What is “Sensitive Information”?
This is the second part of a multi-part series on creating an information management plan for business clients.
Basically, any information that your client would not want posted on the bulletin board is potentially sensitive information. Many clients will say that they do not have that much sensitive data on their systems. This may be true, but there are some questions we have to ask them.
– Do you process any “keyed” credit card transactions or take any credit card information over the telephone? If so, is the credit card information ever written on a piece of paper? What happens to that paper after the transaction is processed? (The PCI DSS requires that the paper be shredded immediately in a crosscut shredder.) What controls (written policies, supervision, etc.) are in place to ensure that this happens?
– Is any credit card information kept on file, either on paper or in an electronic form? The PCI DSS requires that access to such records be controlled. The PCI DSS also clearly states that the 3-digit security code on the back of the card MUST NOT be recorded or stored – it should not be written down in a paper file or stored electronically, even in an encrypted form.
– Do you process payroll or keep any employee files (practically every employer does maintain employee information, even if they contract payroll to a third-party)?
– Do you maintain customer or client lists that you do not share with everyone in the business and/or the public?
– Do you maintain financial records for clients or business partners?
– Do you maintain client or patient records that you are required by law to protect? (Examples would be PIPEDA in Canada, HIPAA for health information in the US, and GLBA for financial records in the US. Every country has laws requiring protection for certain types of records; you need to research the laws in your country.)
– Do you maintain records about ongoing projects, bids, company processes, or other information that you have developed (“company secrets”, the ways that you do things, etc.) that you would not want to be made public?
– Do you have internal or external correspondence or documents (emails, internal memos, etc.) that you would not want to share with everyone in your organization?
Most business clients will answer “yes” to one or more of these questions. If there are no controls in place to protect sensitive data, it should be assumed that ANYONE who wants to could access that data. All businesses have SOME controls in place – our job is to determine what controls ARE in place and what controls SHOULD be in place, based on the answers to the questions above.
Next: Data Classification
Dennis H in West Virginia, US
November 26, 2009