Compliance and Data Protection for 2019

January 17, 2019
Compliance, Data Protection

By Trevor Bidle
VP | Information Security and Compliance Officer at US Signal

The last year has seen an increase in data breach and hacking activities, along with the proliferation of ransomware attacks. That’s why one of the key priorities for companies in 2019 is to have a data protection plan in place. 

A strong data protection program can minimize the impact of cyber-attacks on business operations, protect customer data, and help spare companies from legal liabilities, public embarrassment, and missed customer expectations.

Defining Data Protection

Data protection covers the confidentiality, integrity, and availability of data stored or processed by a business. 

Confidentiality

Implementing controls for confidentiality helps ensure that data remains private. To maintain privacy, appropriate security safeguards are deployed to allow only those with authorized access to view or edit data. Common methods for providing data protection for confidentiality include:

  • Implementation of firewalls
  • Use of unique user ids with strong passwords
  • Utilization of two-factor authentication for access
  • Anti-virus deployment
  • A strong vulnerability management program
  • A patching program  

Integrity

Data protection for integrity ensures the accuracy and consistency of data through its lifecycle within a company’s systems and helps prevent the corruption or deletion of data. Strategies for maintaining data integrity include ensuring audit trails are maintained and data backups are regularly executed. 

Availability

Most compliance and regulatory standards have provided additional guidance for data protection for availability, particularly because of the threats that ransomware poses. Tactics include:

  • Backup
  • Replication of servers and systems
  • Off-site backup
  • Hot or cold off-site recovery servers
  • Business continuity and disaster recovery plans  


Understanding Compliance Obligations

In recent years, greater emphasis has been placed on data protection strategies for companies operating in regulated spaces. Companies must understand the data protection requirements they’re required to meet in order to comply with various standards or regulations such as:

  • PCI-DSS
  • HIPAA/HITECH
  • GDPR
  • Financial Regulations (FFIEC, OCC, FINRA, NAIC, FDIC, NCUA)
  • Consumer Financial Protection Bureau
  • Gramm-Leach-Bliley Act (GLBA)
  • California Consumer Privacy Act
  • 23 DFS NYCRR 500
  • SSAE 18 SOC 2  


Assess Vulnerabilities

  • Data Inventory and Classification: Meeting compliance obligations and building a comprehensive data protection plan starts with understanding what must be protected. Inventory and classify your company’s data. This helps you understand what data your company has, the sensitivity level of the data, and where sensitive data is stored. It’s also important to assign recovery time objectives for the data. This facilitates the prioritization of data protection activities and allocation of resources.
  • Data Retention and Backup: Backups are required by almost every compliance standard and are a security best practice. Along with a data retention schedule, backups from prior to a failure or infection can help ensure that data can be restored. Equally important is having your IT team test the backup process to make sure it works properly. New technologies integrated into some backup platforms allow for automated testing so IT teams don’t have to conduct manual restores.
  • Data Replication: If you have data that’s highly critical and must always be available, data replication should be part of your data protection strategy. This can be done between servers at the same site or to an alternate site. The primary and replication servers can operate as a hot-hot pair or a hot-cold pair depending on the amount of time your business can wait for the replication server to come online. Replication servers should be off site to provide protection from site-level disasters or events to help ensure data availability. It’s important to note that replication is not the same as a backup. However, backup and replication can complement one another.
  • Disaster Recovery: Having a DR strategy with assets identified and predefined plans to restore or recover from a catastrophic failure is required in regulated industries. DR plans should be documented and tested, and employees should understand their roles. This is one of the more difficult areas for companies to dedicate resources to from both a human and physical resources perspective. The use of managed services can help. By having a third party handle the documentation of assets and provide a predefined playbook and technologies to restore services when needed, IT staff is freed up to work on other endeavors.


Developing a Data Protection Strategy

In summary, a well-developed data protection strategy should address the confidentiality, integrity, and availability of data. Incorporating best practices for security and data protection can also meet many compliance requirements. 

Data protection starts with understanding your data assets and where they are housed. Ensuring timely patching and vulnerability scanning is important, as is developing a tiered recovery plan to protect the data. Layering backup services, replication, and disaster recovery as a service (DRaaS) can help meet the data protection requirements outlined in standards such as PCI-DSS or HIPAA. If your company doesn’t have expertise in the data protection space, a trusted partner can augment your IT services or provide guidance to help you meet your compliance obligations.

For more information about data protection and compliance for 2019, contact US Signal. Call 866.2.SIGNAL.