Features | September 30, 2021
Data Security and Compliance: What You Need to Know
How Much Is Your Reputation Worth?
The news today is full of stories about data being lost, stolen or held for ransom. Big and small businesses alike are experiencing breaches of ever-increasing magnitude, many containing Personally Identifiable Information (PII). Operational security starts with a detailed risk analysis combined with a rich control set that reduces the risks to an acceptable level. Having a Service Organization Control Two (SOCII)-certified reporting process can help mitigate those risks and is recognized across industries.
What is a SOCII?
The American Institute of CPAs (AICPA) created the SOCII report. It provides a respected and effective security foundation, with controls that cover most compliance requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), Health Information Trust Alliance (HITRUST), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry (PCI) and more.
The SOCII reporting process is typically performed on an annual basis by a reputable third-party AICPA firm, which attests to the operational effectiveness of the “audited” organization’s controls over the previous one-year period by issuing a SOCII Type II report. This assessment can contain hundreds of questions with requests for supporting documents and evidence. The SOCII report helps organize all of this information and reduces the time needed both to provide and to evaluate the responses.
Reducing the Risk of Data Loss
The SOCII control set includes hundreds of common criteria. Each criterion will have corresponding controls designed to protect data from being lost or misused. The controls also help reduce the risk of business loss due to missed deadlines and service interruptions. Ultimately, a SOCII certification and program helps to build up a good business reputation.
Increasing Sales and Reducing the Sales Cycle Timeline
Choosing a service provider with an existing SOCII compliance program saves time and money while reducing the need for dedicated IT, security and legal staff. It also helps shorten the sales cycle, because the engagement starts from a solid, well-established baseline. Being able to say, “Yes, we have a security program,” opens doors that may otherwise be closed due to laws and regulations.
Many organizations have a requirement that their service partners must have a SOCII or formal security program in place. During the sales Request for Proposal (RFP) process, a bid may simply be thrown out as soon as the reviewer looks at the box for a SOCII and finds a “No.”
Data Security: The Basics
Even without a SOCII certification, there are technical controls that you can use to protect against data loss. Consider the ones listed below:
- Automation and Data Access: Automation is a key component to an effective, secure workflow. Machine access to data is repeatable, controllable, fast and predictable, and it can be easily audited.
- Data Destruction Program: Data should only be kept as long as necessary and should follow a secure destruction program. A good practice is to have locked shred bins for paper files and an accredited vendor onsite to destroy items in a secure and camera-monitored room. At the end of the process, the vendor should provide a receipt for the activity and serial numbers for any hard drives or physical media destroyed.
- Data Encryption in Motion and at Rest: Data needs to be sent and received securely. Secure File Transfer Protocol (SFTP) uses strong encryption algorithms and authentication protocols. The file is encrypted before being sent across the internet and decrypted at the managed file server upon receipt. But what happens to it once it is decrypted? An option is to use a technology like Pretty Good Privacy (PGP) to encrypt the file itself before transfer. Then, when the SFTP transport encryption is removed on receipt, the file remains encrypted on the hard disk until it is needed for processing. Disk-level encryption can also satisfy an “at rest” requirement.
- Employee Screening: Criminal background checks for all employees within a secure facility are a must and should be refreshed periodically.
- End Point Protection/Next Generation Antivirus/Intrusion Detection System/Data Loss Prevention: Electronic protection should be in place at both the firewall and the endpoint level (servers, workstations, laptops, mobile devices). Firewalls can monitor behavior on the network and stop it in its tracks if an intrusion or malicious behavior is detected. Endpoints should have active anti-malware, anti-ransomware and virus protection that is updated multiple times per day with the latest definitions.
- IP Fencing: An Access Control List (ACL) limits which networks and IP addresses are allowed to connect to externally exposed services. Wide-open ports are an invitation to attackers.
- Ongoing Employee Training: A well-educated and trained staff can help keep an organization safe and avoid data loss.
- Penetration Testing and Vulnerability Scanning: Regular, even daily, vulnerability scans can examine open ports and services and report back any known vulnerabilities; periodic penetration tests confirm whether those findings can actually be exploited.
- Pseudo-Anonymization of Data: Data can be kept confidential by obscuring identities. For example, using a ‘ContactID’ in data helps keep the actual contact details, such as name and address, in a separate location until needed.
- System Patching and Maintenance: All systems need to be updated as threats are discovered and should be on a regular cycle of patching and updating. Critical security patches should be addressed immediately to reduce the risk of data loss.
- Vendor Assessment Program: Not only should vendors be part of the ongoing risk assessment program, but all of their physical and electronic access to the facilities must be controlled, monitored and audited to ensure that they only access the areas of the operation their work requires.
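As an added illustration of the ContactID approach from the pseudo-anonymization item above (example code written for this article, not something from Ennis or Wright Business Graphics), the working record keeps only a random ContactID while the real name and address live in a separate vault; the field names, the in-memory vault and the sample record are assumptions.

```python
import secrets

# Fields treated as direct identifiers; everything else stays in the working record.
PII_FIELDS = ("name", "address")

class ContactVault:
    """Separate store of real contact details, keyed by ContactID.

    In practice this would be a locked-down database; an in-memory dict is used
    here so the example runs stand-alone (assumption, not a product design).
    """

    def __init__(self):
        self._contacts = {}

    def register(self, details):
        # Random token: the ContactID reveals nothing about the person it stands for.
        cid = "C-" + secrets.token_hex(8)
        self._contacts[cid] = dict(details)
        return cid

    def resolve(self, cid):
        # Only the vault can turn a ContactID back into a name and address.
        return dict(self._contacts[cid])

def pseudonymize(record, vault):
    """Return a copy of `record` with PII moved into `vault` and replaced by a ContactID."""
    details = {f: record[f] for f in PII_FIELDS if f in record}
    working = {k: v for k, v in record.items() if k not in PII_FIELDS}
    working["ContactID"] = vault.register(details)
    return working

def reidentify(working, vault):
    """Rebuild the full record only when the contact details are actually needed."""
    full = {k: v for k, v in working.items() if k != "ContactID"}
    full.update(vault.resolve(working["ContactID"]))
    return full

def has_pii(record):
    """Guardrail: True if any direct identifier is still present in a working record."""
    return any(f in record for f in PII_FIELDS)

# Constructed sample record (not real data).
SAMPLE = {"name": "Jane Doe", "address": "1 Main St", "order": 4711, "amount": 19.99}

if __name__ == "__main__":
    vault = ContactVault()
    working = pseudonymize(SAMPLE, vault)
    print(working)                              # no name/address, only a ContactID
    print(reidentify(working, vault) == SAMPLE)  # True
```

The working dataset can now be shared with processing jobs and audited freely, while access to the vault is what actually needs to be restricted and logged.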
Data Security in the Future
The need to keep confidential data safe and secure will never disappear. Some states, such as California, are tightening their privacy laws and including more types of data in the category of Personally Identifiable Information (PII). Rules and regulations for compliance are ever-expanding, and companies partnering with service providers should choose their vendors wisely.
Many organizations require that all service providers have a formal security program in place and be open to onsite audits and inspections. Reputation is critical, and any workflow that includes PII and sensitive information should be treated with extra care. Simply increasing the amount of cybersecurity insurance coverage is not a viable or sustainable option. Your best bet for maintaining a stellar reputation is to work with companies that have well-established security programs and understand the importance of keeping data secure from loss or theft.
Anna Frosch is a marketing and social media specialist for Ennis, Inc.
For information on securing your data and optimizing your workflow with automation, please reach out to the Critical Communications Division (CCD) at Wright Business Graphics. Our friendly and knowledgeable staff will help you with anything from consulting to implementing a complete secure solution that includes any of our other 50 plus Ennis Network plants and facilities.