These 10 critical yet practical data security controls can help your small or mid-sized business safeguard sensitive data and be better prepared for the General Data Protection Regulation (GDPR), soon to become effective May 25th, 2018.
As we highlighted in our last article, GDPR: 10 Key Highlights From The New EU Regulations, we included some important takeaways from GDPR in case you would like to catch up on the latest on the new regulation.
Regulations aside, we though it would be important to include some solid technical security guidance that your small or mid-sized business can use to better prepare for GDPR compliance and in the end improve data privacy for your customers.
As GDPR Article 32 Security of Processing states, organizations that control or process personal data “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Such measures include, but not limited to: 1) encryption of personal data; 2) confidentiality, integrity, availability and resilience of processing systems and services; 3) timely availability and access to personal data; and 4) regular testing, assessing and evaluating of the effectiveness of technical security measures.
We expand on these core Security of Processing principles into 10 key relevant security controls that your business can easily implement, even without a Privacy legal expert on staff. We also include guidance from UK’s “10 Steps to Cybersecurity”.
Control 1: Encryption of personal data
Do you store customer or employee data such as names, e-mails, addresses, payment card numbers, or social security numbers on company systems or those hosted in the cloud (e.g., via a database or file system)? If so, you must ensure your data is encrypted via strong cryptographic algorithms such as AES256. Ensure passwords are also encrypted or hashed (e.g., SHA2, SHA3 or stronger) and laptops also use whole disk encryption to protect data if lost or stolen. The primary goal here is to ensure confidentiality and integrity of your customer data and passwords.
Even in the event of a systems breach, the likelihood of a data breach would be minimized with strong encryption. This is also often required to meet regulatory requirements and can help avoid costly fines or lawsuits.
Control 2: Collect and store only what you need
Don’t collect or store what’s not critical to run your business. For example, you should never store credit card numbers if you can use a reputable payment provider to process payments for your website. Don’t collect every single piece of personal information as a “nice to have”, if you only need a few personal data elements to meet your business requirements.
This goes hand-in-hand with the first control, such that you only need to encrypt what you’re storing, which reduces cost and complexity.
Control 3: Build in good resiliency to prepare for a Cybersecurity event
In the event of a cybersecurity event that could disrupt your business operations, organizations must rapidly recover from security incidents and minimize the impact from data breaches. Good recovery planning also includes learning from past mistakes as well.
For example, your company should identify key critical assets and systems that are central to your organization’s mission. Those systems should be continuously assessed to understand weaknesses and dependencies are well understood or addressed. Ensure you have a recovery plan that includes recovery team member contacts, recovery plans and procedures, “out of band” communications, recovery time objectives and offsite storage, just to name a few. See our previous article, Planning for ‘Cyber Event Recovery’ is Critical to Business Resiliency, that includes more details on how to include cyber event recovery into your security program.
Control 4: Secure configuration
Secure configuration includes managing the system software and hardware to a secure set of standards, such as:
- Only use vendor-supported operating systems, web browsers and software.
- Develop policies and procedures for timely patching of systems (such as 14-day SLA for critical patches).
- Create and manage inventory for approved software.
- Conduct regular vulnerability scans.
- Implement good configuration and change control procedures.
- Implement whitelisting (to block unauthorized software from running).
- Implement a hardening baseline for OS.
- Limit users ability to make changes to system configuration.
- Limit user’s privileges on systems.
These secure configuration controls are critical to meet data and system integrity, confidentiality and availability requirements. Also see UK’s “10 Steps: Secure Configuration” for additional guidance.
Control 5: Manage user access and privileges
Managing user access and privileges are one of the most important controls your organization should implement to reduce the chance of unauthorized access to critical data.
Privileged Access is the process of granting administrator or elevated privileges to information resources. Examples of administrator privileges can include access to systems to perform maintenance functions or to provide access to sensitive data or applications. Privileged Access to information resources should be limited using the “least privilege” concept: granting access to only minimum privileges required by the role to meet business and security requirements and no more.
Some safeguards to implement include, but not limited to:
- Establish account management process (e.g., ensure approval/authorization of new accounts, disable accounts then employees leave).
- Establish access control and strong password policies (e.g., complex passwords, no re-use or share of passwords).
- Limit user privileges on systems (e.g., have users login with business account used for business activities that is separate from system administrator accounts used for installing software or making changes).
- Monitor for user access activities to include those with privileges.
- Send security and audit logs to central system (to ensure users can’t change logs).
Also, see UK’s “10 Steps: Managing User Privileges” for additional guidance.
Control 6: Malicious software controls
Malicious software controls are critical to prevent malicious software (or malware) from being installed on systems and to protect sensitive data. The most common control, Antivirus (AV) software, is a common standard that should be installed on servers and workstations and is used to scan and remove malware from systems and removable media.
Additional malicious software controls include network proxy or gateway (anti-malware) devices that can scan incoming e-mail for malware or internet traffic. Internet proxies are also essential to filter, block and log internet user access to websites. Many proxy vendors provide the capabilities to ensure certain websites are restricted via blacklist or by category that may not be commensurate with company policies or may have a higher likelihood of downloading malicious content to company systems. Also, many proxies have filtering capabilities to protect internet download of malicious software.
Systems and networks should be configured to ensure all internet traffic routes through proxies to prevent the capability to access internet via other means, further protecting systems from malicious software and unauthorized disclosure of sensitive information.
Finally, install firewalls on your network perimeter or where appropriate and deny traffic by default.
Control 7: User security awareness and training
User information security awareness is the process of training or making individuals aware of and understand security best practices as well as the organization’s policies and procedures. The main objective is to increase security awareness in order protect the organization’s information from unauthorized disclosure.
Security Awareness program should start with published policies that your employees, contractors and third parties must follow to meet the organization’s business objectives and information protection. Awareness training should then be made available to personnel, performed annually and recorded for historical audit trail and for accountability.
Control 8: Risk assessments and security testing
A Risk Assessment is generally the process of periodically reviewing sensitive systems, business services, and applications to ensure security protections meet the organization’s policies and standards. Risk or security assessments should be performed periodically on assets, services and processes to ensure confidentiality, integrity and availability of information using a defined framework or methodology (e.g. ISO 27001 or NIST 800-53). A framework can help ensure security controls are broad and effective to meet security best practices, organizational policies and regulatory requirements. Higher risk business services should require more frequent assessments than lower risk services to ensure vulnerabilities and risks are mitigated in a more timely manner.
Also, don’t forget about third parties. Third parties that process, store or access sensitive information (e.g., such as your customer data) should be reviewed periodically to ensure third party controls are appropriate for data protection. Examples of third parties could include business process outsourcing, application development outsourcing, consulting, call centers, and data centers to name a few.
Control 9: Network security and monitoring
Network security ensures that the network and connections between systems and network devices are used to support business purposes. Network security consists of network access control, monitoring, segregation, vulnerability management, wireless security and secure device configuration/connectivity, to name a few.
Critical networks should be segregated and controlled based on data classification or critical business services. Segregation can be achieved by separating systems, applications, and networks into groups of services or “domains” (e.g., Development, Internal/Production, Customer/Internet-facing, Perimeter/DMZ or User zones). Small businesses that work in the retail industry, can review our “9 Simple Steps to Lock Down Those Retail PoS Systems,” for good advice on how to also separate networks used for general business activities from critical POS or payment activities.
Wireless access points should also be secured and only allow known devices to connect to corporate Wi-Fi services. Scan for unauthorized “rogue” access points and remove when detected.
Companies should continuously monitor systems for the effectiveness of security controls and the security posture of the organization. Monitoring includes automated or manual monitoring of unusual activity or audit logging of technical controls as well as manual reviews of management or operational controls.
Control 10: Remote access and teleworking security
Remote Access is the process of accessing an organization’s network from a home office or while traveling in order to perform company business. Many organizations allow users to remotely access their networks from a home or remote office to improve their support coverage and to reduce facility or real estate costs (e.g., lower number of desks, phones, building space). The added flexibility and reduced overhead costs increase the need to secure remote access connectivity and home offices and establish Telecommuting policies for rules employees and contractors must follow to protect the organization’s data.
Remote Access (or Teleworking) Policy should include requirements to ensure that teleworking devices on wired or wireless networks, as well as the home office, are properly secured. Examples of controls recommended for teleworking devices include: updated anti-virus software, updated software security patches, login password protection, two-factor authentication, paper shredders and secure wireless networking.
Multi-factor authentication (MFA) should also be implemented for remote users in order to connect to the company internal network or to sensitive networks (such as payment cardholder data networks/systems).
In conclusion, these 10 security controls or safeguards can help improve your organization’s risk posture and be better prepared for GDPR.