
Information Security Guidelines

Here are some basic steps you can take to help maintain the security and integrity of protected consumer information:
  • Only those employees and contractors who require access to consumer information should be given access.
  • Rooms and file cabinets that contain sensitive information should be locked or otherwise secured.
  • Documents that contain sensitive information should not be left where they can be easily compromised, such as in meeting rooms or in other open areas. Managers and other employees should be alert for documents that are left in inappropriate places.
  • Computers that contain or can access sensitive information should be password-protected and either turned off when not in use or have a password-protected screen-saver enabled; and
  • Requests for information about customers from outside parties should be referred to an appropriate contact person within the organization.
You can also take several relatively simple steps to protect information from misappropriation or deletion:
  • Inform applicants and new hires that your organization emphasizes customer privacy and that you have a Safeguard Program in place.
  • Conduct background checks on applicants, particularly on applicants for positions that will have access to sensitive information.
  • Encrypt protected customer information whenever it is transmitted electronically, and whenever it is stored on portable media or devices that could be lost or stolen.
  • Immediately disable or delete the accounts and passwords of employees or contractors no longer associated with the organization, and change any shared passwords they knew.

Network & Information System Integrity

    You must also assess and minimize the risk of customer information being compromised wherever it is held or handled, including, but not limited to, paper files, your computers and servers, internet access, and backup files. Each organization handles customer information differently. Therefore, in this area of the Safeguard Program, you should critically review how your organization collects, accesses, processes, stores, distributes, backs up, transmits, and destroys the protected information, and customize your Program accordingly.

    At a minimum each organization should take the following steps:

    1. Store records in a secure area:

  • Hard copies, such as paper documents, should be stored in controlled-access areas, such as locked rooms and locked file cabinets;
  • Electronic data should be stored on secure servers with limited access. Unless absolutely necessary, private customer information should not be stored on servers that are exposed to the internet or that can be reached remotely;
  • Access to sensitive information should be monitored and recorded, e.g., a record should be kept of who views electronic data when, and hard copies should have to be "signed out" of a central repository; and
  • Back-ups should be made regularly and stored in a separate facility, preferably in a completely separate physical location.
    2. Provide for secure data transmission when collecting or transmitting customer or other protected information:

  • Encrypted connections (such as TLS), authentication, and encryption of the data itself should be used whenever data is transmitted electronically; unencrypted e-mail and file transfer should not be used for protected information.
  • Customers submitting information to the organization should be reminded to take all necessary precautions. Secure transmissions from the customer to the organization should be automatic if possible; and
  • If it is necessary to fax or mail information, appropriate precautions should also be taken, such as providing secure or private fax machines, use of private couriers, and the regular use of confirmations.
    3. Dispose of customer information in a secure manner:

  • Hire, designate, or outsource a records retention manager/specialist to supervise the disposal of information.
  • Shred sensitive documents before they are recycled or discarded.
  • Completely erase all data when disposing of computers, diskettes, tapes, and hard drives that might contain sensitive information. Deleting files or reformatting a drive does not remove the data; overwrite the media with a secure-erase tool or destroy it physically.
  • When necessary, properly and effectively destroy all computer hardware used to store or access customer information; and
  • Regularly and properly purge customer files of outdated customer information.
    4. Use adequate oversight and audit procedures to detect the misappropriation or loss of protected information. Each customer list or file should contain a code or identifier so that contacts, access, or changes can be monitored and controlled.

    5. Maintain a close physical inventory of all computer hardware.
