Cybersecurity Essentials: Part 1
All organizations need to protect their systems and data from cyber attacks, which means that all organizations need to implement a cybersecurity program. This five-part series titled Cybersecurity Essentials will address each element of a program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.
The first item on your cybersecurity checklist is to create and document a privacy program that will include developing an internal privacy policy, training employees on that policy, and creating an internal policy for data retention.
Internal policy
Your internal privacy policy is an employee-centric policy that addresses leadership’s expectations around the use of email and internet, systems and access. Privacy concerns extend to employee records, client or customer records and communications, and the use of mobile devices.
Your privacy policy is written language, a document that can be shared with employees and new hires that clearly outlines your expectations related to privacy and the policies and guidelines you have developed to ensure your expectations are met.
Employee training
Once you have developed your policies and documented that they have been attested to by your employees, it is essential to conduct employee training on a regular basis, at least annually, to ensure employees not only are kept up to date, but that they understand your internal privacy policy and their ongoing obligations.
A training program will include:
Data retention policy
Data is the most important component of your privacy policy. You should develop a “retention policy” that details how long you retain each type of data. Your policy might be driven by industry regulations, for example, HIPAA regulations requiring healthcare providers to retain certain patient data for a specific period of time. Your policy will be driven by compliance requirements, but also by when data can and should be expunged. It should include protocols on how data should be archived, how long it will be kept, and how it should be expunged.
Delete data when you can to:
If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at jkrentz@vertilocity.com.