Find the Map, Locate the Treasure and Keep the Pirates Away: 10 Data Security and Privacy Best Practices

The best practices of data privacy are similar to playing the children’s game “Treasure Hunt.” Imagine yourself in an exotic tropical paradise, and your goal is to find and guard a cache of valuable buried treasure. Pirates from lands far and wide are swarming the area, and they want that treasure as badly as you. The rules require you to build your team carefully since you’ll need people to fill a variety of roles, such as navigator, interpreter and defender. The pirates are also collaborating, and they are increasingly crafty.

These top 10 data privacy best practices can help you find and guard your own “crown jewels.” Here’s how to play to win:

1. Learn the Language

Learn the privacy vocabulary and use plain language when you explain technology. Your board of directors is not a panel of cryptography experts. This handy glossary of privacy terms from the International Association of Privacy Professionals (IAPP) will help you in your quest.

2. Know and Share the Rules

In the game of privacy, the rules are privacy fundamentals. This includes what qualifies as personally identifiable information (PII); how the organization defines PII; your group’s privacy policies and notices; and privacy program operations.

3. Be Prepared

Buying what you need at the last minute will be more expensive and make your goals more difficult to accomplish. John Wooden once posited, “If you don’t have time to do it the first time, when will you have time to do it over?” Often, privacy and security controls are considered as an afterthought, resulting in higher costs and implementation complexities. Consider adopting Privacy by Design (PbD) principles.

4. Have a Treasure Map

As Yogi Berra said, “If you don’t know where you are going, you may end up someplace else.” Learn how to secure your company’s “crown jewels” and leverage a critical data privacy program to help you get where you’re going faster.

5. Hide the Critical Parts With Invisible Ink

Not all of your employees or third-party contractors need to be given authorization to see sensitive data in your Web applications. The right security programs can provide dynamic masking on the screen to protect sensitive data elements without changes to your applications.
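The dynamic masking described above, as an added example that is not IBM's product code: a small masking layer of the kind a proxy or view filter would run in front of an unchanged application, with the role names, field names and sample record assumed for illustration.

```python
# Role-based dynamic data masking applied to records on their way to the screen.
# Added example, not IBM's product code: a masking layer of the kind a proxy
# or view filter would run so that sensitive fields are masked per viewer
# role without changing the application that produced the records. Role
# names, field names and the sample record are constructed for illustration.
import re

# Masking policy per role: "full" shows the value, "partial" keeps a
# recognisable tail, "redact" hides it entirely.
POLICY = {
    "privacy_officer": {"ssn": "full", "email": "full", "card": "full"},
    "support_agent": {"ssn": "partial", "email": "partial", "card": "partial"},
    "contractor": {"ssn": "redact", "email": "redact", "card": "redact"},
}

def _partial(field, value):
    if field == "ssn":
        return "***-**-" + value[-4:]
    if field == "card":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 4) + digits[-4:]
    if field == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    return "***"

def mask_record(record, role):
    """Return a copy of record with sensitive fields masked for the given role.
    Unknown roles get the most restrictive treatment (everything redacted)."""
    rules = POLICY.get(role, {f: "redact" for f in ("ssn", "email", "card")})
    out = dict(record)
    for field, action in rules.items():
        if field not in out or out[field] is None:
            continue
        if action == "partial":
            out[field] = _partial(field, str(out[field]))
        elif action == "redact":
            out[field] = "[REDACTED]"
    return out

# Constructed sample record (fake values).
SAMPLE = {"name": "A. Customer", "ssn": "123-45-6789",
          "email": "acustomer@example.com", "card": "4111 1111 1111 1111"}

if __name__ == "__main__":
    for role in ("privacy_officer", "support_agent", "contractor", "unknown"):
        print(role, mask_record(SAMPLE, role))
```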

6. Protect Your Treasure

Take a risk management approach to identifying the security controls you need based on an asset’s risk level. Consider data activity monitoring to remain aware of the pirates’ whereabouts, keep them away from your treasure trove and be able to identify any other traitors attempting to also steal your booty. Data encryption can scramble your map and hide your treasure with policy-driven data-at-rest protection for databases, files, big data and rich content. Use identity governance, along with identity and access management controls, to ensure only those who are authorized have the credentials to access those applications and data.
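The data activity monitoring idea above, as an added example rather than any vendor's rule set: a detector that reads constructed database audit records for a PII table and flags unauthorized accounts, bulk reads and off-hours access; the table names, accounts, thresholds and log lines are assumptions.

```python
# Data activity monitoring over constructed database audit records.
# Added example, not any vendor's rule set: table names, accounts,
# thresholds and log lines are assumptions made for illustration.
import re
from datetime import datetime

# Constructed audit log: timestamp, db account, verb, table, rows returned.
AUDIT_LOG = """\
2015-05-01T09:12:03 app_svc SELECT customers 25
2015-05-01T09:15:44 app_svc SELECT orders 120
2015-05-01T10:02:10 jdoe SELECT customers 41
2015-05-01T23:41:57 jdoe SELECT customers 250000
2015-05-01T11:20:05 tmp_contractor SELECT customers 8
2015-05-02T14:05:00 app_svc UPDATE customers 1
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Policy for the table holding the "crown jewels".
PII_TABLES = {"customers"}
ALLOWED_ACCOUNTS = {"app_svc", "jdoe"}  # accounts entitled to read PII tables
BULK_ROWS = 10_000                      # more rows than any screen would show
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 local

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, account, verb, table, rows = m.groups()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "verb": verb, "table": table, "rows": int(rows)}

def findings(log_text):
    """Return (account, table, reason) tuples for events that violate the policy."""
    out = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None or ev["table"] not in PII_TABLES:
            continue
        if ev["account"] not in ALLOWED_ACCOUNTS:
            out.append((ev["account"], ev["table"], "unauthorized account"))
        if ev["rows"] >= BULK_ROWS:
            out.append((ev["account"], ev["table"], "bulk read"))
        if ev["ts"].hour not in BUSINESS_HOURS:
            out.append((ev["account"], ev["table"], "outside business hours"))
    return out

if __name__ == "__main__":
    for f in findings(AUDIT_LOG):
        print(*f)
```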


7. Ensure the Rulers Are Informed

In privacy, it is critical to collaborate and seek advice from the privacy office, the legal and compliance teams and the line of business, IT and security groups. These decision-makers need to guide you on privacy policies, understand the implications of your recommendations and make sure the controls you suggest do not interfere with driving business value.

8. Keep Score

The most effective privacy-focused organizations assign accountability by subject area or business function and keep metrics to track program effectiveness. Some even require senior executive sign-off on privacy compliance.

9. Don’t Be a Creep

During the game, you don’t want a friend eavesdropping on strategic conversations or standing too close while you count your gold. The same applies to privacy: Just because you can collect personal information doesn’t mean you should. There’s plenty of recent news with examples of privacy ethics and the implications of actions that, while legal, often overstep the bounds of what is considered ethical. Being creepy could cost you not just friends, but also customers.

10. Send Out Data Privacy Scouts

Security intelligence can provide a powerful view of the big picture, tying together all aspects of your privacy infrastructure and identifying security risks in real time so you can detect and prevent breaches. You can also stay up-to-date on what the pirates are doing via the X-Force Threat Intelligence Quarterly.

Now that you’re armed with the game’s instructions, you can apply them to guarding your very own corporate treasure. Best of luck in your adventure!


Cindy Compert

CTO Data Security and Privacy, IBM Security

Cindy is a technical visionary driven by wanting to make a difference around the world, advancing the health, safety, and well-being of others. She believes that Data Security and Privacy are key enablers to realizing the benefits of the digital and cognitive enterprise. Cindy has worked with hundreds of clients across multiple industries including Finance, Healthcare, and Public Sector. She is an active member of the International Association of Privacy Professionals (IAPP), a Certified Information Privacy Manager/Certified Information Privacy Technologist, and co-author of “Information Governance Principles and Practices for a Big Data Landscape”. Cindy invented the IBM Security GDPR Framework and is leading IBM Security’s GDPR solution strategy across the company. She is a highly-regarded speaker and has presented at RSA, IAPP and IBM InterConnect conferences. Cindy was also recently granted a patent on mobile caller risk. Cindy holds a BA/MBA from New York University and is a recognized Impressionist landscape painter who exhibits throughout Southern California.