by Kirk Hoaglund
June 2004

Business Builder: Security

CIA applies when protecting your and your customers’ data


If your firm is like mine, your small company works with a number of much larger companies.

Some of your customers are publicly traded or even Fortune 500. These customers have regulatory and compliance obligations that do not, and may never, apply to your firm. Their responsibilities to protect information and to affirm its accuracy have grown recently.

There are two really good reasons why you should be thinking about this: You’d rather not be part of the problem, and some of the problems your large customers have are the same as your problems.

Protecting your valuable data and your customers’ data can be a complex subject, but you can think about it using the security professional’s standard acronym: CIA. CIA, in this case, stands for Confidentiality, Integrity and Availability.

Confidentiality: If you have at least one employee, you have confidentiality requirements. Your employment records, payroll records, and, especially, benefit records are confidential information. Many elements of this information are protected by law and it is just a good idea to keep this sort of stuff private.

Your customers also provide you with data. You probably know things about each of them that should not become public knowledge. Sometimes even the fact that you have a relationship with a particular company is considered a private fact.

As important as it is to hold this information confidential, it is just as important to be able to demonstrate that you can and do hold these kinds of data confidential. This is an important distinction to keep in mind as you read on.

Integrity: Maintaining the integrity of electronic records is one of the major cornerstones of the Sarbanes-Oxley Act of 2002. If you haven’t already heard about “SOX” from any of your larger clients, you soon will.

SOX requirements apply directly only to certain classes of publicly traded firms, but some of those companies are your customers. So you need to know about it.

In the course of doing business you accumulate lots of pieces of data that help you run your business: your accounting books, receipts, invoices, contracts, payments and plenty more. Regardless of the size of your enterprise, more than one person touches each of these pieces of information.

Data maintains its integrity when you are able to track each touch and know how and why it happened. If the data changed as a result, you know the how-and-why of the change as well.

Availability: The simplest information security mechanism is to immediately lock up every piece of data when it appears, then throw away the key. No one will see it, so it is confidential. No one can change it, so it maintains its integrity. But, obviously, what’s the point? The right people must have the right access under the right circumstances.

Just as with confidentiality and integrity, one of the most important factors in managing availability is to know how and when the information is available, and by whom and when it was accessed. Trusting your systems is a good thing, but being able to show that they work is even better.
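The integrity and availability points above both come down to the same record: who touched which piece of data, when, why, and what changed. As an added example (not code from the article or from Clientek), this small Python class keeps that record as an append-only, hash-chained log, so a touch that was silently edited or removed after the fact can be shown rather than merely trusted. The record names, people and dates used in comments and tests are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


class TouchLog:
    """Append-only, hash-chained record of every touch on a piece of data.

    Each entry says who touched which record, when, why, and (for a change)
    the before/after values. Each hash covers the previous hash, so editing
    or deleting an entry after the fact breaks the chain.
    """
    GENESIS = "0" * 64  # constructed starting value for the chain

    def __init__(self):
        self.entries = []
        self.head = self.GENESIS  # keep a copy of this somewhere safe

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def touch(self, who, record, why, before=None, after=None, when=None):
        """Record one read or change; returns the new entry's hash."""
        entry = {
            "who": who, "record": record, "why": why,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "action": "change" if before != after else "read",
            "before": before, "after": after, "prev": self.head,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self.head = entry["hash"]
        return self.head

    def verify(self):
        """Index of the first bad entry; len(entries) if the tail was cut; -1 if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1 if prev == self.head else len(self.entries)

    def history(self, record):
        """The who/when/why trail for one record, oldest first."""
        return [(e["when"], e["who"], e["action"], e["why"])
                for e in self.entries if e["record"] == record]
```

The chain only proves tampering if the current head hash is stored somewhere the people who can edit the log cannot reach; a copy held by a second person or system is enough for a small firm.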

So what do you do?

Don’t panic. There are things you can do right now that go a long way to improve CIA for your information and that entrusted to you by your very important customers:

Communicate. Let everyone on your staff know that CIA is very important and that your firm is committed to the policies and procedures that keep your data safe. This is the first and most important step. Without it, the rest will not work.

Use what you already have. Your computing systems are protected by user names and passwords. Use them. Don’t write down passwords. Don’t write down user names. Do not send an e-mail containing either. As soon as you finish reading this paragraph, announce that all passwords in your company must be changed by tomorrow. Then change them again every month or two.

Be smart about it. If you allow two people to share a user name or password, stop it right now. While that might seem an easy solution to the availability issue, it kills integrity and confidentiality. If someone does not need access to a resource or piece of information, don’t grant it. Resist the temptation to simply allow everyone access to everything. And make sure you know who can do what.

Back it up. Information has no integrity if it is gone. Make and keep backup copies — but do it carefully. If you have a backup copy of secure data, the backup must be at least as secure. Access to the backup should be controlled and monitored with at least as much care as the original. And be absolutely sure (by testing, testing, testing) that your backup procedure actually works and that you can restore missing information.

Find your weak spots. Do you have a deadbolt on the front door and a screen door on the back? As you’ve grown over the past few years have you left a computer or two sitting unprotected in “the back room?” Do you have employees who take computers home? It is worth your time to find out if someone knows the location and status of every piece of computing equipment that you have. Once you’ve gathered that data, keep it up to date. Oh, and be sure that this new data is controlled and secure.

Change access codes. Make sure that you’ve disabled the accounts and access for any employee who has left your company. Do they know the access code for the garage door? Change it. Were they listed on the “qualified contact” lists with any of your vendors or clients? Find out right away.

Get a security assessment. Find a qualified assessor to review your IT systems, policies and procedures. Most reputable firms will do a quick assessment for free. If the free assessment turns up a few problems, pay for the next level of review. It is well worth the money. Then you can decide what to do about any real problems.
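Three of the steps above (stop shared user names, grant only the access a job needs, disable departed employees) can be checked against one simple record of who can do what. As an added example (not code from the article or from Clientek), this Python script reviews such a record and reports each violation; the roster, role needs and account grants are constructed sample data, and the idea that each account maps to a set of known users is an assumption about how you keep that record.

```python
# Constructed sample data (not from the article). In practice the roster
# comes from HR, the needs from a written policy, and the grants from
# each system's own account list.
ROSTER = {
    "alice": {"role": "bookkeeper", "status": "active"},
    "bob": {"role": "sales", "status": "active"},
    "carol": {"role": "sales", "status": "departed"},
}
ROLE_NEEDS = {
    "bookkeeper": {"accounting", "payroll", "fileserver"},
    "sales": {"crm", "fileserver"},
}
# (system, account name) -> the people known to log in with that account
GRANTS = {
    ("accounting", "alice"): {"alice"},
    ("payroll", "alice"): {"alice"},
    ("payroll", "bob"): {"bob"},                  # not needed for his role
    ("crm", "bob"): {"bob"},
    ("crm", "carol"): {"carol"},                  # departed, still enabled
    ("fileserver", "office"): {"alice", "bob"},   # shared login
}


def review_access(roster, role_needs, grants):
    """Return (kind, system, account, detail) findings, in system order.

    kinds: 'shared'     one account used by more than one person
           'unknown'    a user who is not (or is no longer) on the roster
           'departed'   an enabled account for someone who has left
           'not-needed' access the person's role does not call for
    """
    findings = []
    for (system, account), users in sorted(grants.items()):
        if len(users) > 1:
            findings.append(("shared", system, account, sorted(users)))
        for user in sorted(users):
            person = roster.get(user)
            if person is None:
                findings.append(("unknown", system, account, user))
            elif person["status"] != "active":
                findings.append(("departed", system, account, user))
            elif system not in role_needs.get(person["role"], set()):
                findings.append(("not-needed", system, account, user))
    return findings


if __name__ == "__main__":
    for finding in review_access(ROSTER, ROLE_NEEDS, GRANTS):
        print(*finding)
```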

As your customers become more concerned with privacy and security, you need to stay in step. Much of what they are dealing with is worth thinking about within your own company as well.

While Sarbanes-Oxley, HIPAA, and related “big company problems” don’t affect you directly, they are important to keep in mind. And much of what these regulations seek in privacy and security is good practice anyway.

Apply the principles of CIA to your data and let your customers know that you’ll always do the same with theirs.

Kirk Hoaglund is CEO of Clientek, a technology consulting firm in Minneapolis: 612.379.1440, ext. 101; kirk.hoaglund@clientek.com; www.clientek.com