10. You need a WISP.
A written information security policy, or WISP, is vital. Make sure there’s a person in charge of enforcing it.
9. Always encrypt data.
Sensitive data, especially personally identifiable information, must be encrypted at all times, from the server, to the cloud, to a laptop or USB drive.
8. Check your firewall
Simply having a firewall isn’t enough – it needs to be kept up-to-date, and you should consider unified threat management (UTM).
7. Update your security software.
You need to have up-to-date protection against malware, and the latest patches and virus definitions to guard against intrusion. Implement an update schedule.
6. Employees must be aware.
It’s not enough to have systems and policies; you must also educate staff and boost user awareness. Employees should be trained and sign off on security awareness at least annually.
5. Vendors must meet standards.
Make sure security expectations are clear in your contracts, and always perform due diligence.
4. Secure access control.
Make sure employees only have access to data that’s vital for them to perform their duties.
3. Review regularly.
View this as a continuous process, not a finite task. You must review your security procedures at least once a year to ensure they’re up to the task.
2. Compliance is cheaper.
If you’re resisting the allocation of proper security resources, you should be aware that the state will levy serious fines for compromising regulations.
1. Don’t get complacent.
Just because you have complied with the regulation doesn’t guarantee your data is safe. It’s a solid foundation for the information security program you should continue to build.