As accountability for data security continues to climb the ladder, how is a CEO to know how deep to get into the details?
To start, we decided to use a “lowest common denominator” set of industry standards, PCI-DSS (Payment Card Industry Data Security Standards). The group overseeing these standards, the Payment Card Industry Security Standards Council has a very difficult task. They are charged with setting standards that apply to all merchants (think Subway franchise all the way to Amazon and Walmart). They have done this with some overarching principles guiding tiered requirements based on each vendor’s degree of vulnerability. We will use these principles to suggest a most basic understanding that a CEO should have.
Who owns data security?
Before any standards are reviewed, someone needs to own the details. So we start with accountability. The CEO should know which direct report owns data security. While this sounds simple, many smaller organizations have information systems report through the finance function. And then the finance function includes accounting and information systems. Which of these groups owns data security? We have seen many businesses where the IT team takes direction from finance, but finance assumes the IT team is using their own judgment on data security. (This judgment is often skewed by “what does it take to get the job done?” more so than “what are the risks to our business?”) Bottom line: assign someone authority and put it in their job description. This person will quickly ensure that a policy is agreed to and widely shared. It may take a committee, but nobody should shoulder the answer to the question “how much risk are we willing to accept?” alone. With this guidance, they can then take steps to meet the security level / risk tolerance
PCI Security Standards
Here are the principles from the PCI Security Standards Council and some basic steps every CEO should take.
PCI principle: Build and Maintain a Secure Network and Systems
What does your network look like? Have you seen a one-page picture showing how your office connects to the world? It should include your telecom providers, any other locations you have and any data feeds from partners (EDI?), suppliers or cloud software services. This simple picture will ensure the CEO knows “how complicated is this?” and “who are we trusting with our data?”
PCI principle: Protect Cardholder (read “your important”) Data
What data is important to you? Is it clear the difference between public information and confidential information? Critical information needed to keep operations going vs. ancillary information readily available from other sources? The CEO should know and make sure their team knows the difference. It should be in writing and made available to all employees in their orientation and training. The IT team can then act on this and protect the data according to its sensitivity.
PCI principle: Maintain a Vulnerability Management Program
CEOs should know how their own data is protected. What anti-virus protects your laptop? How secure is your mobile device? Does your IT team know if you use devices at home for work and how they are protected against anti-virus? Do you have a way to send encrypted emails. Because CEOs typically have unique needs (more travel, more devices). They should not assume they are covered by standard company policies. Talk with your IT folks and find out if your unique needs have correspondingly unique security features.
PCI principle: Implement Strong Access Control Measures
Not too long ago many CEOs had password requirements that were less stringent than company policy. Some business owners would claim they were too busy to put a passcode on their phone. You should be a leader in setting the tone and should also know that your data may be especially sensitive. Embrace the challenge and find an effective password system that works for you.
PCI principle: Regularly Monitor and Test Networks
What threats are there to your company’s information? Who is keeping track and how are they doing so? You should know what the industry standards are for your business and have a corresponding level of attention to this area. Someone should be tasked with a formal, periodic evaluation of the security architecture. At a minimum this means maintaining anti-virus and operating system updates. For more confidential data, this means having technical network reviews performed. (These are often called vulnerability assessments or penetration tests. The costs for these services have fallen rapidly as their popularity has increased in recent years.)
PCI principle: Maintain an Information Security Policy
Whether it is one page or one hundred, the company should have something in writing saying what is confidential or private. Employees need guidance on what might be acceptable to share (“We just landed a large new client!”) and what is not (“It would be fun for my niece to share our new engineering designs with her graduate studies class.”)
Source for PCI-DSS: Payment Card Industry Security Standards Council https://www.pcisecuritystandards.org/
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Barnes Dennig helps organizations across multiple industries in the Greater Cincinnati and Northern Kentucky regions with their information systems risk management. This includes Service Organization Controls, IT audits, PCI-DSS, HIPAA and OCC third-party vendor management. Contact Robert Ramsay via email, or by calling (513) 241-8313.