Your Employees and Information Security
What every company needs to know about preventing inside security breaches.
Insider Breaches – Be concerned
• 85% of US organizations have experienced at least one data breach in the last 12 months
• Companies experiencing more than 5 data breaches in one year rose from 13% (2008) to 22% (2009)
• Consider who has access to sensitive information in your organization
Reduce the threat
• Engage your employees – they are essential to your company’s success
• Create a total security culture
• Implement secure document management and destruction as a preventative measure against information security breaches
Engage your employees
• They need to understand your security policies and procedures
• They must be committed to implementing them correctly
• They are the key to an organizational culture of total security
Engaged employees keep information secure
• Protect documents from the moment they are created until the time they are no longer needed
• Eliminate security risks at the source
• Permanently secure the entire document lifecycle
• Develop strategic, integrated and long-term approaches
Employee Best Practices
Train your staff in document destruction policies and best practices:
• Offer training courses, either in general security or specifically on secure document destruction
• Best practices:
• Shred all – to avoid the risks of human error or poor judgment
• Shred regularly – to deter the accumulation of confidential paper waste
• Shred securely – to ensure the chain of custody meets your compliance requirements
• Shred before recycling – to avoid risks once confidential paper waste is at the recycler
Eliminate risks at the source
• Implement a “shred all” policy
• A “shred all” policy will make sure that all documents are fully and securely destroyed on a regular basis
• Change from reducing to eliminating security loopholes throughout the lifecycle of the document
• Employees should be trained in the values of “destruction at the source”
Employees and the Legislation
• Your employees need to know what legislation applies to your organization
• Information security is more than good business – it’s the law
• They should be aware of HIPAA and FACTA, and of the NAID certification program (an industry standard, not legislation)
HIPAA (Health Insurance Portability and Accountability Act of 1996)
• Maintain reasonable and appropriate safeguards to prevent intentional or unintentional use or disclosure of protected health information
• Includes: patient medical records, patient logs, insurance, billing and other personally identifiable health information
• HIPAA compliant organizations must also designate a privacy officer and ensure all staff are trained and understand privacy issues
• “Shredding prior to disposal” is identified as an appropriate safeguard
FACTA (The Fair and Accurate Credit Transactions Act, 2003)
• Provides new tools to help fight identity theft
• Applies to any person or company that “maintains or otherwise possesses consumer information or any compilation of consumer information, derived from consumer reports for a business purpose”
• Includes a specific rule regarding the proper disposal of consumer report information and records
NAID (National Association for Information Destruction)
• Certification Program establishes stringent security standards for a secure destruction process:
• operational security
• employee hiring and screening
• the destruction process
• responsible disposal and insurance
• For organizations with multiple locations, each location must pass the audit to be certified
• All Shred-it locations in the United States and Canada have received NAID Certification
Recycling is not enough
• Loose paper is often left unattended before it is recycled
• Documents can be misplaced or stolen
• Paper can fall out of the truck and onto the street
• Shredding documents before recycling serves the environment and keeps your confidential information confidential
Create a total security culture – Step 1
• Look at what you are doing now
• Identify all potential risks that may threaten the security of your organization’s confidential information
• Examine the document workflow and lifecycle; analyze both electronic and paper-based sources
Create a total security culture – Step 2
• Create a comprehensive information security strategy
• Develop security policies that are compliant with national identity theft and privacy legislation
• Restrict access to confidential data, in electronic and paper form, based on the specific business needs of specific categories of personnel
Create a total security culture – Step 3
• Train your staff in secure document management and destruction
• Implement “shred-all” policies and “destruction at the source” values
• Build an organizational culture that values and respects confidentiality and privacy