Protecting information as carefully as we protect ourselves from physical threats offers a long-term advantage: it keeps you or your organization from negative impressions and helps secure continued success. The Federal Trade Commission has set out a crucial five-step principle for ensuring the protection of sensitive information.
1. Take stock – Know what you have and account for it, so that it is easy to identify what was lost. Make an inventory of all computer hardware, from the computer units down to the last item with data capacity, and log the type and location of each. This makes it easier to point out where sensitive information might be stored. Tracking who used the information, what was used, when and why will also help determine where problems could arise.
2. Scale down – Delete the obsolete and keep only what’s important. Using sensitive information only when needed will help you control how it is used. A written log or record should be kept in case there is a need for information retention; under no circumstances should pertinent information such as a customer’s credit card be kept on file without the user’s permission, since otherwise the system has no reason to keep it.
3. Lock it – Once important information is kept, the next step is to keep it out of sight. Physical security is necessary: any hard copies, on paper or other devices, must be kept locked and isolated in a specific location, and access to those copies should be set according to purpose. Access control is important, as are security habits that everyone in the organization should practice, such as logging off computers and locking the office at the end of the business day. For electronic security, use encryption, password management and connection identification, and use only secure connections.
4. Pitch it – Properly dispose of information that is no longer in use. Formulating and implementing effective disposal practices within the organization helps ensure restricted access to sensitive information. Printed materials of no use should be destroyed beyond repair. For stored data, the use of wiping tools will ensure that no important information is left on computers that are to be disposed of. Consumer data should be disposed of in compliance with the FTC’s Disposing of Consumer Report Information rules.
5. Plan ahead – Prevention is better than cure, but for the worst-case scenario there should be a contingency plan ready to be initiated to minimize damage. Designating trusted personnel will make it easier to implement response actions. Disconnecting a compromised computer from the network will also cut the risk of further intrusion; this should be followed by investigation and notification of the concerned parties. There are three good reasons why planning ahead is important:
a. Planning enables a logical and immediate response that minimizes damage.
b. It generally reduces the impact of any attack on overall business operations.
c. Planning ensures stronger security augmentation, which implies credibility and strengthens the organization’s reputation as trustworthy.