In the past few years, theft of personal information has become more common, prompting regulators to crack down on the security required for businesses in the United States. The Federal Trade Commission developed a list of best practices for businesses to become federally compliant. These practices help protect consumer information, known as Personally Identifiable Information (PII), as well as provide guidelines to becoming compliant with federal regulations.
1. Strengthen your password requirements for all employees. It’s easier than you think to hack passwords. Creating a set of guidelines will make it harder for passwords to be hacked. Consider the following as part of your password requirements:
- Maximum Age – Passwords should expire every 60-90 days
- Complexity – Require a combination of letters, numbers, and symbols
- Length – Passwords should be a minimum of 8 characters. Encourage the use of password lengths between 12 and 15 characters.
- History – Use password history settings to ensure a new password must be created at least 24 times before an old one can be reused
- Minimum Age – The minimum age of a password should be set for at least 1 day to limit the potential of users cycling through their history in order to reuse a password
Utilizing such guidelines will make it more difficult for anyone to hack into your network or information.
2. Restrict access to specific folders or files. Not everyone in your organization needs access to everything. Restrict access to specific folders or files to only users who truly need them. This minimizes the potential for sensitive or confidential information to be released.
3. Encrypt your email. There are many secure email solutions available to companies. Consider using password-protected message add-ons to ensure only the intended recipient accesses your confidential or very sensitive emails.
4. Create a Disaster Recovery Plan. A Disaster Recovery (DR) Plan is essential for every organization. Developed by key leaders of an organization, a DR plan provides specific direction for protection and recovery of your data. The Disaster Recovery Plan should be reviewed frequently and made available to every employee.
5. Review your security policies and discuss them in training sessions with all employees. All employees should receive a copy of the company Security Policies document as well as all subsequent updates. Educating employees on the importance of security and the legal and financial implications that may occur will mitigate the risk of data breaches.
A Security Risk Assessment (SRA) is performed to determine how secure a network truly is. The SRA helps organizations assess, identify and modify their existing security structure. Once an SRA is completed, the organization has a clear understanding of their risk and likelihood of PII breaches. Regulators have recognized the value of an SRA, and see it as a requirement for any business that has access to personal information.
Although regulations do not instruct organizations on how to control or secure their systems, they do require that those systems and that information be secure in some way. Each organization must be able to prove to independent auditors that a secure and controlled infrastructure is in place. With over 20 years of experience, we can help you become compliant by performing an SRA for your business. Contact us today for more information on Security Risk Assessments.