Data security refers to the controls a company implements to protect its data from unauthorized access and corruption. A good control environment around data security is not built on trust; it is built on controls that operate effectively, allow verification, and provide adequate oversight.
How a mature data security program is implemented, whether by an individual or by a small or large company, varies widely: the measures are broad, complex, and dependent on the sensitivity of the data and the industry. No single control can adequately protect sensitive data on its own; rather, a combination of controls operating together protects sensitive data through multiple layers.
The data security measures outlined below can help small to large companies protect their data throughout its lifecycle, and many of them can also be adopted by individuals. These controls offer a starting point for a data security audit checklist and are considered during a system and organization controls (SOC) audit to ensure a strong foundation exists at the service organization.
Information Security Awareness Training
People can be one of your strongest links if they are adequately trained, kept up to date on the latest social engineering and phishing schemes, and taught to be skeptical of suspicious emails, links, and attachments. Information security awareness training should be provided to newly hired employees and contractors as part of their onboarding, and to all employees and contractors annually. The training content should be updated annually to include the latest social engineering and phishing schemes used by hackers.
For more information, read our article, Security Awareness Training: Information (IT) & Cyber Security.
Third-Party Vendor Management
Third-party vendors should be thoroughly vetted through the Request for Information (RFI) process to ensure they have strong security practices in place that meet or exceed your own. Keep in mind that if your data is breached on the vendor's watch, you may still be held liable and your reputation tarnished. Include a service level agreement (SLA) within your master services agreement (MSA) and incorporate confidentiality language or a non-disclosure agreement (NDA). If the third-party vendor has a SOC report, obtain the report and review it annually to ensure controls continue to operate effectively. Ensure that a right-to-audit clause is included within your agreement, particularly if you cannot rely upon a SOC report.
For more tips on third-party vendors, read our article, What is a Third Party Administrator (TPA) Audit?.
Policy and Procedures
Information Security Policy and Procedures, as well as an Incident Response Plan (IRP), should be documented, communicated, and available to all employees across the company. The policy and procedures should set out management's expectations for data security, including roles and responsibilities, and should be reviewed and updated annually. The IRP should include procedures for each phase of incident response (preparation, identification, containment, eradication, recovery, and lessons learned). The IRP should be exercised at least once a year, either by responding to an actual security incident or by responding to a simulated one, and lessons learned should be incorporated into the IRP during its annual review and update.
For more information, read our article, Information Security Policies: Why They Are Important To Your Organization.
Data Encryption
Data encryption offers strong data security protection by scrambling data so that it is unreadable without the key to unscramble it. Encryption should be implemented for sensitive data at rest and in transit, and on all devices that hold sensitive data, including laptops, mobile devices, USB drives, and backup drives. Full disk encryption encrypts all data on a disk or hard disk drive. Windows PCs have BitLocker and Macs have FileVault, built-in encryption options that simply need to be activated.
For more information, read our article, Encryption – Keeping Your Data Safe.
Access Control
Access to sensitive data should be granted based on the principle of least privilege: users should have access only to the information and resources they need to perform their jobs. Information includes electronic as well as hardcopy data, and resources include laptops, servers, mobile devices, etc. The owner of the information or resource should approve access before it is granted to the user. Periodic access reviews and IT asset inventory reconciliations should be performed (e.g., quarterly or annually) to ensure that access remains appropriate and that IT assets are adequately tracked throughout their lifecycle. Additionally, data masking may be implemented to restrict access to data to only those who need it.
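The periodic access review described above can be reduced to a reconciliation: compare what systems actually grant today against the entitlements the information owner approved for each role, and flag anything that does not match. The following script is an added example, not code from the article or from Linford & Co.; the roster, role matrix, entitlement names and account names are all constructed for the demo.

```python
from typing import Dict, List, Set

# Constructed sample data (assumptions for this example, not from the article).
# Approved entitlements: what the information owner signed off for each role.
APPROVED_BY_ROLE: Dict[str, Set[str]] = {
    "analyst": {"reports-read", "vpn"},
    "dba": {"reports-read", "db-admin", "vpn"},
    "hr": {"hr-records", "vpn"},
}
# HR roster: active employees/contractors and their current role.
HR_ROSTER: Dict[str, str] = {"alice": "analyst", "bob": "dba", "carol": "hr"}
# What the systems actually grant today (e.g. exported from IAM or directory groups).
CURRENT_GRANTS: Dict[str, Set[str]] = {
    "alice": {"reports-read", "vpn", "db-admin"},   # db-admin was never approved
    "bob": {"reports-read", "db-admin", "vpn"},
    "carol": {"hr-records", "vpn"},
    "dave": {"vpn", "reports-read"},                 # not on the roster: orphaned account
}


def review_access(roster: Dict[str, str],
                  approved_by_role: Dict[str, Set[str]],
                  grants: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Reconcile granted access against owner-approved role entitlements.

    Returns findings grouped by category so the reviewer can sign off on each item:
    orphaned accounts (no roster entry), excess access (granted but not approved),
    and missing access (approved but not granted, useful for completeness).
    """
    findings: Dict[str, List[str]] = {
        "orphaned_accounts": [], "excess_access": [], "missing_access": []}
    for user, entitlements in sorted(grants.items()):
        if user not in roster:
            findings["orphaned_accounts"].append(user)
            continue  # no role to compare against; the account itself is the finding
        approved = approved_by_role.get(roster[user], set())
        for extra in sorted(entitlements - approved):
            findings["excess_access"].append(f"{user}:{extra}")
        for missing in sorted(approved - entitlements):
            findings["missing_access"].append(f"{user}:{missing}")
    return findings


if __name__ == "__main__":
    for category, items in review_access(HR_ROSTER, APPROVED_BY_ROLE, CURRENT_GRANTS).items():
        print(f"{category}: {items or 'none'}")
```

Each finding line is the evidence an auditor will ask for: who reviewed it, when, and whether the excess access was revoked or formally approved.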
Require Strong Passwords
The goal is to prevent hackers from cracking your password. Complex passwords should be required: at least 10 characters containing symbols, upper and lowercase letters, and numbers. Default passwords should be changed immediately and, as a best practice, passwords should be changed quarterly. Session time-outs should be set after a period of inactivity (e.g., 15 minutes), requiring the user to log back in. Multi-factor authentication (MFA) should be considered for access to sensitive data as an extra layer of security that, for example, requires a retinal scan or a time-sensitive code entered by the user.
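The password rules above (10+ characters, symbols, mixed case, digits, no defaults, quarterly rotation) can be enforced in code rather than left to the user. The validator below is an added example, not code from the article; the list of known default passwords and the 90-day rotation window are assumptions chosen for the demo.

```python
import string
from datetime import date, timedelta
from typing import List

# Policy values taken from the text; the constant names are assumptions for this example.
MIN_LENGTH = 10
MAX_PASSWORD_AGE_DAYS = 90   # "changed quarterly"
# Constructed sample of vendor/default passwords that must never remain in use.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "Welcome1!"}


def password_policy_failures(password: str) -> List[str]:
    """Return every policy rule the candidate password violates (empty list = compliant).

    Reporting all failures at once, rather than the first one, gives the user or the
    auditor a complete picture in a single check.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    if password in KNOWN_DEFAULTS:
        failures.append("is a known default password")
    return failures


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the quarterly rotation window."""
    return today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3x", "Abcdefghij1", "admin"):
        print(candidate, "->", password_policy_failures(candidate) or "compliant")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 15)))
```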
Install Antivirus/Anti-malware Software
Antivirus and anti-malware software protect systems from viruses and other malware that may access your systems with the intent to cause damage or gather sensitive data. Install antivirus/anti-malware software on your workstations and externally facing servers, and keep it up to date so that it can optimally protect your systems from new viruses and malware.
Patch Management
Keep software and operating system patching up to date on your workstations and servers. Software vendors release updates to address security vulnerabilities as they become known. One of your best lines of defense is to keep patching current to minimize the ability of hackers to exploit these known vulnerabilities.
Virtual Private Networks
Refrain from using public Wi-Fi networks while working remotely. Hackers sharing the public Wi-Fi you are using may intercept and monitor the data you transfer over the internet or upload malicious software to your computer. A Virtual Private Network (VPN) adds a layer of security by routing all your activity through a private network even though you are using a public one.
Back-ups
Back-ups of your data should be performed routinely. In the event that your production data becomes corrupted or is held for ransom, you will be able to resume operations from your back-up. Back-ups should be stored separately from production data, and restore tests should be performed periodically to ensure that you can reliably restore your data from the back-up.
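A restore test is only meaningful if it checks that what comes back is what went in. The script below is an added example, not code from the article: it backs up a constructed "production" tree into a separate store with a SHA-256 manifest, simulates production being corrupted afterwards, and then restores into a scratch directory and verifies every file hash against the manifest. File names, contents and directory names are all made up for the demo.

```python
import hashlib, json, tarfile, tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> Path:
    """Archive `source` into `backup_dir` (kept separate from production) plus a hash manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                tar.add(p, arcname=rel)
                manifest[rel] = sha256_of(p)
    (backup_dir / "backup.manifest.json").write_text(json.dumps(manifest))
    return archive


def restore_test(archive: Path) -> bool:
    """Restore into a scratch directory and verify every file hash against the manifest."""
    manifest = json.loads((archive.parent / "backup.manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" filter (Python 3.12+ and backports) rejects absolute or ".." member paths.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(target, **kwargs)
        restored = {p.relative_to(target).as_posix(): sha256_of(p)
                    for p in target.rglob("*") if p.is_file()}
    return bool(manifest) and restored == manifest


def demo() -> bool:
    """Constructed scenario: back up, then corrupt production, then prove the restore works."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "production"
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "customers.csv").write_text("id,name\n1,Acme\n")
        (prod / "config.ini").write_text("[app]\nmode=prod\n")
        archive = create_backup(prod, Path(tmp) / "backup_store")
        (prod / "db" / "customers.csv").write_text("ENCRYPTED")  # simulated ransomware
        return restore_test(archive)
```

In production the archive and manifest would live on separate media or an offline/immutable store, and the result of each periodic restore test would be logged as audit evidence.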
Physical Security
Physical security comprises the measures taken to secure physical access to your data and systems, such as keycard or brass key access, biometric access, video cameras, and locking filing cabinets. Facilities should be secured at all times, with visitors required to sign in and be escorted while onsite. Doors that provide access to areas within the facility where data is stored or transmitted should be locked to prevent unauthorized access. If a mobile device is lost or stolen, it is important to be able to remotely wipe the device or transfer information off it to prevent unauthorized access to sensitive data.
Disposition of Assets
When it is time to dispose of sensitive data and IT assets, doing so properly safeguards sensitive data. Shred paper documents with a crosscut shredder prior to recycling. For laptops and servers being decommissioned, ensure that all data is removed and cannot be recovered. If a third party disposes of assets, inventory each IT asset being disposed of and require certification from a reputable recycler that the asset has been wiped and is properly accounted for throughout the disposal process.
Data Security Summary
The primary objective of data security controls is to protect data from unauthorized access and corruption. Failure to adequately maintain data security may result in damage to your company’s reputation, substantial fines for noncompliance with laws and regulations, as well as potential financial loss should customers churn.
Data security is broad and complex in nature; however, creating a combination of controls targeted at protecting your data is paramount to your company and your customers. Considering the implementation of the controls noted above will help you on your way to obtaining data security SOC compliance.
If you would like to learn more about how Linford and Company can assist your organization in implementing data security best practices or other services such as FedRAMP, HITRUST, SOC 1 or SOC 2 audits, please contact us.
Becky McCarty (CPA, CISA, CRISC, CIA, CFE) specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. She completed her Master’s degree in Information Systems in 1996, started working with KPMG in 1999, and joined Linford & Co., LLP in 2018. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC audit reports based on their applicable trust services criteria.