You can’t be PCI compliant for a few months and then fall back into old habits. You also can’t have only a few PCI compliant sections in your business. What you need is consistency in your data security.
Depending on the size and environment of your company, security consistency can be a real challenge. You may have to navigate multiple departments and teams. Throw in the lack of overall procedure, and properly implementing security becomes almost impossible.
Here are 6 ways to establish security consistency in your company.
1. Create and implement security policies and procedures
Having a policy for each security measure is a great way to streamline the process. Create procedures for every aspect of security. Remember that each business has unique needs for security, so have policies set in place to address these unique needs.
Here are a few examples of security policies and procedures your business may need:
- Firewall policy
- Software updates policy
- Limited access policy
- Physical security policy
- Incident response policy
- Employee training policy
- Business continuity policy
You’ll also need to devote time to implementing these policies. Even the greatest security policy is worthless if it isn’t implemented properly. If you have a policy written out, but no one is using it, your business isn’t any more secure than before you created the policy. I recommend you incorporate these policies into your employees’ training.
2. Document everything
Not only do you need policies and procedures; you need to have them documented. Policies should be written down and easily accessible for employees. Your employees can then refer to the policies should they have a question about security.
Documentation may also help protect your business from potential liability in the event of a breach. Having thorough and accurate security policies and procedures written down will help auditors see what measures your company is taking in security.
Some documents you’ll definitely want include:
- Employee manuals
- Policies and procedures
- Third party vendor agreements
- Logging and network monitoring
3. Put someone in charge of PCI compliance
It’s not enough to just leave security to the IT team, especially if you’re a medium/large business. Having someone in charge of PCI compliance and security will help. They can then address all problems related to compliance.
I advise you to take a top-down approach to security. Having a person in charge of security PCI compliance will streamline the process of implementing security policies, and make it easier to navigate the different departments’ needs in security.
4. Establish good communication between departments
The problem many companies find in security is that each department is unaware of what other departments are doing. You need to establish policies and good communication between departments and teams.
The more teams talk to each other, the more they’ll be in sync on security. Getting employees used to working with other departments will help them to implement security better. Here are some ways to increase communication between departments:
- Have departments hold weekly meetings
- Hold Q&As for departments to address needs
- Hold interdepartmental meetings
- Do communication exercises to encourage cooperation
5. Train staff frequently on security
Your best policies mean nothing if your staff isn’t trained properly. All it takes is one careless staff member for data to be stolen. They need to be trained in data security policy and implementation.
It’s no longer enough to hold annual training meetings. You should be training staff quarterly, if not monthly. Constant security training will help employees to implement policies and follow security practices.
Some things to include in your training program:
- Passwords and two-factor authentication
- Proper disposal of data and equipment
- Social engineering
- Log-in monitoring
- Policy updates
- Security updates
- Remote access security
- Recognizing phishing emails
- BYOD security
6. Follow data security best practices
Think of maintaining security like taking care of your body. While you do go to the doctor for illness and injury, it’s up to you to keep your body healthy through eating right, sleeping well, and getting exercise.
You need to keep your security up to date and running smoothly to avoid data breaches, and you can do that by following some data security best practices, such as:
- Limit administrative access: Make sure your employees only have access to the data they need and nothing more. This reduces the risk of data theft.
- Whitelist applications: Monitor which applications are being downloaded and used. This keeps potentially harmful applications from being downloaded.
- Patch software: Software and operating systems will often have vulnerabilities that can be exploited. Constantly scanning for and patching vulnerabilities will keep your data secure.
- Secure remote access: Unsecured remote access is one of the biggest threats to data because many companies don’t properly secure it. Keeping your remote access secure by installing firewalls and limiting access will prevent hackers from stealing data through the application.
While taking these steps may take more time and money, making security consistent in your company will help you to protect your data more efficiently.
You can’t afford to do security halfway. Having one streamlined vision for security the whole company understands is the best way to protect your data efficiently and effectively.
Mike Reisen is a Security Analyst and has been with SecurityMetrics for over 2 years, doing PCI DSS assessments. He is a graduate from the University of Utah, and has worked in the IT industry for over 15 years.