Company policies on protecting personal data

I'd like to know what policies other companies have in place to protect personal data of employees, customers, etc. (data such as Social Security numbers, credit card numbers and the like). For example, is encryption required for transfer outside the company? How about inside the company? Is it required in transmission? Is it required in storage? Both? How about inside the company? How about within a database? How about backup tapes sent off-site? Do you require stronger access controls for those who use this type of data in their everyday job? We're considering stronger policies/standards in this area and I'd like some benchmark information about what other companies are doing. I'm from a large manufacturing company, so any feedback from someone in a similar area would be even more valuable. Thank you in advance.

ASKED: November 6, 2005  11:04 PM
UPDATED: November 7, 2005  7:48 AM

Answer Wiki:
Two options really:

1. Everything in house behind the firewall non-encrypted, while any laptop or remote connection via VPN is to be encrypted.
2. Encrypt everything. The one thing that holds people back from total encryption is the time it takes to decrypt info in order to view/manipulate it.

The easiest method to employ is to set rules in the email client to encrypt all messages; also protect file sharing on mobile units, encrypt VPN connections, and routinely change passwords.

Last Wiki Answer Submitted: November 6, 2005 11:50 pm by Mgregory
All Answer Wiki Contributors: Mgregory


Discuss This Question:
I agree with the previous respondent. However, your starting point should be access control. Only those people who need to see the sensitive information should have access to it. Company policy should then define how the sensitive information is to be handled. In all cases where such information is transmitted over an untrusted network it should be encrypted. If sensitive information is physically sent outside of your security perimeter, e.g. on laptops, PDAs or backup tapes, then encryption should also be implemented.