As we continue to talk about creating a cyber security plan, we have to touch on infrastructure and systems management.The potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification and management of the following:
- Infrastructure
- Systems
- Applications
- Websites
- Procedures
- Product and services
- Databases and information repositories
- Mobile computing and other similar electronic devices
Minimum Third Party Audits
Whether you outsource or insource, a minimum third party audit you should conduct is a Penetration Test conducted by a reputable group. These Penetration Test (Pen Test) attempt to break through your security and provide feedback on areas you should correct. If your information is accessible via the Internet, it is highly recommended that you conduct Pen Testing annually.
Public Privacy Statement
Companies that maintain NPI must publish to the public your commitment to secure the same. If any information is used outside of the processing you are providing (e.g., selling mailing list names collected) you must disclose that practice in your public notice.
Clean Desk Policy
Clean Desk and Clear Screen (CDCS) Policy ISO 27001/17799 are simple steps intended to protect NPI when you are not present in the office. Clear desk and clear screen policy are used to reduce the risks of unauthorized access to, or loss of, or damage to, information. This requirement should be contained in the user access authorization document.
- Ensure that appropriate facilities are available in the office in which, depending on their security classification, computer media (disks, tapes, CDs) and paper files can be stored and locked away, including lockable pedestals, filing cabinets and cupboards.
- Sensitive information should be locked away in a fireproof safe (and the security adviser will have to access the fire resistance of the safe in terms of the sensitivity of the information inside it and its location in order to ensure its survival for long enough to be rescued).
- Personal computers, computer terminals and printers should be switched off when not in use and should be protected by locks, passwords and the like.
- Everyone should be required to use password protected screen saver that automatically fires up after only a few minutes (between three to five is reasonable) of inactivity.
- Incoming and outgoing mail collection points should be protected or supervised so that letters cannot be stolen or lost, and faxes and telexes should be protected when not in use.
- Photocopiers should be switched off and locked outside working hours; this makes it difficult for unauthorized copying of sensitive information to occur.
- All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
We’ll talk more about this next week. Stay tuned.