Before we can talk about protecting personal information, the first question you must ask is “What personal information do we process throughout the organisation?”
Do you understand:
a) How you collect personal information, and when?
b) Why you collect personal information?
c) What sort of information you collect?
d) Who handles it?
e) Where it goes?
Once you have an understanding of the basics you can begin to define how to control and manage it securely.
The ‘WHAT’ question is an important one: from it you can determine whether your existing security practices are appropriate. E.g. an application processing simply names and addresses would need far less security than an application that records credit card data or medical data.
Steps to securing personal data:
1 – Identify the information processed.
2 – Classify the information (e.g. is it public, confidential or medical?).
3 – Value the information in terms of the impact of its loss. What impact would it have on an individual or on the organisation if:
a) it was subject to unauthorised access?
b) you could not rely on the information processed?
c) the information was no longer available?
4 – Conduct a risk assessment considering:
a) How you collect the information;
b) How it is processed;
c) The involvement of third party entities;
d) How the information is shared.
5 – Determine the security controls required to help protect personal information. These will include controls such as:
a) Training and awareness of staff – so they understand what is expected when handling personal information;
b) Documented policies and procedures;
c) Access controls – ensure that technical controls are applied so that only authorised personnel can access the information;
d) Data sharing agreements and contracts with third parties;
e) Data backup arrangements and recovery plans;
f) Incident management – how will you respond to a breach of personal information?
6 – Conduct a gap analysis. Identify what security controls you already have in place.
a) Do they help manage the identified risks?
b) What are the gaps?
c) What can be improved?
Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Act
Privacy Awareness Week Day 2: Protect your privacy online
Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones
Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com