How concerned are companies about data breaches? In a recent survey, executives said they worried more about leaks of customer or employee data than natural disasters or investigations by the Securities and Exchange Commission.

The survey, conducted last year by Chubb, found that corporate executives rank “an electronic security breach of customer or employee data” as generating the greatest level of fear of potential lawsuits or financial losses. More than three-fifths of respondents said they were somewhat or very concerned about a data breach.

The concern is understandable. In 2011, the number of records compromised through data breaches hit 174 million, according to the Verizon 2012 Data Breach Investigations Report. It's a trend that shows no sign of slowing. During the past few months, bookseller Barnes & Noble, the South Carolina Department of Revenue, and Nationwide Insurance, to name just a few, all experienced significant data breaches.

Moreover, the average annualized cost of a cybercrime in 2012 was $8.9 million, up about 38 percent from the preceding two years, Ponemon Institute reports. The price tag includes the cost of lost information, business disruption, and detecting and investigating the incident.

While no organization can completely insulate itself from a data breach, a relevant and effective data security policy is a solid starting point. Even if a company has an existing data security policy that hasn't been reviewed in the last year or so, the rapid pace of technology has likely rendered it obsolete.

As more employees access the corporate network from their own devices, for example, companies have to decide whether the current password policies should still apply. Failing to consider these and other developments may mean that companies are inadvertently “granting exceptions to policies without doing full risk assessments,” says Joe Kurlanski, vice president at Sage Data Security. 

New legislation also can necessitate modifications to organizations' data security policies. For example, earlier this year the U.S. Department of Health and Human Services announced new rules to protect patient privacy, including extending privacy requirements to health care organizations' business partners, such as contractors. Millions of entities need to update their policies based on the new regulations, says Rebecca Herold, an information security consultant. 

Data security policies may require more frequent reviews than any other company policy, due to the rapidly changing technology environment and the requirements that govern it. That's not to suggest that developing an effective global data security policy is easy. For starters, organizations that operate internationally are subject to multiple, and at times competing, regulatory requirements. Similarly, companies with product or service lines that cross industry sectors may be governed by varying sets of regulations, says Fred Cate, a professor at Indiana University School of Law and director of the University's Center for Applied Cybersecurity Research. “It's not at all unusual for companies to have multiple data compliance requirements,” he says.

In light of these challenges, a few principles generally apply when organizations are crafting data security policies. To start, a simple, broadly applicable and easily understood policy typically is more effective than one that attempts to detail all possible scenarios and responses. Overly detailed policies quickly become hard to follow. “The moment people say, ‘I have to look it up,’ it makes it harder to comply,” Cate says.

Instead, the goal should be a global policy that outlines the organization's security objectives. For instance, a policy might state that the organization will ensure that access to critical systems can be restored within two hours of an outage, and with no more than ten minutes of lost data, Kurlanski says. This type of policy likely will be relevant in all the countries or industries in which the company is operating, he explains. Trying to draft separate policies for each region or market quickly can get unwieldy, since all the documents will need to be regularly reviewed and updated. 


If some regulations apply only to a specific unit of an organization, they usually can be addressed in the procedures developed to implement the policy, Herold notes, rather than in the policy itself. For example, if one government body requires local businesses to retain documents for a certain period of time, supporting procedures can address the affected business unit's need to securely comply with this mandate.

The supporting procedures also can cover technical processes in more depth. They might outline, for instance, the steps needed to securely operate a company's POS systems in all its stores, Cate says.

Buy-in at All Levels

Essential to an effective security policy is support among both executives and employees. “You can't create a corporate policy without high-level buy-in,” Kurlanski says. But if employees resist the policies, they won't work either. Most security policies impact employees' day-to-day jobs in ways that aren't always convenient—say, by limiting their ability to use their own devices when accessing the corporate network. Although not a panacea, broad support for the policies reduces the likelihood that employees will try to circumvent them. This is the thinking that led many companies to abandon efforts to keep employee-owned devices out of the workplace, for example.

At the same time, employees need to understand and support the policies. Adopting an air-tight security policy does nothing if employees aren't trained on what it entails. “Good security awareness is based on changing behavior,” says Ira Winkler, president of the international board of directors at the Information Systems Security Association and president of Internet Security Advisors Group. Winkler points out that many breaches occur as a result of employees' actions, such as unknowingly opening an email that introduces malware into the system. The goal is to foster a culture in which employees understand data security and the role they can play in enhancing it.

ABOUT THIS SERIES

Compliance Week's six-part series, “The Lifecycle of Information Governance,” sponsored by HP Autonomy, will examine all the elements of handling information properly—from creation to storage to destruction—and how compliance departments should address each element.

Part 1: Crafting an Effective Data Security Policy, Feb. 12

Part 2: Catching and Managing New Data, Feb. 20

Part 3: Get Data Classification Right First

Part 4: Protecting Data From Inside & Outside Threats, March 12

Parts 5 and 6: To Be Announced

A solid security policy will require input from a range of departments. Depending on the company, this may include security, information systems, legal, compliance, human resources, and business unit representatives. Information security typically takes the lead, Kurlanski says.

Bringing together representatives from multiple departments not only tends to lead to better policies, but it also “helps re-forge relationships between departments,” Kurlanski says. Too often, it becomes easy for the operating units to view security as a hurdle to overcome. Working as a team to draft a policy can mitigate this tendency.

Increasingly, effective security policies also need to account for an organization's outside business partners, such as IT service providers. For example, outsourcing the storage of electronic data doesn't relieve an organization from the obligation to make sure it's secure. “You want to make sure [your data] isn't sitting in Earl's garage around the corner,” Kurlanski says.

Where Policies Fall Short

Experts also point to several mistakes that are easy to make when developing a data security policy. One is simply not knowing which information should come under the policy, says Herold. “What information do you need to protect?”

Similarly, some organizations have a difficult time determining just where the information resides, Herold adds. “How can you protect the information if you don't know where it is?” Resolving this often requires documenting the lifecycle of the data, she says. “Where is it created? Where does it go? Who has access? Finally, what's being done with it?”

Another potential trouble spot is developing a policy without having the resources to actually implement it, Kurlanski notes. Say an organization's policy states that it will regularly scan for rogue access points, but the organization lacks any practical way of doing this. Ignoring this provision can lead to legal troubles; if a breach occurs, regulators will want to know why the organization didn't do what it had stated it would to protect the data.

Finally, it's not unusual for organizations to focus on securing their data collection and storage processes, but then to overlook data disposal, Herold says. “A large percentage of data breaches come from poor or lacking disposal practices.”

Avoiding these mistakes and putting in place solid policies can form a foundation for an effective data security program, reducing the risk that an organization falls victim to a breach. The Verizon report found that 96 percent of attacks were not highly difficult, and that 79 percent of victims were targets of opportunity. As the report states, “Most victims fell prey because they were found to possess an identifiable weakness rather than because they were pre-identified for attack.”