Your data and your customers' data must be protected in such a manner that even a breach in one area does not make it easy for a criminal to get the last link and thus the whole database. Losing a portion of customer data is bad, but losing all of it is much worse.
So, just as we have a layered defense in our network, a layered defense of the database is essential.
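As an added illustration of that segmentation idea (example code, not from the original post), here is a small Python sketch: each data segment is sealed under its own independently generated key, so a leaked key exposes only the records of its segment. The cipher construction, segment names and customer records are constructed for the demonstration and stand in for a real AEAD and a real key vault.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Demonstration construct (stdlib only): HMAC-SHA256 counter keystream plus an HMAC
# tag, standing in for a real AEAD such as AES-GCM. All sample data is constructed.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a record: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample: customer records partitioned by region segment.
RECORDS: List[Tuple[str, bytes]] = [
    ("eu", b"alice@example.com"),
    ("eu", b"bob@example.com"),
    ("us", b"carol@example.com"),
]

def build_segment_keys(segments) -> Dict[str, bytes]:
    """One independent random key per segment (in practice, held in separate vaults)."""
    return {seg: os.urandom(32) for seg in segments}

def store_records(keys: Dict[str, bytes], records) -> List[Tuple[str, bytes]]:
    """Seal every record under the key of the segment it belongs to."""
    return [(seg, seal(keys[seg], data)) for seg, data in records]

def exposure_after_key_leak(stored, leaked_key: bytes) -> Tuple[int, int]:
    """Count how many stored records a single leaked segment key can decrypt."""
    readable = sum(1 for _, blob in stored if open_sealed(leaked_key, blob) is not None)
    return readable, len(stored)
```

Leaking the "eu" key reads two of three records; the "us" segment stays sealed because its key is held separately.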
Before we discuss technical details, it is good to lay out how we intend to use customer and employee data.
The technical people should work from a document that states how the data will be used, so that customers, vendors, and employees know what is happening (or what is supposed to happen).
Knowing what to do when there is a failure is also important.
So we need to answer the following:
- Where is the data?
- Who has data?
- Why is data kept?
- What data is kept?
- How is data kept? This is a technical issue, and should be answered together with whether the data is encrypted.
- Until when will data be kept? Forever, or is there a time limit?
- How much data will be kept? (Similar to "what?", but this clarifies the amount and size.)
The new data privacy compliance law in the EU is GDPR (General Data Protection Regulation), which we discussed before in “Can European Regulation Help You Design Data Privacy”.
In the US there are NIST (National Institute of Standards & Technology) standards, specifically 800-171. This company (Imprimis) has a video that discusses the complete process to go through to get yourself compliant for government oversight and contracts.
The interesting slide is the next one, which discusses the continuous compliance state one must build into any program:
continuous monitoring, training, and improvements must be carried out while performing quarterly periodic scans and annual assessments.
We have discussed periodic scans before: our recon scan and vulnerability assessments.
NIST 800-171 is the de facto standard of the US government and all of its contractors, sub-contractors, and anyone who is handling classified or CUI (Controlled Unclassified Information) data. There are 110 items that one has to write an assessment on. So whether your data is classified or unclassified, one has a framework to work in.
PCI (Payment Card Industry) has a new version out (as of May 2018); see the Summary of Changes link.
Basically, this latest compliance update is just a confirmation of TLS v1.1 or higher and some errata fixes. Our post: Internet insecure without TLS.
So although everyone has different data to place under Who, What, When, Why, Where, and How/How much, we need to review and constantly improve our data storage and retention practices.
Contact Us to review this.