
February 12, 2013

Beginner's Guide to Data Security and Information Security Compliance & Audits

By TMCnet Special Guest
Flavio Villanustre and Belinda Hickling, VP of Information Security, LexisNexis Risk Solutions and Information Security Officer and Director of Hosted Services, Latitude Software

This article originally appeared in the Jan./Feb. 2013 issue of CUSTOMER magazine.

In virtually any regulated industry, compliance is at once a legal requirement, a risk management strategy, and an ethical imperative. In healthcare, insurance, finance, and especially accounts receivable management, compliance is a full-time concern. Or at least it should be. If you are a third-party collector for a creditor, for example, chances are good that, at some point, you'll be audited for recovery performance as well as compliance practices. Moreover, in this era of consumer lawsuits, no company that deals with consumers on a regular basis can be effective if it isn't fully cognizant of compliance issues.

Here are some critical steps that can help reduce risk both for compliance and security.

Goals for a comprehensive data security program

The primary objective in designing a data security program is to mitigate risks. To that end, first identify the different data types and classify them based on company needs and legal and regulatory frameworks. This approach allows for a straightforward determination of data value, and helps determine protective measures to be implemented, along with associated retention requirements. Thereafter, implementation must be part of a coordinated comprehensive information security program, with adoption and support from the top of the organization.

10 steps to data security

1. Inventory: Know what data you have and where it resides. Label data repositories and data records, and use these labels (maintained in electronic logs) to track individual records along their lifetimes.

2. Research: Understand the laws and regulations that could apply to data, as well as the controls that various regulations require.

- Is encryption of data at rest required?

- How long should this data be retained?

- Is there ongoing litigation that would require retaining this data for a longer period of time?

- What is the value to the business?

- What is the risk level associated with the loss/exposure?

- Is any of this data subject to credit card industry PCI compliance?

- Is off-site backup of this data needed?

3. Access controls: Identify groups that should have access to data, compare them with people who should have access based on data sensitivity or regulatory requirements, and then correct the gap. To prevent unauthorized access, implement an authorization process during access provisioning, and ensure an expedited access revocation process upon job role changes or terminations. Additional measures should include periodically reviewing the access process, and ensuring that data is made available only on a need-to-know basis.

4. Application security: Review the security of all applications that have access to your data. If applications are built in house, implement a Secure Development Lifecycle process to provide defensive coding practices training, foster code reviews, and perform regular application security assessments. If applications are commercial apps, ensure that vendor notifications on security issues are promptly handled, and that updates and patches are swiftly deployed.

5. Infrastructure security:

- Verify that any external access to data repositories is properly vetted, and that adequate isolation is in place across the network architecture.

- Implement physical access controls where applicable.

- Implement a data disposal program to ensure that magnetic and non-magnetic media are securely wiped before their removal from secure environments.

- Deploy data encryption at rest and/or full disk encryption if any data repositories leave the secure perimeter (laptops, mobile devices, off-site backups).

- Ensure that transmission channels are encrypted for sensitive data.

- Implement two-factor authentication if external access to sensitive data is required.

6. Data retention policies: Define a consistent policy and communicate it across the organization. Avoid complex classifications and keep the number of categories to the minimum required by law, regulations or company needs.

7. Data loss prevention: Implement a system to detect and block accidental and/or intentional data leaks.

8. The human factor: Conduct background screening as part of your hiring and contracting practices, and provide regular awareness campaigns and training for data security and cyber threats.

9. Audit: Regularly assess the effectiveness of all security measures and apply corrective actions to improve controls over time.

10. Transfer residual risk: If, after applying the previous nine security steps, the residual risk still exceeds the organization's risk tolerance, transfer part of that risk by contracting an insurance policy to cover it.
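As an added illustration of steps 1 and 3 (this code is not from the article or the whitepaper it summarizes), a small access review that compares each repository's ACL against the groups its classification label entitles, flagging entries with no active identity (missed revocation) and access not justified by role. The labels, group names, roster format and sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Output of the inventory/classification steps: label -> groups entitled to it
# (assumed policy for this example, not the article's)
ENTITLED_GROUPS = {
    "internal": {"all-staff"},
    "confidential": {"finance", "collections"},
    "pci": {"payments"},  # cardholder data: payments team only
}

@dataclass(frozen=True)
class Finding:
    repo: str
    user: str
    reason: str

def review_access(repos, roster):
    """Compare each repository's ACL against the groups its label entitles.

    repos:  list of (repo_name, label, set_of_users_on_acl)
    roster: user -> {"status": "active"|"terminated", "groups": set(...)} from HR/IdP
    Returns the gaps an access review should correct."""
    findings = []
    for name, label, acl in repos:
        entitled = ENTITLED_GROUPS[label]
        for user in sorted(acl):
            person = roster.get(user)
            if person is None or person["status"] != "active":
                # revocation missed on termination, or an orphaned/unknown account
                findings.append(Finding(name, user, "no active identity for ACL entry"))
            elif not (person["groups"] & entitled):
                # access not justified by current role (need-to-know / job change)
                findings.append(Finding(name, user, f"no group entitled to '{label}' data"))
    return findings

# Constructed sample data: two repositories and an HR/IdP roster
REPOS = [
    ("debtor-accounts", "confidential", {"alice", "bob", "carol"}),
    ("card-payments", "pci", {"alice", "dave", "erin"}),
]
ROSTER = {
    "alice": {"status": "active", "groups": {"all-staff", "collections"}},
    "bob": {"status": "terminated", "groups": {"all-staff", "finance"}},
    "carol": {"status": "active", "groups": {"all-staff", "marketing"}},
    "dave": {"status": "active", "groups": {"all-staff", "payments"}},
}

if __name__ == "__main__":
    for f in review_access(REPOS, ROSTER):
        print(f"{f.repo}: {f.user}: {f.reason}")
```

Run against the sample data it reports four gaps: a terminated user and an out-of-role user on the confidential repository, and a collections user plus an unknown account on the PCI repository.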

Information security compliance audits

The best approach here is to answer three high-level questions with regard to information security compliance:

1. What are you trying to accomplish? Begin by clearly defining your requirements.

2. Which compliance framework are you trying to achieve? Determine the guidelines that most cleanly align with your requirements: PCI-DSS 2.0, SSAE-16 (replaces SAS 70), ISO 27001 (compliance), ISO 17799 (certification), COBIT, and COSO.

3. Who or what is driving compliance efforts? Include all stakeholders and influencers. Many times compliance efforts are driven by clients. When that's the case, take the time to ensure that client requirements are legitimate and appropriate for your organization.

Download the complete whitepaper to learn more:

Beginner's Guides to Data Security and Information Security Compliance & Audits

Visit www.inin.com/whitepapers
Edited by Brooke Neuman
