information Security

Page 1: Your Employees and Information Security

Your Employees and Information Security

What every company needs to know about preventing inside security breaches.

Page 2: Your Employees and Information Security

Insider Breaches – Be concerned
• 85% of US organizations have experienced at least one data breach in the last 12 months
• The share of companies experiencing more than 5 data breaches in one year rose from 13% (2008) to 22% (2009)
• Consider who has access to sensitive information in your organization

Page 3: Your Employees and Information Security

Reduce the threat
• Engage your employees – they are essential to your company’s success
• Create a total security culture
• Implement secure document management and destruction as a preventative measure against information security breaches

Page 4: Your Employees and Information Security

Engage your employees
• They need to understand your security policies and procedures
• They must be committed to implementing them correctly
• They are the key to an organizational culture of total security

Page 5: Your Employees and Information Security

Engaged employees keep information secure
• Protect documents from the moment they are created until the time they are no longer needed
• Eliminate security risks at the source
• Permanently secure the entire document lifecycle
• Develop strategic, integrated and long-term approaches

Page 6: Your Employees and Information Security

Employee Best Practices
Train your staff in document destruction policies and best practices:
• Offer training courses, either in general security or dealing specifically with secure document destruction
• Best practices:
  • Shred all – to avoid the risks of human error or poor judgment about which documents are confidential
  • Shred regularly – to deter the accumulation of confidential paper waste
  • Shred securely – to ensure the chain of custody meets your compliance requirements
  • Shred before recycling – to avoid risks once confidential paper waste is at the recycler

Page 7: Your Employees and Information Security

Eliminate risks at the source
• Implement a “shred all” policy
• A “shred all” policy will make sure that all documents are fully and securely destroyed on a regular basis, so no employee has to judge which documents are confidential
• Change from reducing to eliminating security loopholes throughout the lifecycle of the document
• Employees should be trained in the values of “destruction at the source”

Page 8: Your Employees and Information Security

Employees and the Legislation
• Your employees need to know what legislation applies to your organization
• Information security is more than good business – it’s the law
• They should be aware of HIPAA and FACTA, and of the NAID certification standards that destruction vendors are audited against

Page 9: Your Employees and Information Security

HIPAA (Health Insurance Portability and Accountability Act of 1996)
• Maintain reasonable and appropriate safeguards to prevent intentional or unintentional use or disclosure of protected health information
• Includes: patient medical records, patient logs, insurance, billing and other personally identifiable health information
• HIPAA-compliant organizations must also designate a privacy officer and ensure all staff are trained and understand privacy issues
• “Shredding prior to disposal” is identified as an appropriate safeguard

Page 10: Your Employees and Information Security

FACTA (The Fair and Accurate Credit Transactions Act, 2003)
• Provides new tools to help fight identity theft
• Applies to any person or company that “maintains or otherwise possesses consumer information or any compilation of consumer information, derived from consumer reports for a business purpose”
• Includes a specific rule (the Disposal Rule) regarding the proper disposal of consumer report information and records

Page 11: Your Employees and Information Security

NAID (National Association for Information Destruction)
• Certification Program establishes stringent security standards for a secure destruction process:
  • operational security
  • employee hiring and screening
  • the destruction process
  • responsible disposal and insurance
• For a vendor with multiple locations, each location must pass the audit to be certified
• All Shred-it locations in the United States and Canada have received NAID Certification

Page 12: Your Employees and Information Security

Recycling is not enough
• Loose paper is often left unattended before it is recycled
• Documents can be misplaced or stolen
• Paper can fall out of the truck and onto the street
• Shredding documents before recycling serves the environment and keeps your confidential information confidential

Page 13: Your Employees and Information Security

Create a total security culture – Step 1
• Look at what you are doing now
• Identify all potential risks that may threaten the security of your organization’s confidential information
• Examine the document workflow and lifecycle; analyze both electronic and paper-based sources

Page 14: Your Employees and Information Security

Create a total security culture – Step 2
• Create a comprehensive information security strategy
• Develop security policies that comply with national identity theft and privacy legislation
• Restrict access to confidential data, in electronic and paper form, to what the specific business needs of specific categories of personnel require

Page 15: Your Employees and Information Security

Create a total security culture – Step 3
• Train your staff in secure document management and destruction
• Implement “shred-all” policies and “destruction at the source” values
• Build an organizational culture that values and respects confidentiality and privacy
