The Federal Trade Commission (FTC) published a new guide: Start with Security: A Guide for Business. The FTC derived these ten lessons from the 50+ data security settlements reached with companies in recent years. Given how the Wydham case confirmed that the FTC has enforcement authority in this area, companies should assess, and document, their data security practices with reference to these ten practical guidelines.
1. Start with security. Businesses should start with security, and incorporate it into the decision-making in every department. By not collecting personal information they don’t need, using it only when necessary, and holding on to information only as long as they have a legitimate business need, business can reduce their risk of compromise.
2. Control access to data sensibly. Businesses should implement controls for personal information, restricting access on a "need to know" basis and limiting the administrative access to only users authorized to make system-wide changes to the system. That is, they should tailor employees' access to those employees' job needs.
3. Require secure passwords and authentication. Strong authentication procedures can prevent access by unauthorized individuals. Businesses should insist on complex and unique passwords, store passwords securely, guard against brute force attacks, and protect against authentication bypass.
4. Store sensitive personal information securely and protect it during transmission. Both at-rest and in-transit personal information should be stored securely. Businesses should keep sensitive personal information secure throughout its lifecycle, use industry-tested and -accepted methods and standards, and ensure proper configuration to make sure that encryption and other methods take their desired effect.
5. Segment your network and monitor who’s trying to get in and out. Segmenting a network to limit access between computers is another useful safeguard. Businesses should segment their network and monitor activity on the network with tools like system logs or intrusion detection systems.
6. Secure remote access to your network. With an increasing number of employees, clients, and service providers accessing businesses via their mobile network, businesses need to make sure those access points are secure. This involves ensuring endpoint security and putting sensible access limits in place (for example, restricting third-party access).
7. Apply sound security practices when developing new products. Sound security practices also apply during the product development, design, testing, and roll-out phases. Businesses should train their engineers in secure coding, follow platform guidelines for security, verify that privacy and security features work, and test for common vulnerabilities.
8. Make sure your service providers implement reasonable security measures. Service providers should also be made aware of and held to businesses' security expectations. Businesses should put their expectations in writing, ensuring that appropriate security standards are part of their contracts. They should also verify compliance with those terms by asking questions and following up.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise. Because data security is an ongoing process, businesses should continually revisit their practices to make sure that they're managing their vulnerabilities. Businesses should update and patch third-party software and heed credible security warnings and move quickly to fix them.
10. Secure paper, physical media, and devices. While network security is important, many of the same lessons apply to paperwork and physical media. Businesses should securely store sensitive files, protect devices that process personal information, keep safety standards in place when data is in transit, and dispose of sensitive personal information securely.