Establishing a Business Security Plan
All businesses that conduct business via the Internet have a
responsibility to keep their data safe. When a customer registers to
receive information or to purchase a product from your business, it's
very likely that they are trusting their personal information to you
as part of the process. If their personal information is compromised,
the consequences can be far reaching and dire. Your business' risks
commence with upset customers who may be unwilling to continue doing
business with you through jail time and large fines.
The standard to which business owners are held has risen dramatically
over the past year. These days, it's considered common sense that any
business that collects personal information from customers also would
have a security plan to protect the confidentiality and integrity of
the information. For financial institutions, it's an imperative: The
Gramm-Leach-Bliley Act and the Safeguards Rule, enforced by the
Federal Trade Commission, require financial institutions to have a
security plan for just that purpose. Due to other recent laws and
regulations, such as the Sarbanes-Oxley Act and HIPAA regulations,
business data security imperatives are being brought into the mainstream.
The threats to the security of your information are varied -- from
computer hackers to disgruntled employees or even simple
carelessness. While protecting computer systems is an important
aspect of information security, it is only part of the process.
Security Plan Implementation
Sound security for businesses means regular risk assessment, effective
coordination and oversight, and prompt response to new developments.
Following are some points all businesses need to consider as you
design and implement your information security plan:
- Identifying internal and external risks to the security,
confidentiality and integrity of your customers' personal information
- Designing and implementing safeguards to control the risks
- Periodically monitoring and testing the safeguards to be sure they
are working effectively
- Adjusting your security plan according to the results of testing,
changes in operations or other circumstances that might impact
- Overseeing the information handling practices of service providers
and business partners who have access to the personal information. If
you give another organization access to your records or computer
network, you should make sure they have implemented sufficient
security of their own.
When setting up a security program, your business should consider all
the relevant areas of its operations, including employee management
and training; information systems, including network and software
design, and information processing, storage, transmission and
disposal, and contingencies, including preventing, detecting and
responding to a system failure. Although the security planning
process is universal, there's no "one size fits all" security plan.
Every business faces its own special risks. The administrative,
technical, and physical safeguards that are appropriate really depend
on the size and complexity of the business, the nature and scope of
the business and the sensitivity of the consumer information it keeps.