Implementing Data Privacy Policies: Key Steps and Procedures

Through my experience with security assessments, it was most often policies that prevented the controls from being fully implemented. Documentation such as policies that focus on protecting personal information from unauthorized access, use, or disclosure can help address gaps in security plans.

Policy sets expectations clearly.

Policy addresses how data is collected, used, and protected. Stakeholders, users, and employees can be made aware of the security risks through review and acknowledgement of these policies.

What should be the first policies?

Organizations need to begin with general policies that address privacy, data retention, and access control. Guidelines that state how data is to be collected, used, and protected, as well as how long the data should be kept, provide a basis on which to build other policies.

Topics include:

  • Encryption to protect data in transit and at rest
  • Limiting access to authorized personnel
  • Using role-based access controls
  • Implementing multi-factor authentication (MFA)
  • Setting standards for user passwords
  • Removing or obscuring personally identifiable information (PII) to reduce the risk of exposure
  • Data minimization: collecting only the information necessary for a specific purpose
  • Data retention: how long data is kept

Training and Awareness

By documenting policies, organizations can further define and create a training and awareness program that educates employees on data privacy policies, security best practices, and the importance of protecting personal information. These policies, along with the training, regularly remind employees of their responsibilities regarding data privacy and security.

Response Procedures

A breach notification policy is needed to ensure that affected individuals and regulatory authorities are notified in the event of a data breach. Procedures need to be developed alongside the policies; among these is an incident response plan for responding to data breaches and other security incidents.