50 Ways to Ensure Privacy
The need for business to protect data maintained
for clients and employees should rank higher than the need to protect company operational
data and / or business secrets.
Individual and business clients demand that data
not be shared either intentionally or accidentally. Indeed, business is required to follow
the Personal Information Protection and Electronic Documents Act (PIPEDA) that came into full
implementation January 1, 2004.
The best security starts with policies and
procedures communicated to all employees. Instilling a sense of the importance of security
issues into the corporate culture is important not just because security is the law but
also because it is good business and recognized as important by all stakeholders. No
matter what rules, regulations, or physical attributes may be built into a system, the
human element always remains the weakest link.
Your company should review and implement four
areas: physical security, data management, staff involvement and management concerns.
Physical Security
1. Provide
shredders to each office employee. Ensure all draft data, temporary file-disc backup,
handwritten notes, envelopes, etc., are shredded before the staff member leaves each day.
2. All
historical files should be secured under lock and key.
3. All
historical data, whether for the business or clients, should be shredded on a regular
basis by a bonded company. All hard drives and other forms of electronic storage should be
erased with a write-over program and destroyed.
4. All
laptops, disks, and hardcopy files should be signed in and out by the user with the date,
time, and user's name.
5. An
information coordinator should maintain a detailed record of all equipment provided to
personnel. Equipment should be checked regularly to ensure users have not added new
hardware or software that may be used to the company's detriment.
6. Servers
should be maintained in an area separated from any work stations. Consideration should be
given to a key-plus security code, or a biometric registration.
7. Information
leaving the office, whether hardcopy or electronic, should be provided with a security
lock or password and placed in the trunk of the employee's vehicle.
8. If
staff is staying at a hotel, consider placing sensitive data in the hotel safe. When and
where possible, download encrypted data from the main server before the meeting to
eliminate the need to carry the data.
9. Establish
visitor protocols. At owner-managed venues, all visitors must either be accompanied by a
known employee or should be refused access beyond reception.
10. Laptops and easily moved workstations should
be physically secured to lessen the possibility of theft.
11. Workspaces
in offices should be configured to prevent access to hardware and defeat the possibility
of computer screens being read or photographed by strangers.
12. Determine
whether contracts, agreements, patents, formulas, trade secrets and the like should be
stored off premises.
13. Administration
areas containing company, employee, or client data, agreements, permanent records,
business numbers, bank numbers, etc., should be considered off limits to all except
authorized management and employees.
Data Management
14. Purge
client files of all data not essential to the current project.
15. Do
not allow historical data to transfer with current project files. There is little need to
have the entire client history at the desktop or transferred to a laptop.
16. Proprietary
information should be identified and provided on a need-to-know basis.
17. All
data should be maintained on a central server.
18. All
data on the central server should be segregated and classified according to user-based
security permissions. For example, contracts, settlements, formulas, or historical data
required by regulatory or taxation authorities but also needed for current use should be
filed separately at the highest clearance level before being copied to an ancillary device
whether a laptop or a flash drive.
19. All
data released should be handled by a single coordinator to ensure the continuity of the
information trail.
20. Updated
files to be reentered into the central server for archival purposes should be handled by a
single coordinator, who should ensure the data is scanned for viruses before downloading.
21. If
the server is accessible remotely outside the LAN, data transmitted outside the company
network should be encrypted.
22. All
computers, whether desktops or laptops, should be equipped with a master password to allow
the key administrator to manage the equipment.
23. A
policy should be established to determine whether each client document requires a password
or only client files should be encoded. Consider, for example, that it may be possible to
protect a spreadsheet but not a Word document.
24. Consideration
should be given to the practicality of password protection on all documents. Care must be
taken to ensure that necessary information does not become irretrievable because a key
individual leaves and no one else knows the password.
25. All
computers should be scanned for viruses on a regular basis. If a virus is discovered, the
source should be found and corrective measures taken to avoid subsequent infection.
26. Individual
records should be maintained for all assigned email accounts, computer system-access
codes, PDAs, flash drives and communication devices to augment security measures should a
person quit or be fired, die, or lose any company device.
27. Ensure
that the latest program updates for operating systems and security programs are installed
where required. Do not use pirated software. Maintain a log detailing the program,
software version or number, the update date and the hardware the update was installed
upon.
28. All
wireless data transmitted should be encrypted. Ensure that the appropriate network keys
are in place so that your wireless transmissions cannot be intercepted outside the
office.
29. Develop
a policy to identify documentation that cannot be communicated over the Internet or by
open communication such as a cell phone. Consider, for example, transmission of employee
names and SINs as a serious breach.
Staff Involvement
30. Employers
should provide in-house courses on the need for confidentiality, company policy, and
expected protocol in the event hardware or data is lost.
31. All
employees should receive documentation detailing the need for confidentiality. Such
documentation should provide guidelines indicating areas off limits, document types not to
leave the office, requirements for coordinating passwords with the IT department, etc.
32. Discussions
concerning company business or clients must be handled discreetly. Conversations about
business matters in restaurants or while travelling on public transportation are a sure
means of breaching confidentiality.
33. There
are no circumstances in which company data, operating systems, or client data should ever
be loaded to non-sanctioned hardware such as personal computers, client computers, or
flash memory.
34. Staff
should be told not to download from the Internet, transfer, cut and paste, import
freeware, make modifications to or update existing software on any company property
without the written permission of the assigned administrator. (This would include
operating program updates.)
35. Register
the serial number, the configuration details and the date of assignment of all equipment
on an employee-equipment voucher. The voucher should indicate that the equipment and
software are the property of the company and that the employee understands and agrees to
return all equipment, software and information upon termination, resignation, sick leave
or death.
36. The
loss of any equipment must be reported immediately so the extent and importance of the
loss can be determined and any remedial action taken, such as calling clients,
suppliers, police or company lawyers.
37. Employees
should always carry sensitive data on their person whether they travel by plane, train or
bus. Never entrust it to cargo.
38. When
transported in public, equipment must never be left unguarded. Laptops might be stolen;
sensitive data may be downloaded to flash memory without the employee's knowledge.
39. All
data gathered while out of the office should be backed up at the end of a session.
Whenever possible, the day's session should be transmitted to the head-office server. The
backup medium must be carried separately from the laptop.
40. All
company personnel should be provided with locking cabinets and instructed to store all
files at the end of a work day.
Management Concerns
41. Management should learn the principles of
records management to understand how to track files from the date of inception to the
scheduled date of destruction. These procedures reduce the risk of improperly storing and
destroying files and the cost of storage. Regulatory and taxation record requirements
especially should be reviewed and documented.
42. Employees
entrusted with sensitive data should be subjected to background checks.
43. All
clients of a former key employee, sales person or advisor should immediately be informed
that a new account representative has been assigned.
44. Confidentiality
agreements must be signed by employees annually.
45. Legal
advice should be obtained to determine whether employment contracts should include
"breach of confidentiality" as grounds for dismissal.
46. Management
must maintain ultimate control and security of all passwords. All changes made by the
information coordinator must be reviewed, approved and maintained by management.
47. Employees,
regardless of position, should not be allowed access to any office equipment if they have
been dismissed, quit, transferred or are on extended medical leave.
48. Procedures
for recovering equipment, changing passwords, and escorting disgruntled or dismissed
employees from the premises must be written out and followed to the letter to avoid loss,
theft or corruption of data and hardware.
49. Provide
adequate budget to maintain the most up-to-date operating and security systems and train
staff to implement and monitor data security.
50. Audit
the mandated security measures regularly. Document any issues discovered, and discuss
proposed changes with the appropriate personnel.
Data security is everyone's business. Owner-managers
who are also directors of their companies may be held accountable if it can be
demonstrated that appropriate procedures were not in place to reduce the possibility of
privacy breaches. Now is the time to review your privacy policy and procedures to be
assured your business could not be found negligent through failure to live up to a
commitment of confidentiality.