Awareness is Key for CFOs
CFOs are familiar with both the value of data and the liability that comes with storing it. However, data privacy is a complex subject that reaches across an organization. It’s essential that CFOs and other business leaders fully understand data privacy and protection, and how to respond if data is compromised.
Complicating the issue of data privacy is the volume of legislation that has become common in the business world. Compliance legislation such as HIPAA, GDPR, and CCPA has strengthened the concept of privacy by requiring organizations to meet legal requirements or risk substantial fines.
Today’s compliance regulations, along with the need to protect data from theft or interception, have created an environment in which CFOs must know how data is protected and who is responsible for it. That knowledge can only be gained by asking the right questions.
Where is Data Kept?
CFOs should request a data map from data managers that shows where data is kept. A data map records what data the organization collects, where it is stored, how sensitive it is, and whether it is subject to compliance requirements, which together illustrate the risk each data set carries.
A data map should be as comprehensive as possible and include anything that could potentially be shared with a third party, such as customer shipping information, point-of-sale data, email, documents, and so on.
Who can Access the Data?
Companies should be aware of who can access data and use that information as a foundation for security. However, mapping access, entitlements, and security policy is not an easy task. Access policies should be defined to give only the minimum level of data access needed to perform a task.
In most organizations, users and systems are granted entitlements to data, often through membership in groups: an Accounts Payable group, for example, has access only to Accounts Payable files. In a perfect world, granting access would simply be a matter of assigning the user or device rights to the data. In practice, data breaches, hacks, improper access, and many other issues have made securing data more complicated than that.
CFOs need to understand what access policies are in place, how those policies are enforced, and whether regular access audits are conducted to uncover problems such as entitlements that exceed a user’s role or accounts that still hold access after the person has left.
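The access audit described above can be automated in a small way. The following is an added example, not code from the original article: it checks a constructed entitlement table against a hypothetical least-privilege group policy and reports four kinds of findings an auditor would want to see: access outside the user’s group policy (over-entitlement), grants still held by a departed user (orphaned access), membership in a group the policy does not define, and grants that have not been used in 90 days. The group names, data-set names, users, and usage counts are all invented sample data.

```python
from dataclasses import dataclass, field

# Hypothetical least-privilege policy: each group may reach only these data sets.
GROUP_POLICY = {
    "accounts_payable": {"ap_invoices", "vendor_master"},
    "accounts_receivable": {"ar_invoices", "customer_master"},
    "payroll": {"payroll_ledger", "employee_master"},
}

STALE_DAYS = 90  # a grant unused for this long is a candidate for removal


@dataclass
class User:
    name: str
    groups: set
    active: bool = True
    # data set -> days since the user last touched it (None = never used)
    last_used: dict = field(default_factory=dict)


def allowed_for(user, policy=GROUP_POLICY):
    """Union of the data sets the user's groups are permitted to reach."""
    allowed = set()
    for group in user.groups:
        allowed |= policy.get(group, set())
    return allowed


def audit(users, observed, policy=GROUP_POLICY, stale_days=STALE_DAYS):
    """observed: user name -> data sets the system actually lets that user reach.
    Returns a list of (user, finding, details) tuples, in user order."""
    findings = []
    for user in users:
        actual = observed.get(user.name, set())
        if not user.active:
            # A departed user should hold nothing at all.
            if actual:
                findings.append((user.name, "orphaned_access", sorted(actual)))
            continue
        unknown = {g for g in user.groups if g not in policy}
        if unknown:
            findings.append((user.name, "undefined_group", sorted(unknown)))
        excess = actual - allowed_for(user, policy)
        if excess:
            findings.append((user.name, "over_entitlement", sorted(excess)))
        stale = sorted(
            ds for ds in actual
            if user.last_used.get(ds) is None or user.last_used[ds] > stale_days
        )
        if stale:
            findings.append((user.name, "stale_grant", stale))
    return findings


# Constructed sample data (not from any real system).
USERS = [
    User("alice", {"accounts_payable"}, last_used={"ap_invoices": 2, "vendor_master": 40}),
    User("bob", {"accounts_payable"}, last_used={"ap_invoices": 5, "payroll_ledger": 1}),
    User("carol", {"payroll", "contractors"}, last_used={"payroll_ledger": 3, "employee_master": None}),
    User("dave", {"accounts_receivable"}, active=False, last_used={"ar_invoices": 200}),
]
OBSERVED = {
    "alice": {"ap_invoices", "vendor_master"},
    "bob": {"ap_invoices", "payroll_ledger"},      # payroll_ledger is outside AP policy
    "carol": {"payroll_ledger", "employee_master"},
    "dave": {"ar_invoices"},                       # dave has left but still has access
}


def run_sample_audit():
    return audit(USERS, OBSERVED)


if __name__ == "__main__":
    for user, finding, details in run_sample_audit():
        print(f"{user}: {finding} -> {details}")
```

In a real environment the `OBSERVED` table would be exported from the file server, database, or identity provider, and the policy from the entitlement catalog; the value of the audit is in comparing the two rather than trusting either one alone.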
What Types of Personal Data Must be Stored?
Personal data is generally any data that identifies or can be linked to an individual. Examples include names, phone numbers, addresses, credit card numbers, social security numbers, and so on. Many compliance rules apply to personal and private data, so it is important to understand what is stored and why.
For example, order processing may require a name and address, as well as a phone number. If some of that data can be designated as optional, customers then have the choice of providing it or not. The idea is to store the least amount of personal data needed to accomplish a task, which in itself provides a degree of privacy protection.
The goal is to reduce risk in the event of a data breach. A breach that reveals only customer names and email addresses is less severe than one that reveals credit card numbers, passwords, addresses, or phone numbers. Organizations should expose customers and employees to the least possible risk.
How are Security Incidents Handled?
Incident management is a very important part of cybersecurity, especially when it comes to protecting privacy. CFOs should know whether an incident management workflow is in place. Incident workflows define the steps that must be taken when a security incident occurs or a new threat is uncovered.
The most important elements of an incident workflow are how an incident is detected, what steps are taken to remediate the problem, and who must be notified. Incidents can range from a lost device (laptop, smartphone, etc.) or a compromised password to account issues.
What Methods are Used to Detect Security Breaches?
One of the most important elements of data privacy is the ability to monitor data and report issues. Many compliance laws require that breaches be reported promptly, and an organization that fails to do so can face fines. Deploying a system or tools to monitor for and report breaches is no longer optional; it has become a requirement for many businesses.
What Processes are in place for Dealing with a Security Breach?
Just knowing about a breach is not enough; organizations must take action when a breach is detected. Having a plan to deal with a security breach is a critical element of cybersecurity best practices. That plan should cover who must be notified, how a forensic investigation is started, how the nature and impact of the breach are determined, how the affected data is identified, and how those who may have been impacted are informed.
Understanding how a breach occurred and what was impacted is critical to prevent other breaches from occurring. Any breach should trigger a review of policies, technologies, and entitlements in use. In this way, a breach can lead to improving cybersecurity and better protection of data privacy in the future.
Responsibility Spans Departments and Roles
Not so long ago, data protection was squarely in the realm of the IT department. However, data theft, breaches, and other malicious activities have increased, requiring that data protection and privacy become a job that spans departments and staff.
For the CFO, that means understanding what data privacy is and how that data is being secured. The same is true for other corporate leaders, as well.