Build Security

How are you protecting customer data?

1. Who has access to your data?

Grant sensitive data access only to the people who need it to perform their jobs, and review this list regularly to account for people changing roles. This applies especially to engineers with administrative access to your infrastructure, and to former vendors and consultants whose access should end with their engagement.

Example: Shared Documents

Team collaboration tools often have default settings that allow everyone in your organization to access all content. The risk? Sensitive data such as member lists, email addresses, or resumes may be easily available to more people than you think.
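The two checks described in this section (stale access after role changes or departures, and organization-wide default sharing of sensitive content) can be automated as a periodic access review. The script below is an added example, not code from the original page; the roster, role entitlements and grants are constructed for illustration, and the role names and resource names are assumptions.

```python
"""Periodic access review over sensitive data grants (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Person:
    name: str
    role: str        # current role
    active: bool     # False for departed staff and former vendors/consultants


@dataclass
class Grant:
    resource: str
    sensitivity: str  # "sensitive" or "internal"
    grantee: str      # a person's name, or "everyone" for org-wide default sharing
    granted_as: str   # the role the grantee held when access was granted


# Which roles legitimately need which sensitive resources (assumed mapping).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "hr": {"resumes", "payroll"},
    "fundraising": {"member-list"},
    "infra-admin": {"payroll", "member-list", "resumes"},  # admins: re-confirm each review
}

# Constructed roster: bob moved from HR to fundraising, dave's contract has ended.
ROSTER: Dict[str, Person] = {
    p.name: p for p in [
        Person("alice", "hr", True),
        Person("bob", "fundraising", True),
        Person("carol", "infra-admin", True),
        Person("dave", "consultant", False),
    ]
}

# Constructed list of current grants, as exported from a collaboration tool.
GRANTS = [
    Grant("payroll", "sensitive", "alice", "hr"),
    Grant("resumes", "sensitive", "bob", "hr"),                # stale after role change
    Grant("member-list", "sensitive", "carol", "infra-admin"),
    Grant("member-list", "sensitive", "dave", "consultant"),   # former vendor
    Grant("member-list", "sensitive", "everyone", "default"),  # tool's default sharing
    Grant("lunch-menu", "internal", "everyone", "default"),    # not sensitive, ignored
]


def review_grants(grants, roster, entitlements):
    """Return {grantee: [reasons]} for sensitive grants that should be revoked."""
    findings: Dict[str, list] = {}
    for g in grants:
        if g.sensitivity != "sensitive":
            continue
        reasons = []
        if g.grantee == "everyone":
            reasons.append(f"{g.resource}: shared with everyone in the organization")
        else:
            person = roster.get(g.grantee)
            if person is None or not person.active:
                reasons.append(f"{g.resource}: grantee no longer active")
            elif g.resource not in entitlements.get(person.role, set()):
                reasons.append(
                    f"{g.resource}: role changed from {g.granted_as} to {person.role}")
        if reasons:
            findings.setdefault(g.grantee, []).extend(reasons)
    return findings


def admins_with_sensitive_access(grants, roster):
    """Active administrators holding sensitive grants, listed for explicit re-confirmation."""
    return sorted({
        g.grantee for g in grants
        if g.sensitivity == "sensitive"
        and g.grantee in roster
        and roster[g.grantee].active
        and roster[g.grantee].role == "infra-admin"
    })


if __name__ == "__main__":
    for who, why in review_grants(GRANTS, ROSTER, ENTITLEMENTS).items():
        print(f"revoke for {who}: " + "; ".join(why))
    print("admins to re-confirm:", admins_with_sensitive_access(GRANTS, ROSTER))
```

Run against a real export, the review flags three kinds of grant the section warns about: a grant whose holder has changed role and is no longer entitled, a grant still held by someone who has left, and a sensitive resource left on the tool's organization-wide default. Administrators are listed separately rather than auto-approved, so their access is re-confirmed on every review instead of silently persisting.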

2. Where is your data handled?

Data is often handled and stored in multiple formats and countries, and by multiple parties.

Make sure you understand how your data will be handled, including any profile-building, sharing or selling. Common outsourced services include: recruitment, payroll, benefits, emails, surveys, donations and customer support. And these services may use other companies to host your data.

Example: HR Data

Employees who work in HR may handle sensitive personal data in several locations, including paper, local desktop computers, shared online drives and third-party platforms.

3. What security measures do you have in place?

Appropriate security will depend on the type of data you have, where it’s located and what your resources are. It also includes managing the vendors and consultants who provide your outsourced services.

Example: Security Measures

  • Physical measures such as ID cards, locks, document shredding.
  • Administrative measures such as access controls, passwords, and multi-factor authentication.
  • Technical measures such as penetration testing, encryption, intrusion protection, and vulnerability reporting.

4. What will you do if there is a problem?

Data can be compromised in many ways. Establishing the facts and making decisions in a timely manner is often an unexpected and resource-intensive effort.

Depending on the problem and risk it creates, you may also need to notify the people impacted or their governments.

Example: Incident Response Plan

A basic incident response plan should identify how incidents are reported and escalated for appropriate review. This includes incidents identified by employees, customers, and vendors.

Resources