Security: Implement Security Guidelines to Protect Sensitive Personal Data
The security of your customers’ and employees’ personal data isn’t something to take lightly these days, so take the time to re-evaluate your security measures in the new year. Consider the following security guidelines for controlling access to information residing on data storage devices, offered by online nonprofit privacy organization TRUSTe in its recently revised white paper “TRUSTe Security Guidelines 2.0.”
1. Use a unique identification or user name for all system users. Ensure that Social Security or account numbers aren’t used as identification or user names.
2. Establish a password usage policy. This policy should require employees to create passwords using a minimum of six alpha-numeric characters. Prohibit passwords based on account numbers, user names, Social Security numbers or publicly available personal details, such as birthdays, or names of children or pets, TRUSTe writes.
3. Assign access to customer or employee information on a need-to-know basis. The level of access should relate to job function and should not be based on organizational position or rank.
4. Implement an authentication process to access customer data. When feasible, require employees to go through a two-factor authentication procedure before allowing access to sensitive customer information. The authentication process could include, for example, passwords and biometric identifiers, which can be implemented on computers.
5. Force appropriate session timeouts. A system or storage device should be idle for no more than 15 minutes before the user automatically is logged off the system.
6. Identify and eliminate inactive accounts. “Accounts of terminated employees and contractors should be shut down within 24 hours,” write the white paper’s authors. Additionally, be sure to regularly cross-check user accounts against human resources’ records to ensure that former employees’ access has been terminated.
For more security guidelines, visit http://www.truste.org/about/securityguidelines.php.