FTC Releases 10 Data Security Guidelines
The Federal Trade Commission (FTC) has released a list of data security guidelines gleaned from the agency’s 50+ data security settlements, Start with Security: A Guide for Business. Their main goal is to protect consumers privacy and data, and so their guidelines reflect as such:
1. Start with security.
That means, factoring security into every dept. of your business, including personnel, sales, accounting, IT, etc.
Start with scope - reduce your risk of losing data by securely disposing of personal information your company doesn’t need. There’s no need to store data after a sale is complete.
Hold onto info only as long as a legitimate business need requires you to, and don’t use personal info when unnecessary.
2. Control access to data sensibly.
Restrict access to sensitive data to only employees that need to use the data to do their jobs. Consider separating user accounts to limit access to personal data, or control who can use particular databases.
Administrative access should be limited to employees tasked with the job. Not everyone needs super-administrative rights to make system-wide changes to your system - examine job roles and restrict their permissions accordingly.
3. Require secure passwords and authentication.
According to the FTC, that includes insisting on complex and unique passwords that aren’t the same or similar to passwords on other accounts. They also recommend storing passwords securely - and not in plaintext in email accounts or on their computers. The guidelines fall short of saying so, but encrypting passwords is best practice.
To protect against password compromises, the FTC also recommends that businesses consider using two-factor authentication, which can stop an attacker from accessing a company network with only a password. Mobile-based two factor requires a physical device to log in, such as a smartphone.
Brute-force attacks can also crack your password using automated programs - by suspending or disabling user credentials after a certain number of unsuccessful login attempts, you can guard against a potential breach. Testing for web application security flaws can also protect against an authentication bypass.
4. Store sensitive personal information securely and protect it during transmission.
The FTC recommends encrypting confidential data during storage and transmission, and using industry-tested and approved methods. Some possibilities include TLS/SSL (Transport Layer Security/Secure Sockets Layer) encryption, data-at-rest encryption or an iterative cryptographic hash.
Map your encryption strategy to secure data at all stages, during transmission between all servers and locations. And, ensure proper configuration of encryption, which, if done improperly, can make apps vulnerable to attacks.
5. Segment your network and monitor who’s trying to get in and out.
Protect sensitive data by housing it separately on your network, and don’t allow other computers to communicate with it. The FTC also recommends using firewalls, intrusion detection and prevention tools to monitor activity on your network.
6. Secure remote access to your network.
Ensure endpoint security for any computers with remote access to company networks, and limit third-party access.
In one case cited by the FTC, attackers stole remote login credentials to access consumer data. While they encourage the use of firewalls and updated antivirus, two-factor authentication can also effectively stop remote attackers, as it also requires the use of a physical device to log in.
Some two-factor solutions also allow you to generate temporary bypass codes for vendors that expire after one use or a set time.
7. Apply sound security practices when developing new products.
Start by training engineers in secure coding practices, and follow platform guidelines for security. Verifying your third-party software’s privacy or security features is also key to ensuring they work.
Testing for common, well-known vulnerabilities is also often overlooked - the FTC recommends testing for vulns identified by the OWASP (Open Web Application Security Project).
8. Make sure your service providers implement reasonable security measures.
By insisting that security standards are part of your third-party vendor contracts, you can ensure reasonable security precautions like encryption are part of the deal before you sign.
Verifying their compliance with security policies and standards can also help protect your company and consumer data.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
Updating and patching third-party software can reduce the risk of a compromise by ensuring protection against known vulnerabilities. Establishing a process for quickly addressing security vulnerabilities can also prevent an attack - consider an effective process for clearly publicizing security alerts to your security staff.
10. Secure paper, physical media, and devices.
When it comes to paper and physical data, they should be physically secured behind lock and key, and disposed of properly by shredding documents or wiping devices. Protecting point-of-sale (POS) devices is also recommended, to prevent tampering and potential data-skimming attacks.
Establishing and teaching employees about security practices while data is en route can stop physical data theft - unencrypted data left inside an employee’s car, for example, can leave a company prone to a breach.