FTC June 2015 Guidance on Data Security

FTC Guidance on Data Security

See the .pdf file named “FTC2015-StartWithSecurity.pdf”. The guidance below applies not only to digital information (data) but also to paper documents.

  • Make reasonable choices based on the nature of the business and the sensitivity of the information involved;
  • Keep only what you need for your business;
  • Protect what you keep;
  • Properly dispose of what you no longer need;
  • Create a plan to respond to security incidents.

FTC “Start With Security” Document

  • Don’t collect personal/sensitive information you don’t need;
  • Hold on to information only as long as you have a legitimate business need;
  • Don’t use personal information when it’s not necessary.

Control Access to Data Sensibly

  • Restrict access to sensitive data;
  • Limit administrative access.

Require Secure Passwords and Authentication

  • Insist on complex and unique passwords;
  • Minimum of 12 characters in length;
  • Unique;
  • No use of dictionary words;
  • Require at least one upper case letter, one number, one symbol;
  • Do not use birthdays, zip codes, special dates, phone numbers, social security numbers, etc…;
  • Store passwords securely (encrypt them at rest);
  • The use of 2FA or MFA increases the likelihood that the account will remain secure;
  • Guard against brute-force attacks;
  • Implement a policy to suspend or disable accounts after repeated login attempts;
  • Protect against authentication bypass;
  • Test for common vulnerabilities.
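
The rules above translate directly into code. The following is an added example, not from the FTC document or this page: a small authentication helper that rejects passwords violating the listed rules, stores only a salted slow hash (which is how passwords are normally stored at rest), and suspends an account after repeated failed logins. The wordlist, the lockout threshold of five attempts and the iteration count are constructed assumptions for illustration.

```python
"""Password policy, secure storage and lockout helper.
Added example; the wordlist, MAX_FAILED_ATTEMPTS and PBKDF2_ITERATIONS
are illustrative assumptions, not values from the FTC guidance."""
import hashlib
import hmac
import os
import string

# Constructed sample wordlist; a real deployment would load a large one.
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "company"}
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5        # assumed policy threshold
PBKDF2_ITERATIONS = 300_000    # illustrative; use a current recommended count


def password_problems(candidate: str) -> list:
    """Return the policy rules the candidate violates (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    return problems


def hash_password(candidate: str) -> bytes:
    """Store a random salt plus a slow PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(candidate: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(attempt, digest)


class AccountStore:
    """In-memory accounts with per-account failure counting and suspension."""

    def __init__(self):
        # username -> {"hash": bytes, "failures": int, "suspended": bool}
        self._accounts = {}

    def register(self, username: str, password: str) -> None:
        problems = password_problems(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self._accounts[username] = {
            "hash": hash_password(password), "failures": 0, "suspended": False,
        }

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'suspended'. Unknown users look like a wrong password."""
        account = self._accounts.get(username)
        if account is None:
            return "denied"
        if account["suspended"]:
            return "suspended"
        if verify_password(password, account["hash"]):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        if account["failures"] >= MAX_FAILED_ATTEMPTS:
            account["suspended"] = True
            return "suspended"
        return "denied"
```

A suspended account stays suspended even when the correct password is later supplied, so an operator (or a verified reset flow) has to unlock it; that is the behaviour the "suspend or disable accounts after repeated login attempts" bullet asks for.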

Store Sensitive Personal Information Securely and Protect It During Transmission

  • Keep sensitive information secure throughout its life cycle;
  • Encrypt data at rest and during transmission at all times;
  • Use industry-tested and accepted methods;
  • Ensure proper configuration (SSL, Certificate Validation, etc…).
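
"Proper configuration" most often fails at certificate validation: a client that disables it still shows an encrypted connection but will happily talk to whoever intercepts it. The following added example (not from the FTC document or this page) uses Python's standard `ssl` module to build the weak configuration beside the corrected one and to review a context for the settings that matter. No network connection is made.

```python
"""Weak versus hardened TLS client configuration, reviewed offline.
Added example; the finding strings are this example's own wording."""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What a developer may write to silence a certificate error during
    testing, and what must not ship: no certificate or hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Validate the server certificate against the system trust store,
    check the hostname, and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def configuration_findings(ctx: ssl.SSLContext) -> list:
    """Review a context and return the list of findings (empty = passes)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


if __name__ == "__main__":
    print("weak:", configuration_findings(weak_client_context()))
    print("hardened:", configuration_findings(hardened_client_context()))
```

The same review can be run in a unit test against whatever context a product actually uses for its outbound connections, which turns the "verify that privacy and security features work" bullet into a repeatable check rather than a one-off audit.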

Segment Your Network and Monitor Who’s Trying To Get In and Out

  • Use Firewalls to protect segments of your network from other segments;
  • Use Intrusion Detection Systems and Intrusion Prevention Systems;
  • Monitor Logs.
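
Monitoring logs only pays off if something reads them. As an added example (not from the FTC document or this page), the following small monitor flags a source address that produces many failed logins across different accounts in a short window, the pattern an account-lockout policy alone does not catch. The log lines are constructed for the example, and their format (timestamp, outcome, user, source) is an assumption.

```python
"""Sliding-window detection of failed logins per source address.
Added example; SAMPLE_LOG, WINDOW and THRESHOLD are constructed values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
2015-06-30T09:00:01 FAIL user=alice src=203.0.113.7
2015-06-30T09:00:03 FAIL user=bob src=203.0.113.7
2015-06-30T09:00:04 OK   user=carol src=198.51.100.2
2015-06-30T09:00:06 FAIL user=carol src=203.0.113.7
2015-06-30T09:00:09 FAIL user=dave src=203.0.113.7
2015-06-30T09:00:10 FAIL user=erin src=203.0.113.7
2015-06-30T09:05:00 FAIL user=alice src=198.51.100.2
2015-06-30T09:20:00 FAIL user=frank src=203.0.113.7
"""

WINDOW = timedelta(minutes=1)
THRESHOLD = 5  # assumed alert threshold: failures within one window


def parse_line(line: str):
    """Split one constructed log line into (timestamp, outcome, user, source)."""
    ts, outcome, user, src = line.split()
    return (datetime.fromisoformat(ts), outcome,
            user.split("=", 1)[1], src.split("=", 1)[1])


def failed_login_sources(log_text: str, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {source: peak_failures} for every source whose failures in some
    window of the given length reach the threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, _user, src = parse_line(line)
        if outcome == "FAIL":
            failures[src].append(ts)

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(times):
            # Advance the window start until all kept failures fit in the window.
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in failed_login_sources(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins within {WINDOW}")
```

Keying on the source rather than the account is deliberate: five failures spread over five usernames never trip a per-account lockout, but they are exactly what a password-spraying attempt looks like in the log.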

Secure Remote Access to Your Network

  • Ensure endpoint security;
  • Ensure clients have anti-virus, firewalls and secure access points;
  • Put sensible access limits in place;
  • Restrict third-party access;
  • Restrict by IP Address;
  • Restrict by granting temporary, limited access.

Apply Sound Security Practices When Developing New Products

  • Train your engineers in securing their code;
  • Follow platform guidelines;
  • Verify that privacy and security features work;
  • Test for common vulnerabilities.

Make Sure Service Providers Implement Reasonable Security Measures

  • Keep a watchful eye on service providers;
  • Put it in writing. Make service providers agree to use the highest security standards;
  • Verify compliance. Ask questions and follow up during the development process.

Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities that May Arise

  • Security is an ongoing process;
  • Apply updates as they are issued. Have a reasonable process in place to patch and update your third-party software;
  • Provide a platform for customers to disclose vulnerabilities to you;
  • Heed credible security warnings and move quickly to fix them.

Secure Paper, Physical Media, and Devices

  • Securely store sensitive files;
  • Protect devices that process personal information;
  • Keep safety standards in place when data is en route;
  • Dispose of sensitive data securely.
