by Harry Stephens, Datamatx
Several months ago, the National Institute of Standards and Technology (NIST) issued its “Framework for Improving Critical Infrastructure Cybersecurity.”
The Framework outlines best practices for enterprises of all types that work with and house client data.
Because NIST’s recommendations are high-level and general in nature, they apply to every industry.
In reality, computer hackers probably are not your company’s only risk.
Vulnerabilities that exist within your own operations frequently lead to accidental privacy violations, which can be just as damaging.
These include people taking work home with them via laptops, portable USB devices, etc., that also might house customer data or proprietary information about your systems and operations.
The Framework provides a detailed method for reviewing your organization’s security measures and establishing a proactive system.
It prioritizes the relevant issues and considerations and classifies them into what it calls “tiers.” The Framework names five core elements of data security:
- Identify the risks. In the broadest sense, this means understanding the context of your business, the resources involved in your operations, and the related risks to your information technology functions. This component provides an overview of your particular situation: asset management, business environment, governance, risk assessment and risk management strategy.
- Protect the data. This covers the means of controlling access to systems and data, employee awareness and training, data security, information protection processes and procedures, maintenance and protective technology. An example would be limiting access to customer data, or only designated segments of it, to the staff members who need to see it; this can be achieved at least partly through password systems that are rigorously tracked and updated as an employee’s status changes.
- Detect any breaches. To avoid surprises, develop documented monitoring systems specific to where and how your data is stored and used, and put in place methods that alert you when the information has been accessed without authorization. NIST suggests tracking and recording any anomalies.
- Respond to any breaches. Develop ways to contain the impacts of any security breach, including a plan put in place ahead of time to cover communications within your organization and with clients, a careful and meticulous analysis of what happened and how, and the use of this information to improve future security.
- Recover. These are the steps taken after your immediate response: recovering any lost data, learning what you can from the incident for better planning, keeping up communications with those affected by the breach, and improving existing security procedures.
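The Protect and Detect elements above can be illustrated together in a small piece of code. The following is an added example, not code from the article or from Datamatx: customer billing records are divided into segments, each staff role may read only the segments it needs, every access decision is logged, and the log is scanned for the anomalies NIST asks you to record. The roles, segments and sample accesses are constructed for the example.

```python
"""Added example (not from the article or from Datamatx): least-privilege
reads of segmented customer billing data plus anomaly detection over the
access log. Roles, segments and sample accesses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Which segments of a customer record each role may read (constructed).
ROLE_SEGMENTS: Dict[str, Set[str]] = {
    "billing_clerk": {"contact", "invoice"},
    "payments": {"contact", "invoice", "payment_card"},
    "support": {"contact"},
}

@dataclass
class Employee:
    user: str
    role: str
    active: bool = True  # set to False when the employee's status changes

@dataclass
class AccessLog:
    entries: List[dict] = field(default_factory=list)

def check_access(emp: Employee, segment: str, log: AccessLog) -> bool:
    """Protect: allow only active staff whose role needs this segment.
    Every decision is recorded so Detect has something to work with."""
    allowed = emp.active and segment in ROLE_SEGMENTS.get(emp.role, set())
    log.entries.append({"user": emp.user, "role": emp.role,
                        "active": emp.active, "segment": segment,
                        "allowed": allowed})
    return allowed

def find_anomalies(log: AccessLog, max_denials: int = 3) -> List[str]:
    """Detect: flag any use of a deactivated account, and users with
    repeated denials (reaching for data outside their role)."""
    findings: List[str] = []
    denials: Dict[str, int] = {}
    for e in log.entries:
        if not e["active"]:
            findings.append(f"inactive account {e['user']} tried {e['segment']}")
        if not e["allowed"]:
            denials[e["user"]] = denials.get(e["user"], 0) + 1
    for user, n in denials.items():
        if n >= max_denials:
            findings.append(f"{user}: {n} denied segment reads")
    return findings
```

In practice the log entries would carry a timestamp and be shipped to a central monitor, so that the findings trigger the Respond step rather than sitting in memory.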
As NIST advises, it’s best to be proactive with a plan in place and in operation all the time and procedures that you can implement instantly if a data breach has been detected.
Although the NIST Framework is a recommendation and not a regulation, all enterprises that hold or transmit sensitive customer data are held to local, federal and international regulatory mandates relative to information security.
For improved efficiencies, many companies that handle high volumes of customer data have outsourced their electronic document processing, billing and distribution solutions to a third-party provider.
It is important, then, to ensure your outside partners are certified in operational excellence and security.
Know Who is Handling Your Data
Any billing solutions provider must hold the industry-standard certifications required for security compliance.
For example, the top three certifications relevant to processing financial data are:
- SSAE 16 (Statement on Standards for Attestation Engagements No. 16) Certification. SSAE 16 is an accreditation awarded by the American Institute of Certified Public Accountants (AICPA) and ensures that all outsourced documents are handled in a secure, reliable and stable environment with tight process controls in place.
- PCI DSS 2.0 (Payment Card Industry Data Security Standard) Compliant. The PCI DSS is a globally instituted security standard for all merchants and service providers who accept credit card information. It is designed to keep customer payment card data secure and prevent payment cardholder data fraud.
- Sarbanes-Oxley (SOX). Any organization fully trained in SOX regulations ensures that its clients are compliant with all corporate accounting controls required by U.S. federal law.
And Check the Locks
Not all security precautions are enshrined in legislation or can be officially certified.
At a minimum, high-volume billers should make sure that they and the service provider they choose have stringent internal security measures to protect customer data.
Check whether production areas are locked and monitored at all times.
Ensure FTP servers are protected by a well-rated hardware firewall to eliminate unwanted intrusions.
In addition, all electronic payment options need to be encrypted and performed over a secure SSL Internet connection.
Last, it is imperative that the service provider you choose to handle your sensitive information has a comprehensive disaster recovery program to safeguard against fire and other natural and environmental hazards.
Security is an Ongoing Process
Maintaining security, compliance and due diligence is a never-ending task, and there is no fence high enough to guarantee 100 percent security.
The best a company can do is oversee 24/7 monitoring of all data, networks and internal processes, and employ the best tools and practices available so that every security base is covered. The program should be well executed and reviewed by an independent third-party auditor who knows what to look for and can make useful suggestions for improvement.
Harry Stephens is president, CEO and founder of Datamatx, one of the nation’s largest, privately held full-service providers of printed and electronic billing solutions. Reach him at [email protected].