Well? While maybe not as polarizing as the Oxford comma or single/double spacing after a period, it is worth considering.
If this all seems random, you have been paying attention. (Thank you!) And I have a confession to make.
It looks like I got ahead of myself.
I told you last month that we would now start reviewing technical controls and security settings. But before we can get down to the 1s and 0s, there is something else we need to do first.
Just as you would not design a fire evacuation plan without knowing what the building looks like and where the offices and people are, we need to first know what data we have and where data might be found.
Ok – easy! I have email, user files, office computers, and our client management platform. Done!
Not so fast. What about mobile phones? USB drives/CDs? File cabinets? Backups? Other vendors such as mass email/newsletter platforms or website form submissions? Cookie data? And don’t forget all the other pieces of equipment around the office such as copiers/printers/scanners.
This question has become even more complicated in this time of COVID-19 with many people working at least partially from home or other remote locations. Are your clients’ data being saved (intentionally or not) to non-work devices? Also consider data in hard-copy form (notes, printouts, mail, etc.) that may be at home, in a car, at the office, etc.
Finally, it is important to remember you also have data on your employees and sometimes their family members – in payroll systems, benefits systems, pandemic-related health screening forms, etc. Different protection standards may apply to some of the categories of information as well (think: HIPAA, ERISA, etc.).
This process may take some time. Make a list, think about it, sleep on it. You may be surprised at other locations that hold data worth protecting. And don’t forget to talk with your co-workers and vendors – the more you know, the easier the process will be going forward.
So now that we know where data lives in our physical and electronic systems, we can start reviewing some technical controls and security settings in your office (whether remote or in your traditional location)!
PS – My personal preference on “data” – it depends! I prefer the concept of “data” being plural, and every time I say “data is” I hear a little voice scream “DATA ARE!”, but I see the argument for it being singular in many general contexts. As to the others… Oxford commas are great, periods should be followed by two spaces, and hippopotamus x2 = hippopotami (unless you want one for Christmas). Sorry, not sorry!
About the Author
Patrick is the Vice President of Enterprise and Operational Risk Management at Lawyers Mutual as well as filling the roles of Corporate Secretary and Director of Information Security. He is an NCSB board-certified specialist in Privacy & Information Security Law and has been designated a Fellow of Information Privacy and a Privacy Law Specialist by the IAPP. He is always happy to talk about his collection of tinfoil hats or to discuss risk management advice and resources that you may find helpful - you may reach him at 800.662.8843 or email@example.com.