See the PDF file named “FTC2015-StartWithSecurity.pdf”. The points below apply not only to digital information (data) but also to paper documents.
- Make reasonable choices based on the nature of the business and the sensitivity of the information involved;
- Keep only what you need for your business;
- Protect what you keep;
- Properly dispose of what you no longer need;
- Create a plan to respond to security incidents.
FTC “Start With Security” Document
- Don’t collect personal/sensitive information you don’t need;
- Hold on to information only as long as you have a legitimate business need;
- Don’t use personal information when it’s not necessary.
Control Access to Data Sensibly
- Restrict access to sensitive data;
- Limit administrative access.
Require Secure Passwords and Authentication
- Insist on complex and unique passwords:
  - Minimum of 12 characters in length;
  - No use of dictionary words;
  - Require at least one upper case letter, one number and one symbol;
  - Do not use birthdays, zip codes, special dates, phone numbers, social security numbers, etc.;
- Store passwords securely (encrypt them at rest);
- The use of 2FA or MFA increases the likelihood that the account will remain secure;
- Guard against brute-force attacks:
  - Implement a policy to suspend or disable accounts after repeated failed login attempts;
- Protect against authentication bypass;
- Test for common vulnerabilities.
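The password rules above, as an added Python example that is not part of the FTC document or of this summary: a policy check covering the length, character-class, dictionary-word and personal-number requirements, salted PBKDF2 storage as the "store passwords securely" step (a salted hash rather than a reversible encryption, so a copied table does not yield passwords), and a counter that disables an account after repeated failed attempts. The word list, the iteration count and the lockout threshold of five are assumptions chosen for the example.

```python
"""Password policy, salted password storage and login lockout (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re

MIN_LENGTH = 12              # from the summary's "minimum of 12 characters"
MAX_FAILED_ATTEMPTS = 5      # assumed lockout threshold for this example
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

# Constructed stand-in for a dictionary; a real deployment loads a full word list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}


def check_password_policy(password: str) -> list[str]:
    """Return the rules the candidate password breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    # Birthdays, zip codes, phone and social security numbers all surface as long digit runs.
    if re.search(r"\d{5,}", password):
        problems.append("contains a long run of digits (date, zip, phone or SSN-like)")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the work factor can be raised without breaking old entries.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash checked for unknown users, so a missing account costs as much time as a wrong password.
_DUMMY_HASH = hash_password("no-such-account-placeholder")


class LoginGuard:
    """Counts failed logins per account and disables the account at MAX_FAILED_ATTEMPTS."""

    def __init__(self, stored_hashes: dict[str, str]):
        self.stored = stored_hashes
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, user: str, password: str) -> str:
        """Return "ok", "failed" or "locked"; a locked account rejects even the right password."""
        if user in self.locked:
            return "locked"
        # Verify first, then check membership, so unknown users take the same path.
        ok = verify_password(password, self.stored.get(user, _DUMMY_HASH)) and user in self.stored
        if ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)  # stays disabled until an administrator reviews it
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(check_password_policy("Password!2024xyz"))
    record = hash_password("Tr0ub4dor&3-horse")
    guard = LoginGuard({"alice": record})
    print(guard.attempt("alice", "Tr0ub4dor&3-horse"))
    print([guard.attempt("alice", f"guess{i}!") for i in range(5)])
```

The lockout is kept in memory here; a real service would persist the counter and lock state so that restarting the process does not reset an attacker's budget, and would alert on accounts that reach the threshold.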
Store Sensitive Personal Information Securely and Protect It During Transmission
- Keep sensitive information secure throughout its life cycle;
- Encrypt data at rest and in transit at all times;
- Use industry-tested and accepted methods;
- Ensure proper configuration (SSL/TLS, certificate validation, etc.).
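The "proper configuration" point above, as an added Python example that is not from the FTC document or this summary: one function builds a client TLS context with certificate validation, hostname checking and a TLS 1.2 floor; a second shows the misconfiguration that silently disables validation; and an audit function reports which of those settings a given context gets wrong. The finding strings are the example's own.

```python
"""Checking a TLS client configuration for disabled validation (added example)."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the server certificate and hostname, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # set explicitly; older Pythons allow lower
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration the audit is meant to catch: certificate checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to go first; CERT_NONE cannot coexist with it
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, so interception is invisible
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the settings on this context that undermine 'proper configuration'."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation disabled: verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_client_context()))
    print("weak:    ", audit_tls_context(weak_client_context()))
```

The audit only inspects the context object, so it can run in a unit test or a configuration review without opening a network connection; the same three checks are what a code reviewer looks for when an application wraps its own sockets instead of relying on library defaults.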
Segment Your Network and Monitor Who’s Trying To Get In and Out
- Use firewalls to protect segments of your network from one another;
- Use Intrusion Detection Systems and Intrusion Prevention Systems;
- Monitor Logs.
Secure Remote Access to Your Network
- Ensure endpoint security:
  - Ensure clients have anti-virus software, firewalls and secure access points;
- Put sensible access limits in place;
- Restrict third-party access:
  - Restrict by IP address;
  - Restrict by granting temporary, limited access.
Apply Sound Security Practices When Developing New Products
- Train your engineers in securing their code;
- Follow platform guidelines;
- Verify that privacy and security features work;
- Test for common vulnerabilities.
Make Sure Service Providers Implement Reasonable Security Measures
- Keep a watchful eye on service providers;
- Put it in writing. Make service providers agree to use the highest security standards;
- Verify compliance. Ask questions and follow up during the development process.
Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities that May Arise
- Security is an ongoing process;
- Apply updates as they are issued. Have a reasonable process in place to patch and update your third-party software;
- Provide a channel for customers and researchers to disclose vulnerabilities to you;
- Heed credible security warnings and move quickly to fix them.
Secure Paper, Physical Media, and Devices
- Securely store sensitive files;
- Protect devices that process personal information;
- Keep safety standards in place when data is en route;
- Dispose of sensitive data securely.