Company policies on protecting personal data

Application security
Digital certificates
Disaster Recovery
Identity & Access Management
Instant Messaging
Microsoft Exchange
Risk management
Secure Coding
Security Program Management
Security tokens
Single sign-on
I'd like to know what policies other companies have in place to protect personal data of employees, customers, etc. (data such as Social Security numbers, credit card numbers and the like). For example, is encryption required for transfer outside the company? How about inside the company? Is it required in transmission? Is it required in storage? Both? How about inside the company? How about within a database? How about backup tapes sent off-site? Do you require stronger access controls for those who use this type of data in their everyday job? We're considering stronger policies/standards in this area and I'd like some benchmark information about what other companies are doing. I'm from a large manufacturing company, so any feedback from someone in a similar area would be even more valuable. Thank you in advance.


2 options really:

1. Everything in house behind the firewall non-encrypted, while any laptop or remote connections via VPN are encrypted.

2. Encrypt everything.

The one thing that holds people back from total encryption is the time it takes to decrypt info in order to view/manipulate it.

The easiest method to employ is to set rules in the email client to encrypt all messages. Also protect file sharing on mobile units, encrypt VPN connections, and routinely change passwords.

  • Whitecap
    I agree with the previous respondent. However, your starting point should be access control. Only those people that need to see the sensitive information should have access to it. Company policy should then define how the sensitive information is to be handled. In all cases where such information is transmitted over an untrusted network, it should be encrypted. If sensitive information is physically sent outside of your security perimeter, e.g. on laptops, PDAs or backup tapes, then encryption should also be implemented.
