In a previous article, we discussed how to start protecting sensitive data. We defined sensitive data (hint: it's any private and confidential information that you must safeguard from all unauthorized users).
We also implemented practical steps toward protecting sensitive data, like:
• Taking inventory to know where sensitive data resides in your organization by creating a data flow diagram and interviewing stakeholders
• Creating a data classification method to use, share, and protect data properly
• Establishing policies for sensitive data use in your organization
• Training users on sensitive data handling and policies
In this article, we'll continue the topic of protecting sensitive data by following the next few logical steps, namely safeguarding what you have with encryption and backups and defining your data retention timelines, including when and how to destroy data.
Let's get to it.
NIST (the National Institute of Standards and Technology) gives us an excellent working definition of encryption:
Encryption is the cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used.
Encryption provides several essential security measures for your business, especially if you handle sensitive data. Here are just a few:
• Protects data from unauthorized users
• Keeps data private
• Meets customer data protection requirements and service level agreements
• Allows secure transport of data through untrusted networks like the Internet
• Meets compliance requirements such as HIPAA and PCI DSS
Even if encrypted sensitive data is accessed or stolen by unauthorized users, it's protected as long as they don't have the decryption keys.
How does Streamworks use encryption to protect your sensitive data? We did an encryption deep-dive in a previous blog post.
To recap, Streamworks employs encryption in three main ways:
1. Transport encryption
2. File encryption
3. Data-at-rest encryption
We use encryption at the transport level through our secure file transfer (SFTP) system, SSL/TLS web connections, and encrypted email.
Lastly, Streamworks encrypts data at rest in our hosted environment.
Per our documented security policies (including a dedicated encryption policy), we classify all client data as confidential. So rest assured, your data-at-rest is encrypted while in our care.
These days, having backups of your critical data is a no-brainer.
Compared to the old days, storage is relatively cheap, and the risk of losing data to crimes like ransomware is serious. Like any comprehensive action plan, your backup strategy should have multiple layers.
First, start with a separate and approved backup policy as part of your complete collection of information security policies.
Once your policy is in place, use proven backup software and schedule all data backups to occur automatically.
Make sure backups are encrypted and reside in multiple locations. As a best practice, have copies at geographically separated sites many miles apart.
Lastly, test your backup data by running restore tests regularly.
At Streamworks, we have a multi-layered backup strategy for protecting your sensitive data to meet your business requirements. For example, our information security policy manual has a dedicated backup policy.
Next, we kick off automated full weekly and daily backups that are maintained onsite at our HQ and securely replicated to our offsite disaster recovery facility.
We test the integrity and completeness of our backups through periodic restore testing and throughout the course of normal business operations.
And, of course, we encrypt all backup data.
Data retention is the strategy of retaining data for a specified time to meet regulatory, business, and technical requirements.
This strategy refers to the systematic and intentional procedures you use to store, access, and destroy data. As with the other steps, you'll want to define your data retention requirements in an approved information security policy and procedure.
To fulfill our data retention requirements (and yours), Streamworks has procedures in place to 1) protect your confidential information from deletion during the required retention period and 2) identify your confidential information requiring destruction when the end of the retention period arrives.
With these in place, you can rest assured that we'll have your data safeguarded to complete your work, and we'll securely delete it when we finish the job.
The Streamworks data destruction process commences when defined data retention requirements have elapsed.
In other words, when the time comes to securely delete your data (based on predetermined contractual, regulatory, or technical requirements), we do it. At the same time, however, we have data destruction procedures that protect your data from destruction until the required time frame arrives.
Our standard is to securely destroy your sensitive data after 90 days, but we'll work with you to adjust data retention policies to meet your company's specific needs.
In addition to logical data destruction, we securely shred all physical materials containing sensitive data and use a NAID-certified vendor who shreds on site.
As you can see, protecting sensitive data is a multi-layered process, and Streamworks has policies and procedures at each level to meet your data protection requirements.
If you don't have data protection requirements, don't worry. We'll secure and protect your data by default because we classify all client data as confidential.