What's the one thing every company's data security program must include? That's the question we recently put to experts in the field, knowing that, especially after Heartbleed, the diversity of responses would create an invaluable checklist for all risk managers and corporate leaders charged with the protection of company (and client) data. Here's what we heard back:
1. Ongoing Assessment of Priorities
Effective data security is not a one-size-fits-all concept, and it needs to be nimble so that it can quickly adapt based on your company’s needs, changing technologies, and emerging threats…
From Pat Fowler, partner at Snell & Wilmer: “An effective data security program must include, and arise from, a continuing assessment of the company’s data security needs. The federal government’s new cybersecurity framework would be a reasonable starting point for this assessment. Effective data security is not a one-size-fits-all concept, and it needs to be nimble so that it can quickly adapt to changing technologies and emerging threats. The company needs to establish its priorities for data security – the relative value of the various kinds of data that it collects, maintains or transmits, the risk and liability if such data is lost or breached – and the assets/resources (financial, technological, human) that it can reasonably commit to meet those priorities. A company’s risk tolerance and various external factors (evolving threats, client/customer requirements, applicable regulatory schemes, industry standards, etc.) also must be included in this continuing assessment in order to have an effective data security program, both today and in the future.”