Data security is becoming an increasingly prominent concern as technology becomes more integral to the management of education, social service, and employment records. Data breaches jeopardize confidentiality, undermine public trust, and result in significant financial investment in victim compensation programs and new security strategies.
Data security programs involve the management of people, processes, and technology to ensure physical and electronic protection of individual privacy and confidentiality. They balance the need to protect personally identifiable information (PII) against the need to maintain data quality, transparency, and legitimate access to the data. To ensure that all aspects of a security plan are executed properly, the program should offer clear guidance and tools for implementing security measures, including the following:
- Policy and governance: Outline organizational policies and standards regarding data security and individual privacy protection. The plan should clearly identify staff responsibilities for maintaining data security and empower employees by providing tools they can use to minimize the risks of unauthorized access to PII.
- Personnel security: Create an Acceptable Use Policy that outlines appropriate and inappropriate uses of internet, intranet, and extranet systems. Incorporate security policies in job descriptions and specify employee responsibilities associated with maintaining compliance with these policies. Conduct regular checks and training to ensure employee understanding of the terms and conditions of their employment. Confirm the trustworthiness of employees through the use of personnel security screenings, policy training, and binding confidentiality agreements.
- Physical security: Make computing resources physically unavailable to unauthorized users. This includes controlling access to any area where data whose unauthorized or inadvertent disclosure could cause harm are stored or processed, such as buildings and server rooms. Strategies include issuing identification badges and requiring staff and visitors to sign in before entering the premises or using the resources. Alternatively, the data can be placed in a secure data enclave that only authorized users can access.
- Network mapping: Document enterprise devices (such as servers and routers) and their connections, the applications and data they host, and the dependencies between applications, data, and network layers. Highlight potential vulnerabilities.
- Inventory of assets: Document both the authorized and the unauthorized devices present in your computing environment. Any device reachable from the internet can be discovered by automated programs scanning for vulnerabilities, so a device you do not know about is a device you cannot secure.
- Authentication technologies: Ensure that individuals are who they claim to be before they are allowed to access network assets, services, and information. For example, in two-factor authentication, after a user enters a password, they must also enter a one-time passcode delivered through a second channel tied to that specific user, such as an authenticator app, a text message, or an email. Authenticator apps are the stronger option; text messages and email can be intercepted or redirected.
- Provide a layered defense: Employ an architecture that uses a wide spectrum of tools arrayed in a complementary fashion, such as separate safeguards for individual computers, applications, networks, and the physical perimeter.
- Secure configurations: Do not connect any hardware or software to the network until it has been securely configured and tested. Continuously scan to ensure that system components remain in a secure state, and establish a comprehensive change management program to analyze and address the security and privacy risks introduced by new technology or business processes.
- Access control: Require strong passwords and limit how long an access session may remain open, for example by locking a device after a period of inactivity. Grant access to sensitive data and administrative privileges sparingly, assigning privileges by role so that, for example, only designated administrators can see PII. Store sensitive data on a separate server from other types of data, with additional protections such as encryption.
- Implement firewalls: Configure devices that permit or deny network transmissions based upon a set of rules to prevent unauthorized access while permitting legitimate communications to pass.
- Intrusion detection/prevention systems: Deploy monitoring devices that detect malicious activity on the network, report suspicious activity to a central monitoring point, and potentially automatically take remediation action.
- Automated vulnerability scanning: Scan your network and systems regularly so that newly disclosed vulnerabilities in hardware, operating systems, applications, and other network devices are found and addressed before new malware or other attacks can exploit them.
- Patch management: Develop a plan for testing and rolling out software updates and patches (code changes that fix vulnerabilities or otherwise harden computers and applications against new threats) on a regular basis.
- Mobile devices and data at rest: Encrypt sensitive data stored on servers and on mobile devices such as laptops or smartphones, which are especially likely to be lost or stolen.
- Incident handling: Proactively establish a process to contain and fix data incidents, including procedures for users, security personnel, and managers that define appropriate roles and actions.
- Audit and compliance monitoring: Periodically conduct independent assessments of data protection capabilities and procedures.
- Training: Ensure that all users understand their vital role in keeping data secure and what actions to take if they suspect that an account has been compromised.
Secure data governance checklist
Read a more detailed checklist regarding establishing and maintaining a successful data governance program:
You can identify areas where you may need to develop more robust security protocols.
Examine existing data security practices
Many states are working to update their security policies to respond to evolving cybersecurity threats, and federal frameworks are constantly being updated. In California, several state and national frameworks were merged to address the specific concerns of each agency and differing requirements based on the nature of the data being provided. To ensure that data providers could get their questions answered, a national expert from the U.S. Department of Education’s Privacy Technical Assistance Center, as well as an expert in the state’s privacy requirements, met repeatedly with planning committee members to ensure they were familiar with federal and state policies and standards about breaches and breach notifications. The planning partners compared the resulting requirements to their internal practices to address concerns about the risk of data breaches. In addition, they determined that a committee made up of Chief Information Security Officers would meet periodically to update these policies. Finally, they recommended that external evaluators ensure that the entity hosting the data and any of its subcontractors are complying with the standards.