A Guide for Guarding Personal Information in the Workplace

Check all computers, storage disks and other file storage devices to determine where your company keeps sensitive information. Preferably, you should have all information organized according to type and location. Remember to thoroughly search all areas where personal information could possibly be stored: file cabinets, desktops, laptops, portable hard drives, mobile phones and other related devices. Also, take note of information received through websites, business associates and other sources.

Determine what personal data reaches your business by speaking with different department representatives in your company as well as reaching out to external service providers. Make sure you have a concrete idea of the following:

• The source of personal information transmitted to your business. Where does your business get information? Is it from credit card companies, customers, contractors or other businesses?
• Process of receiving personal information. How do you receive information? Is it through email, post or fax? Do you receive it through websites?
• Type of information collected. What kind of personal information does your business receive or require from customers?
• Ways of storing the personal information your company receives. How is information stored? Where is it stored? Is it stored in employees’ laptops or home computers? Is it kept in filing cabinets? Is it transmitted to satellite offices?
• Individuals who have (or potentially have) access to the information. Which individuals in your company are authorized to access the information? Who else outside your company has access to it? Are contractors, suppliers or IT personnel able to get hold of that information?

There are unique risks associated with different kinds of information. You should always maintain awareness of the methods by which personal information is being stored. Sensitive information such as credit card details and social security numbers is most prone to abuse and violation by fraudulent individuals.

• Information should only be used for legal purposes. An example of this is using one's social security number when reporting taxes. Avoid using information such as an employee or client identification number.
  
• Whenever possible, you should immediately delete credit card information once the business need for such details has been fulfilled. Avoid keeping this information longer than necessary as this will greatly increase the likelihood of identity theft and fraud.
  
• Make sure the software used for processing your customer's credit card details is not set to remember or retain this data permanently.
  
• Should there be a need to keep sensitive information for business purposes, make sure there is a clearly defined set of rules about what kind of information should be stored. These rules should encompass the length of time that the data will be stored, the methods used for storing it and proper disposal when the information is no longer needed.

Physical Safety

• Companies frequently lose sensitive personal information through lost documents or stolen paper files. Typically the best way to prevent this is to securely lock doors and maintain a high level of vigilance with paper documents in storage.
  
• Enact a strict policy for employees to keep sensitive personal information in locked rooms or locked file cabinets. The documents should only be removed when there is a legitimate business need to do so. Employees should always observe precautionary measures, ensuring they do not leave sensitive documents on their desk while they are not at their stations.
  
• Only employees with a legitimate business need for documents containing sensitive personal information should have access to storage in locked rooms and file cabinets. Monitor and control those who have the keys and the number of keys they hold in their possession.
  
• Constantly remind employees to shut down their computers, return files and securely lock file cabinets and office doors before going home.
  
• Apply sufficient access control for your building. Encourage employees to always report suspicious persons or activities within the building.
  
• When shipping sensitive data, keep a record of the information that was sent, and when possible, use an overnight courier service which enables you to track the status of the delivery.

Electronic Safety
Computer security should not be an area of concern for solely IT professionals. As a business owner, you should maintain an awareness and understanding of the security risks associated with your computer systems.

General Network Safety

• Be aware of which computers, laptops and servers have sensitive data stored.
  
• Determine the equipment and devices that have connections to the computers where sensitive personal information is stored. This could be computers in various satellite offices, cell phones, computers connected via the Internet and others devices.
  
• Avoid storing sensitive personal information on computers that have an Internet connection unless there is a legitimate business need to do so.
  
• Make sure all anti-virus and anti-spyware programs are updated, and establish a schedule of regularly running virus scans on all computers as well as your network servers.
  
• Analyze your computers and connections in order to evaluate which are most vulnerable. Use your own discretion to determine whether you need to hire experts to execute this.
  
• Keep yourself and your employees informed on the latest vulnerabilities and dangers by investigating software manufacturers and expert websites. Implement strict policies for using vendor-approved patches to solve problems and remedy irregularities.
  
• See to it that you use a secure connection such as SSL (Secure Sockets Layer) when sending or receiving sensitive personal information such as credit card details.
  
• Stay on top of your web application security. Web applications are at high risk for a wide range of fraud and other malicious attacks. Make sure you have the necessary defenses to counter these unfortunate incidents.
  
• Check the computers in your network to determine which systems do not require certain programs or software and disable access from that particular unit. This can greatly assist in preventing or minimizing illegal access.

• When creating a password, it is recommended to choose a complicated one that cannot easily be guessed. Encourage employees to choose an alphanumeric password with a combination of special characters to make it stronger. Passwords should always be different from the username. If possible, it is wise to change passwords periodically.
  
• Activate screensaver passwords to lock computers which are not in use after a specified period of time.
  
• After installing new software on your computers, be sure to change the default password supplied by the vendor. Remember to use a strong password to discourage hacking and other fraudulent activities.
  
• Prohibit employees from divulging their passwords or writing them down and posting them on their desks.
  
• Block users who key in the incorrect password after a specified number of login attempts.
  
• Caution employees against giving out their passwords to anyone who claims to be calling from the IT department. Fake calls intended to trick employees into giving out sensitive information are common within companies. Frequently remind employees that it is strict company policy to NEVER divulge passwords to others.

• Limit laptop use to those with a business need for mobile computing in order to carry out work-related tasks.
  
• Identify sensitive information stored in your laptop and determine the data that no longer needs to be stored. If specific information is no longer necessary, delete it using a wiping program which overwrites the information on the computer. Using the standard keyboard command or mouse procedure for deleting files is not enough to totally wipe the information from your hard drive.
  
• Ensure that laptops have secure storage, or use locks and wires to securely hold laptops in each employee’s workstation.
  
• If possible, allow employees to access sensitive data through their laptop but restrict the ability to store this information. Using this method, data is stored in a secure central system and the laptops serve as terminals that display the data from the central computer without creating local copies. For even more stringent security, access to the central computer would require a thumb print or other biometric authentication coupled with a password.
  
• For laptops which must store sensitive information, encrypt the information and manipulate the settings in such a way that users cannot download or install any software that will make unauthorized changes to the security settings for the encrypted data.
  
• Always remind employees to be extra vigilant while traveling. Teach them some basic yet significant practices for ensuring security. For instance, require that they always keep the laptops and storage devices in their presence and never leave them in areas where they cannot keep a close watch.

• It should be a company requirement to enable a firewall for all computers. A firewall makes it difficult for hackers to remotely access your computer. If your firewall settings are properly configured, any attempts to locate your system and gain access to your files will be prevented.
  
• Depending on the need, you may also choose to install a border firewall which isolates your network from the Internet and can hinder attempts to illegally access a computer where sensitive personal information is stored.
  
• Install additional firewalls on computers where sensitive information is stored if other computers in the same network are not storing the same data.
  
• Enable firewall access controls and review them regularly to keep track of the data that will be accessible and the number of employees who are allowed to access this data.

• Determine whether your company uses wireless devices or cellular phones to send and receive sensitive data. If this is the case, limit those who can use such devices to access your computer network.
• Encrypt data that’s transmitted from wireless devices to your computer network and when allowing remote access to your computer for troubleshooting or updating software. This makes it more difficult for hackers to access the information. This also discourages spoofing, which is practice of outside parties impersonating your computers in order to gain access to your network.

• Maintain a central log file for all information involving security in order to keep track of what is taking place in your network and more effectively detect and deal with attacks. Should there be any attacks on your computer the central log will provide information that can help you determine which computer has been attacked.
• Install a system for detecting intrusion. This intrusion-detecting equipment should be updated regularly to maintain the capability of responding to new kinds of threats.
• Keep a close watch on incoming traffic and user activity for indications of possible security violations.
• Outgoing traffic should also be monitored. Always check if there are unusual amounts of data being sent from your network to an unknown recipient.

No matter how in-depth your written plan for information security is, the success of the plan depends on those who execute it. In order to ensure effectiveness, take the time to sit down with your employees and thoroughly explain the rules. Provide them with proper and sufficient training in identifying security issues and vulnerabilities. Schedule regular training sessions to make sure your employees possess a complete understanding of the security practices utilized by your company.

• Before hiring people who will be dealing with sensitive information, run a thorough background check to ensure that the information you are protecting will not be violated.
  
• All new employees should be required to sign an agreement stating that they will always conform to your organization's rules involving confidentiality and security of sensitive information. Constantly remind the employees of these rules and policies to ensure that no sensitive data will be compromised.
  
• If an employee leaves your company or transfers to another department, make it standard operating procedure to remove that employee's access to sensitive information. Disable passwords and ask them to return IDs, keys and other related items as part of the departure process.
  
• Instill in your employees the value of information security by conducting regular employee trainings including all employees in all departments and levels. Make it a priority to inform employees about new risks involving information security.
  
• Constantly remind employees about your company's information security policies. If possible, post printouts of these policies in employee workstations or wherever sensitive data is stored. Your information security policies should apply to employees who work from home or and those who telecommute.
  
• Make your employees aware of phone phishing. Remind them to always be cautious when strangers call to ask for account details in order to complete transactions. Employees should verify calls by contacting the companies through their official contact numbers.
  
• Tell employees to inform you right away should there be any possible incidents of security violation or breach.
  
• Enforce strict disciplinary procedures for any employee violation of security rules.
  
• To learn more about computer security, you can visit www.onguardonline.gov for further information.

Security Practices for Contractors and Service Providers
The efficiency and effectiveness of your company's security practices depend on those who carry it out, including service providers and contractors.

• Prior to hiring outside services for your business processes, learn as much as possible about the contractor/provider's information security practices and determine whether they meet your standards and expectations.
  
• Raise security concerns with your service providers according to the type of data that they should deal with, as indicated in your contract with them.
  
• Remind your service providers to keep you informed of security incidents that they encounter even if they do not directly affect your data.

Trim down non-critical data, but do it with proper precaution.
Sure, you can easily organize files and documents by throwing the unnecessary ones straight into the trash bin. But when you're dealing with personally identifying data, merely throwing it into the trash could be an invitation to fraud and identity theft. It is extremely important to render the information unreadable before disposing of it. This will ensure that any attempts of fraud will be foiled.

• Enforce sufficient and appropriate measures for the proper disposal of information to prevent illegal or unauthorized use of the sensitive information. The development of these measures may be based on various factors, such as the degree of sensitivity of the data, changes in current technology and disposal methods.
  
• Properly dispose of paper files that are no longer necessary by shredding them before throwing them away.
  
• Use a wiping program to delete information from old computers and storage devices. Wipe utility programs overwrite information on the computer. Using the standard methods of deletion for removing files is not enough to totally wipe the information from your hard drive.
  
• If your business uses consumer credit reports, check out business.ftc.gov/privacy-and-security to learn more about the disposal rules of the FTC.

• Always maintain readiness with steps and procedures formulated as a response to security breach. Assign competent staff to carry out the procedures.
  
• If you can determine that a computer has been hacked or illegally accessed, be sure to immediately disconnect the computer from the Internet.
  
• Identify the people who must be notified in cases of compromised security. If you are unsure of who to notify, you should consult your lawyer on the subject.