Security Program: Policies, Training, and Other Steps to Protecting Sensitive Data

Date February 22, 2023
Article Authors
Justin Krentz

Cybersecurity Essentials: Part 2

All organizations need to protect their systems and data from cyber attacks, which means that all organizations need to implement a cybersecurity program. This monthly blog, titled “Cybersecurity Essentials,” details the elements of a comprehensive program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.

In Part 1 of our series, we addressed privacy concerns as they extend to employee records, client or customer records and communications, and the use of mobile devices. Here we shift our focus to a discussion of a security program, which includes training, policies, and other steps required to protect your organization’s sensitive data.

Security awareness training of employees and contractors

Staff and contractors who have regular access to your critical systems should be provided security training that is tailored to your organization and sensitive information. Online security training should be geared toward providing a basic understanding of cyber threats or physical threats of individuals seeking to gain access to information they shouldn’t have access to. The program should also cover how you will respond if access is compromised, and provide individuals with access to your systems an understanding of your threat landscape, what to do to mitigate your exposure, and what do to if sensitive data is exposed.

Phishing awareness training

The majority of data breaches start with an attacker sending an email that deceives someone in an organization into providing sensitive information or installing malware. Using a service that randomly tests users on their ability to identify phishing emails will reveal the individuals in your organization who are more prone to opening emails without doing what is necessary to validate they are not malicious. Phishing awareness training is critical to keeping bad actors from gaining access to your networks.

Clean desk policy

A “clean” desk is a user’s workstation that secures sensitive information by preventing access by an unauthorized individual. By securing sensitive information or removing sensitive information the user can prevent access by something as simple as moving a mouse. A clean desk policy seeks to ensure data confidentiality and that users are following the organization’s data protection guidelines.

Visitor program

A visitor program includes a set of physical safeguards. A clearly defined visitor policy, such as requiring a badge or escort to enter your offices, can keep assets from getting into the wrong hands. The program will vary in content and requirements from organization to organization but always seeks to ensure visitors adhere to whatever those guidelines are. The process should be shared with and understood by all employees.

Identifying digital assets

The organization should conduct an annual risk assessment that includes a complete inventory of digital assets and a vulnerability report. It should reveal risk blind spots, and identify where and how digital assets are deployed—and should be deployed. Risk assessments must be done on a recurring basis as assets regularly move around organizations and need to be tracked just as regularly.

Multi-factor authentication

Multi-factor authentication is a preventive measure that requires a combination of prompts from a user to access the information they are authorized to access. A second form of authentication serves, in particular, to protect against compromised, including stolen, passwords.

If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at jkrentz@vertilocity.com.

Speak to one of our professionals about your organizational needs

"*" indicates required fields