Creating a Data Security Plan
Organizations sometimes wonder about the relationship between privacy and security. In some settings, good security may be viewed as conflicting with good privacy, especially when surveillance measures are required. However, in the vast majority of scenarios, privacy and security work together. For example, good rules around data protection create a stronger security environment. Minimizing data also minimizes the "target profile" that a database or network presents to attackers. Categorizing data properly helps organizations prioritize where to expend resources.
This checklist is designed to give a basic outline for formulating a Data Security Plan for your organization. While you can craft a far more detailed plan and may have needs not covered by this outline, we hope this represents a good start for strengthening privacy and security across your organization.
A plan should include the following elements:
1. Assessment: evaluate the personal information you possess in files, computers and other places where data is stored.
2. Data Minimization (link to Data Minimization checklist): collect and retain only what your organization needs to perform its services.
3. Data protection: evaluate the security measures that can be used, including physical security, electronic security and general network security.
4. Deletion: implement best practices for the secure disposal of both physical and electronic assets.
5. Incident Plan: create an incident plan for a data breach (see checklist on data breach plan) and other security events.