10 questions to ask before creating a data security policy for your company.


Big or small, data breaches can cost your business time, money and customers… and they can be incredibly difficult to recover from. However, an effective data security policy can protect your business and keep it running smoothly and securely.

Any data security policy needs to consider two types of data: internal (employee and company information) and external (customer data). So, to create your policy, you must answer these critical questions:

  1. What regulations govern our industry? If you handle sensitive information from customers, there are often regulations concerning minimum security levels (for instance, healthcare businesses must adhere to HIPAA). Government work has another standard for security. Make sure you are clear on these regulations, and that your business is meeting them.

  2. Who needs access to our organization’s data? How will data be safeguarded so only authorized individuals can use it? To be effective, data protection must be a combined effort of people, processes and technology. Firewalls can help keep “bad guys” from getting access to your data, but usually won’t stop data from getting out. For small businesses, human effort is critical. Make sure employees are aware of your company’s data classification system and standards, and establish routine checks and audits to verify that your processes are protecting key data.

    Once you have your people and processes working, if your business does not have an IT department of its own, a consultant can help you ensure that you have the technology end covered.

  3. How will internal employee information be safeguarded? Access to confidential information like employees’ salaries, Social Security numbers, performance evaluations, etc. should be limited to those who need the information to perform their jobs. For other information, establish tiers of access: low (public access), medium (internal only) and high (confidential).

  4. What are our password rules and standards? Set complexity standards for employee passwords, both for permanent and temporary workers. Multi-factor authentication can add even greater security.

  5. How will internet usage be governed? While you may be tempted to limit internet usage to enhance security, too many limitations can hamper employee productivity. The right balance will depend, in part, on how much sensitive data your company deals with.

  6. How will email usage be managed? Hackers can steal sensitive company information shared in emails. Set precise standards for message content, encryption and file retention.

  7. What are our guidelines for social media? Educate employees on data privacy best practices and create standards for how your employees represent the company on social media.

  8. How will we manage company-owned mobile devices and computers? Company-owned devices that leave the office, like phones, laptops and tablets, must be password-protected, and screens should be locked to prevent data theft. Policies to protect devices from theft must be put in place as well.

  9. Who will manage the security policy? While data security is everyone’s responsibility, one employee or team should own the task of administering the policy. In the event of a security incident like a virus or data breach, all employees should know whom to inform. And whoever manages the policy should establish how often it gets updated, and make these updates promptly.

  10. What is our procedure in the event of a data breach? In today’s business landscape, the question is not if a data breach will happen, but when. That’s why it’s so important to have procedures in place for dealing with the problem. With an established process, the problem can be remedied as quickly as possible.

This is not an exhaustive list of the questions your data security policy must answer, as many will depend on your industry and the size of your business. Once you finish your security policy, however, remember: Your policy is useless if your employees don’t read it and sign off on it. And make sure every new employee does so as well.

Need help? Frankenmuth Insurance offers a Cyber and Information Protection Plus package that includes your own data-breach coach and team of experts. Ask an agent if it could be right for you.