AP Fundamentals: The Need for an Effective Data Security Policy

Essential tips for establishing strong data security protocols.

While technology has helped revolutionize the retail industry, with it has come new risks. There are many internal and external security threats that put a company’s data and data systems at risk on a daily basis. As a result, the need to develop internal information security programs and an effective data security policy as part of general operations has become paramount to implement protections against these threats.

“Information security” can carry different meanings for different people, and depending on your position in the company and your specific area of responsibility, definitions and objectives can vary substantially. However, a common thread exists: the ultimate goal is to protect the confidentiality, integrity, quality, and availability of a company’s information assets. A data security policy is the foundation of any information security program. It is comprised of a set of rules which govern the acceptable use of technical resources, security practices, and operational procedures within the company and the supporting technological environment.

There are many components which make up a strong data security policy, but the most critical are that:

1) Corporate management supports the policy; and
2) The policy aligns information security with the core objectives of the business.

There must be unwavering support by the leaders at the highest level of the organization for a data security policy to weave itself into the day-to-day operations of the business, and this will only happen if the policy reflects our core business objectives. That policy must be drafted with the primary motive to support the business, while providing adequate standards and controls that safeguard the business and our customers at the same time. Some common subject areas typically found in a data security policy could include, but are not limited to:

  • Employee/Management Roles and Responsibilities
  • Guidelines for Acceptable and Unacceptable Use of Company Resources (e.g. Internet and email)
  • Acceptable Use of Company Software and Hardware
  • Non-Compliance Issues
  • Incident Management
  • Remote Access and Mobile Computing
  • Information Classification Guidelines
  • User ID and Password Standards and Management
  • Physical Security
  • Data Archiving (how often each user should copy information to an archive file) and Backup Requirements
  • A framework and foundation for governance

Each subject will highlight employee expectations and will typically include the “do’s” and “don’ts” of information security. Such policies also set a minimum standard for what controls are to be in place and what practices are required to maintain computing systems (for example, an endpoint protection policy might state “Anti-virus software must be installed on all company workstations and servers used for revenue-generating purposes.”). Policy statements can also be used to define acceptable and unacceptable behaviors (for example, “Employees are not permitted to use company systems to download or email objectionable content, such as jokes, chain letters, pornographic materials or other specific file types that are more susceptible to viruses and malicious programs.”). A data security policy helps a company limit its risk and promotes positive behaviors which contribute to a safer, more secure computing environment for employees to work and conduct their daily business.

It is important to set some time aside and familiarize yourself with your company’s data security policy. While these policies are becoming more commonplace, practices and policies as well as the method of delivery may vary from company to company. You may believe that you are following data security best practices in your daily activities. However, you may also be surprised to learn that there are some important data security policy responsibilities that you may not have been familiar with.

Good Practices in Daily Activities

Protecting the data that we work with every day requires persistent awareness. As loss prevention professionals, we are exposed to a vast array of sensitive information every single day. In addition to investigative data and other case-sensitive information, we often have access to financial data, confidential records, personnel files, sensitive statistical data, contracts, research information and a host of other vital company assets. Every piece of data that we access must be perceived as important and considered a valuable asset, and we must always remain concerned about the safety and integrity of that data.

The corporate world has been hit by a wave of security issues in recent years, exposing severe weaknesses in how the business community protects its information assets. Organizations of all sizes can fall victim to what amounts to poor security planning, handling data improperly and exposing company assets to potential breaches. Each of us ultimately represents a link in the security chain, carrying a critical responsibility to maintain the safety and integrity of this information. Safeguarding sensitive data is more than good business; it is a professional responsibility.

A sound data security plan is built on several key principles. First of all, take stock of what you have: know what information you have access to in your files and on your computer. Second, maintain access only to the information that you need. Limit exposure by managing accessibility (for example, store sensitive information on a company server or other secure location and not on your laptop), and properly secure or dispose of what you no longer need. Next, keep information in your care locked down and protected by controlling access to the “front door,” monitoring and restricting access to your equipment. Finally, plan ahead. Have a plan to respond to security incidents in the event that they do occur. Knowing how to react and respond will help to limit our exposure and minimize potential risks and damage.

Other security tips that we should follow on a daily basis might include but are not limited to:

  • Keep operating systems updated. A supported, fully patched operating system is generally the safest; versions that have reached end of support no longer receive security fixes. Protect systems by installing the latest security updates promptly to close known vulnerabilities.
  • Back up your important data on a regular basis, and store the copy in a separate location so that a single event (theft, fire, ransomware) cannot destroy both the original and the backup. Any data that has not been backed up is at risk. Test backups by conducting trial restores from time to time to confirm that the data is actually being captured and can be recovered.
  • Install firewalls on computer systems. A firewall is a combination of software and/or hardware that provides a protective barrier between a computer or computer network and the public Internet. It essentially protects your online gateway and blocks unauthorized access to your computer or computer network.
  • Use anti-virus software on computers. A computer virus is a program designed to copy itself into other programs stored on a computer, infecting and potentially damaging the files that receive it. Some viruses are mild, while others are very destructive and can erase data or render a system unusable. Anti-virus software continuously scans your computer for malicious code, and also checks incoming email and websites for potential threats. Its signatures and scanning engine must be updated regularly to stay current and effective.
  • Use spyware protection on computers. Spyware is computer software that is covertly used to gather personal information as well as monitor user activity and surfing habits; but can also have other potentially harmful consequences such as installing additional software, redirecting Web browser activity, accessing websites blindly, changing computer settings, slowing connection speeds and otherwise damaging or interfering with user control. Spyware protection must also be updated regularly to remain effective.
  • Protect passwords! Weak password practices are a common security flaw that increases risk. Use a “strong” password that is difficult to guess or crack: long, built from a combination of letters, numbers and other characters, not based on personal details or dictionary words, and unique to each system so that one compromised account does not unlock others. Change a password promptly whenever you suspect it has been exposed. Do not share it with others, and do not let shared or public computers save it when prompted to.
  • Do not open attachments in emails from people or sources that you do not know. Filter out unwanted spam email using spam filter programs when possible. Don’t click on anything in a spam email, even to unsubscribe. If possible don’t even open it.
  • Take precautions when sending sensitive or proprietary information via email. Password-protect documents when necessary.
  • Only allow staff access to the information that they need to do their job. For example, as employees move within an organization, access privileges tend to follow them and accumulate. Periodically reviewing accounts so that employees hold only the access appropriate for their current position, and revoking the rest, is an essential step in avoiding manipulation and/or loss of data.
  • Do not use shared devices (For example, hotel computers) for information that should be protected.
  • When possible, encrypt any personal information held electronically if its loss or theft could cause damage. Encryption transforms data into a form that is unreadable to anyone who does not hold the key, so a lost laptop or drive does not automatically become a data breach.
  • Audit data storage for security policy enforcement, access control, and proper destruction of appropriate content on a regular basis. Delete information that is no longer necessary, and disable functionality that you don’t need. Do not dispose of old computers until all pertinent information has been securely removed (using an approved wiping tool, or by physically destroying the hard disk). Ensure that computers and other equipment are appropriately cleansed (of information, software, etc.) before they are reassigned to another employee.
  • Always lock your computer when you are away from it. Log off and shut down your computer prior to leaving for the day.
  • Develop and implement appropriate security protocols regarding the use of removable storage devices (such as external hard drives, flash drives, etc.). Such devices can hold significant amounts of information and should be carefully monitored and tightly controlled.
  • Know how to notify appropriate parties immediately in the event that something (phones, laptops, confidential documents, etc.) is lost or stolen. Understand the appropriate policies and practices and maintain access to an emergency contact number.
  • Recognize that information security is not just about protecting the technology—it’s also about protecting physical assets, communications, access controls and every aspect of our information networks. This would include the physical security of company premises, proper disposal of confidential paper waste, etc. It is also about ensuring that your staff is adequately trained so that they know what is expected of them as well.
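The least-privilege tips above (“maintain access only to the information that you need” and reviewing access as employees move roles) are usually enforced by a periodic access review. The script below is an added illustrative example and is not code from the article or from any particular product. The role baselines, the 90-day dormancy threshold and the sample accounts are all constructed; in a real review the roles and last-login dates would come from the HR system and identity provider, and the entitlements from each application’s access lists.

```python
"""Periodic access review: flag access creep and dormant accounts.

Added illustrative example; not code from the article. ROLE_BASELINE,
SAMPLE_USERS and DORMANT_AFTER_DAYS are constructed sample data and
assumptions, not real company data.
"""
from dataclasses import dataclass

DORMANT_AFTER_DAYS = 90  # assumed threshold; tune to company policy

# Assumed role-to-entitlement baseline: the access each role legitimately needs.
ROLE_BASELINE = {
    "lp_investigator": frozenset({"case_mgmt:read", "case_mgmt:write", "cctv:view"}),
    "lp_analyst": frozenset({"case_mgmt:read", "reports:read", "exception_data:read"}),
    "store_manager": frozenset({"pos:read", "schedule:write"}),
}


@dataclass(frozen=True)
class User:
    username: str
    role: str                  # current job role from HR
    entitlements: frozenset    # access the account actually holds today
    last_login_days: int       # days since the account was last used


def review_user(user: User) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for one account; an empty list means clean."""
    findings: list[tuple[str, str]] = []
    baseline = ROLE_BASELINE.get(user.role)
    if baseline is None:
        # No approved baseline for this role: nothing the account holds is justified.
        findings.append(("unknown_role", user.role))
        baseline = frozenset()
    # Access creep: anything held beyond what the current role needs.
    for ent in sorted(user.entitlements - baseline):
        findings.append(("excess_entitlement", ent))
    # Dormant accounts keep their access while nobody is watching them.
    if user.last_login_days > DORMANT_AFTER_DAYS:
        findings.append(("dormant_account", f"{user.last_login_days} days since login"))
    return findings


def review_all(users: list[User]) -> dict[str, list[tuple[str, str]]]:
    """Run the review across every account, keyed by username."""
    return {u.username: review_user(u) for u in users}


def revocation_list(users: list[User]) -> list[tuple[str, str]]:
    """(username, entitlement) pairs to remove in order to restore least privilege."""
    return [
        (u.username, detail)
        for u in users
        for kind, detail in review_user(u)
        if kind == "excess_entitlement"
    ]


# Constructed sample accounts. j.smith moved from investigator to analyst and
# kept the old investigator rights; a.jones has not logged in for months.
SAMPLE_USERS = [
    User("j.smith", "lp_analyst",
         frozenset({"case_mgmt:read", "case_mgmt:write", "cctv:view",
                    "reports:read", "exception_data:read"}), 3),
    User("a.jones", "lp_investigator",
         frozenset({"case_mgmt:read", "case_mgmt:write", "cctv:view"}), 120),
    User("m.lee", "store_manager", frozenset({"pos:read"}), 5),
    User("t.nguyen", "contractor", frozenset({"pos:read"}), 10),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_USERS).items():
        status = "OK" if not findings else "; ".join(f"{k}={d}" for k, d in findings)
        print(f"{name:10} {status}")
    print("revoke:", revocation_list(SAMPLE_USERS))
```

The review treats a role with no approved baseline the same way as a role with no access at all, so an account that cannot be tied to a documented job function surfaces every entitlement it holds for a manager to justify or revoke. Holding fewer rights than the baseline is deliberately not flagged; least privilege is about removing excess, not topping accounts up.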

It is important to remember that good security practices do not stop when you leave the office every day; you also take them with you when you travel or work remotely. In loss prevention you have exposure to personnel at varying levels in the organization. Being an advocate for strong security practices and cascading best practices to those around you helps increase awareness and protect information. Individuals need to realize that companies cannot rely on technology alone to keep them secure. Information security is really everyone’s responsibility.
