July 2018, Posted by: V
Data Security - Who, Education & Training
This is the second of a series of articles on data security.
Very carefully and strategically list who should have direct access to the systems and the data.
Access to sensitive data should be granted strictly on a need-to-know basis. This list should be vetted carefully and recorded in the policies mentioned above.
Like anything else, the list needs to be reviewed and maintained on a regular basis and pruned as often as is practical. Most importantly, any personnel leaving or being let go from the organization should be removed from the white list, and all of their electronic and physical access blocked immediately.
It is very important, and not meant to bruise any egos, that two ranks in any organization should never have direct access to sensitive data: the highest commanding ranks such as the CEO, COO, CFO etc., as well as the working entities such as clerical staff, secretaries, office administration etc. No CEO, COO or even CIO actually directly accesses or needs to access this data. In almost all cases, the brass get analytical and statistical reports and charts which, though mostly company confidential, do not contain any other sensitive, confidential or personal data.
There should be segregated and clearly identified groups of users who may have access to any location on the network where sensitive data is stored, with no exceptions.
Depending on the type of data itself, different users may have access to different data sets.
The sensitivity of the data sets should be classified into at least four levels: top secret, the most damaging if compromised; classified, which can still cause substantial damage if stolen or leaked; confidential, which can cause reversible harm; and finally publicly accessible.
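As an added illustration that is not part of the original article, the following Python models the access-list rules above: per-data-set need-to-know grants, the four sensitivity levels, one-step revocation when a person leaves, and a periodic review check. The review intervals, data set names and users are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Sensitivity(IntEnum):
    """The four levels the article names, least damaging first."""
    PUBLIC = 0
    CONFIDENTIAL = 1   # reversible harm if leaked
    CLASSIFIED = 2     # substantial damage if stolen or leaked
    TOP_SECRET = 3     # most damaging if compromised


# Assumed review intervals (days): the more sensitive the data set,
# the more often its grants must be re-vetted.
REVIEW_DAYS = {Sensitivity.CONFIDENTIAL: 180,
               Sensitivity.CLASSIFIED: 90,
               Sensitivity.TOP_SECRET: 30}


@dataclass
class Grant:
    user: str
    data_set: str
    justification: str   # the recorded need-to-know reason
    last_reviewed: date


class AccessList:
    def __init__(self, classification):
        self.classification = classification   # data set -> Sensitivity
        self.grants = []

    def grant(self, user, data_set, justification, on):
        # A grant is only recorded together with its need-to-know reason.
        if not justification.strip():
            raise ValueError("need-to-know justification required")
        self.grants.append(Grant(user, data_set, justification, on))

    def revoke_all(self, user):
        """Offboarding: every grant held by the person goes at once."""
        self.grants = [g for g in self.grants if g.user != user]

    def can_access(self, user, data_set):
        if self.classification[data_set] == Sensitivity.PUBLIC:
            return True   # public data needs no grant
        return any(g.user == user and g.data_set == data_set
                   for g in self.grants)

    def overdue_reviews(self, today):
        """Grants whose last review is older than their level allows."""
        return [g for g in self.grants
                if today - g.last_reviewed
                > timedelta(days=REVIEW_DAYS[self.classification[g.data_set]])]
```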
EDUCATION & TRAINING
The very first step in implementing the policies is to educate and train the personnel on the subject matter of data security. It is very important to educate and train all personnel, whether they access the sensitive data or not. It is crucial for all involved, including any external entities such as vendors, consultants etc., to be educated on the policies, the sensitivity of the data, and the cause and effect if this information is compromised.
Extensive, separate professional training should be provided to those user groups who have access to the identified sensitive data. Showing some videos or asking personnel to read some text is okay but is neither sufficient nor the right way to train. In-person training by professional services or experts is required. It is preferable to contract with external services, or at the least an independent internal security department, for these education classes and trainings. Record attendance, obtain signatures and confirmation, and provide certifications to those who successfully complete the training sessions.
It helps to use specialized secure software such as “Internal Compliance Management” with a “Personnel & Training” module to document these types of education classes and trainings. Such software helps generate automatic alerts based on previously decided rules and produces valuable statistical reports.
A personal certificate for every individual who participates establishes a sense of achievement, creating an elevated mindset that makes the person more responsible towards their duties. Some businesses opt to convey threats, warnings or scare tactics, which actually generate resistance and the potential loss of good workers, or at least reduce their dedication to work.
A transparent explanation that if the sensitive data is compromised it will cause grave harm to the company, affecting everybody's future, is the strongest message that can be conveyed. All personnel, from the top to the bottom, should consider themselves part of the same team.