Four Solid Steps to Complying with Privacy Regulations

Step 1. Have a Security Policy.

Establish information security policies and practices to ensure the uninterrupted security of information systems. For example, ask:
DO WE?

  • Have a written security plan that addresses all areas of our operations?

  • Have policies appropriate to our size and complexity, our activities, and the sensitivity of the customer information we handle?

  • Understand our security policy, and the reasons for it, at all levels of our operation?

  • Have signed confidentiality agreements with all employees?

  • Continually review our policies and practices?

  • Spend enough money on security tools and staff to do the job right?

  • Use outside specialists to review our security system, perform risk assessments and audits, and help with compliance?

  • Have liability insurance to cover possible security breaches?

  • Have a data recovery plan in case of a natural disaster? Do we test it periodically?

  • Have a plan that outlines how to deal with security incidents or information compromises?

  • Have a resolution system for disputes arising from security breaches or alleged misuse of personally identifiable information?

  • Report cyber attacks to law enforcement agencies?

Step 2. Train and Supervise for Security.

Institute vigorous training and oversight of your designated security team. But don’t stop there. Any other employee or contract worker with even occasional access to personally identifiable information must be trained and supervised. For example, ask:
DO WE?

  • Have a full-time, designated team to develop and implement information security throughout our organization?

  • Give that team the resources and support it needs to do the job right?

  • Have effective and up-to-date training tools?

  • Conduct regular security audits and response exercises?

  • Rank data by level of sensitivity and assign access rights accordingly?

  • Conduct background checks on new hires who have access to medical, financial and other forms of sensitive data?

  • Review security policies and responsibilities with new hires and periodically thereafter?

  • Keep records of information accessed and regularly monitor those records for unusual activity?

  • Adjust security passwords and other protocols promptly when employees leave?

  • Make all employees aware of the penalties for security breaches?

Step 3. Use Available Technology to Guard Personal Data.

Written policies and training go far, but not far enough. Construct structural and technological walls to contain personal information and run tests to ensure that the system works. Make contingency plans. For example, ask:
DO WE?

  • Define our security needs and use technology that meets those needs, point by point, specification by specification?

  • Include layers of complementary solutions to prevent and detect unauthorized use of information systems?

  • Use the latest, updated virus protection?

  • Respond quickly to security “alerts” from software vendors?

  • Erect firewalls to safeguard personally identifiable information?

  • Combine numbers and symbols in passwords and change them regularly?

  • Use authentication or biometric measures, if appropriate, to verify user identity?

  • Grant access to personal data only after the user’s identity has been positively authenticated?

  • Test security for data in transit or in storage against pre-set specifications?

  • Require software providers to pre-test software before release?

  • Review audit logs for evidence of intrusions?

  • Test for and correct known network and application vulnerabilities?

  • Have a backup system in place to recover lost data and ensure uninterrupted continuity of information security?

  • Have a system for “shredding” both paper and electronic data before disposal?

Step 4. Inform Data Suppliers and Business Partners of their Responsibilities to Meet Your Security Specifications.

The information chain is only as strong as its weakest link. Make sure that personal data in your care are “tagged” and “fenced” when they enter your database, while they’re in storage and once they leave. Permit no information transfers without first requiring business partners to meet your security standards. For example, ask:
DO WE?

  • Inform business partners of their responsibilities to meet specific security standards?

  • Ask potential business partners about their security practices before we share any information?

  • Enforce contracts by planting data “decoys” and monitoring information practices of business partners?

  • Consider security ramifications before sharing data with business partners?

  • Ensure that intended data use is clearly understood by all parties and fully meets ethical as well as technical guidelines?

  • Avoid unusual or suspicious list requests?

(310) 930-0066

Robert McKim, CIPP, CISA

rmckim@mre-ent.com

(310) 261-5298

Evelyn Schlaphoff

eschlaphoff@mre-ent.com

(310) 466-9118

Richard Krelstein

rkrelstein@mre-ent.com

Copyright 2004, MRE-ENT.com