Both the Data Privacy Act of 2012 (RA 10173) and the Cybercrime Prevention Act of 2012 (RA 10175) set out clear obligations for what an organization must do when a security incident happens. In addition, the National Privacy Commission requires organizations to notify it of qualifying personal data breaches within 72 hours of discovery and to summarize all security incidents of the year in an annual security incident report.
It is therefore essential that your employees know how to recognize a possible security incident and what to do about it. Below I describe the signs that may point to an incident and offer guidelines on the steps to take:
Confidential information must be kept secure to protect the business and its staff. A system or network breach, or a loss of data, can have severe consequences for an organization. The many publicized intrusions of recent years show that technical safeguards and a strong employee commitment to policy are both essential in preventing and responding to information security incidents. Train your employees: a well-trained ‘human firewall’ is one of the most effective defenses against breaches, and against the compliance failures that follow them.
With this in mind, every employee must know the proper channel and process for reporting a security incident that could compromise the confidentiality, integrity or availability of data, so that the incident can be contained and business operations maintained.
The following are possible signs that an information security incident is in progress or has already occurred. Some are legitimate occurrences and a normal part of daily operations; others may indicate a deeper problem. Employees should ask whether the behaviour (including behaviour not listed here) is expected or unexpected, and report what is unexpected:
• Strange application behaviour, such as programs that close unexpectedly or files and data that go missing
• Excessive system crashes
• Abnormally slow or poor system performance
• Reports from colleagues or outside contacts that spam or other unwanted email has been sent from the employee’s account
• Inappropriate pop-up windows or advertisements
• Locked accounts, or notifications of failed logon attempts the employee did not make, especially ones that occurred while they were away from their system
• Remote requests for information about systems or users (for example, someone claiming by phone or email to be help desk staff and asking for a password); legitimate IT staff never need a user’s password
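The two account-related signs above (locked accounts, and failed logons while the user was away) are also the easiest to check from the IT side, because every workstation or directory server records logon events. The following is an added example written for this post, not code from the original article or from any product: it parses a small set of constructed authentication log lines in an assumed format (“timestamp event user=… host=…”), and flags account lockouts and bursts of failed logons that happen while the user has no active session or outside assumed business hours. A single mistyped password followed by a successful logon is deliberately left unflagged, to illustrate the expected-versus-unexpected distinction; the thresholds and hours are assumptions to be tuned for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from any real system). The line format is an
# assumption for this example: "<ISO timestamp> <event> user=<name> host=<workstation>".
SAMPLE_LOG = """\
2024-03-04T08:55:10 logon_ok user=alice host=ws-alice
2024-03-04T12:02:31 logoff user=alice host=ws-alice
2024-03-04T12:40:05 logon_fail user=alice host=ws-alice
2024-03-04T12:40:21 logon_fail user=alice host=ws-alice
2024-03-04T12:40:44 logon_fail user=alice host=ws-alice
2024-03-04T12:41:03 account_locked user=alice host=ws-alice
2024-03-04T13:05:00 logon_ok user=alice host=ws-alice
2024-03-04T09:10:12 logon_fail user=bob host=ws-bob
2024-03-04T09:10:40 logon_ok user=bob host=ws-bob
2024-03-04T22:15:00 logon_fail user=carol host=ws-carol
2024-03-04T22:15:30 logon_fail user=carol host=ws-carol
2024-03-04T22:16:00 logon_fail user=carol host=ws-carol
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) host=(\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, event, user, host) tuples, sorted by time.

    Malformed lines are skipped rather than aborting the whole run, so one bad
    line cannot hide the rest of the evidence.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, host = m.groups()
        events.append((datetime.fromisoformat(ts), event, user, host))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious(events, fail_threshold=3, window=timedelta(minutes=5),
                    work_hours=(8, 18)):
    """Return alerts for lockouts and for failed-logon bursts while the user is away.

    "Away" is assumed to mean: no active session for that user (last event was a
    logoff, or no successful logon yet) OR the attempt falls outside work_hours.
    fail_threshold and window define a burst; all three are tunable assumptions.
    """
    alerts = []
    logged_in = defaultdict(bool)       # user -> has an active session
    recent_fails = defaultdict(list)    # user -> timestamps of failures in window

    for ts, event, user, host in events:
        if event == "logon_ok":
            # A successful logon ends the burst; a few typos are normal.
            logged_in[user] = True
            recent_fails[user] = []
        elif event == "logoff":
            logged_in[user] = False
        elif event == "account_locked":
            # A lockout is always worth a report, whatever caused it.
            alerts.append({"user": user, "host": host, "time": ts,
                           "reason": "account locked"})
        elif event == "logon_fail":
            # Keep only failures that fall inside the sliding window.
            fails = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            recent_fails[user] = fails
            off_hours = not (work_hours[0] <= ts.hour < work_hours[1])
            away = (not logged_in[user]) or off_hours
            if len(fails) >= fail_threshold and away:
                alerts.append({"user": user, "host": host, "time": ts,
                               "reason": "failed logons while away"})
                recent_fails[user] = []   # one alert per burst, not per attempt
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse(SAMPLE_LOG)):
        print(f"{alert['time']:%Y-%m-%d %H:%M:%S} {alert['user']}@{alert['host']}: "
              f"{alert['reason']}")
```

Run as a script, the example reports three items: the three failed attempts on alice’s account after she logged off, the lockout that followed, and the after-hours attempts on carol’s account. bob’s single failed logon followed immediately by a successful one is not reported. In a real deployment the same logic would read Windows Security event IDs 4625/4740 or a Linux auth log instead of the constructed lines, and “away” could be tied to badge or VPN records rather than to fixed hours.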
Compliance officers and data privacy officers must take an evaluative approach: check that the objectives set out in the compliance program are actually achieved, and address flaws and failures proactively whenever they are detected. Regulators such as the National Privacy Commission will look at whether a company regularly reviews and improves its compliance program. Note that ‘adequate procedures’ are only a defense if they were in place before the breach happened; procedures written afterwards do not count.
Among the questions regulators ask is how the effectiveness of the compliance program is evaluated and how it is continuously improved. That evaluation can take several forms, including internal and external audits, testing of the relevant controls, collection and analysis of relevant data (such as incident records), and regular updates, chiefly refreshed risk assessments and reviews of internal controls. Findings from remediation and follow-up should feed back into improving the program.
If you need assistance, audit teams (including ethical hackers) are available to guide you through your compliance program with the aim of avoiding costly data breaches. Companies that follow clear compliance programs and processes have a competitive edge.
Comments are welcome – contact me at Schumacher@eitsc.com