
How Data Cleansing Protects Sensitive Information

BY: Stephanie Salavejus, CPP | 05/29/25

In 2015, I hosted a webinar on securing data in the payroll department, covering the best practices for protecting and disposing of sensitive data. Attendees participated in a roundtable discussion and freely admitted they made multiple backups and copies “just in case.” When asked if they kept a log of the copies and the data storage location, there was a long silence.

Complying with federal and state document retention laws is important, but many keep sensitive information far longer than required. They fear disposing of information in the event of an audit or a request from management, but time passes quickly, and before you know it you have accumulated 10 years of data in a storage unit or on a server that has been forgotten. Without proper controls, there is a risk that cybercriminals will obtain access and steal sensitive information to sell or hold hostage.

Annual Data Cleansing

Security experts recommend keeping a detailed inventory of all sensitive data stored and performing “data cleansing” annually on all servers and individual systems.

Data cleansing, or scrubbing, involves reviewing policies and then locating, cleansing, and protecting stored data. The process includes removing, generalizing, or encrypting the data to prevent it from being compromised in the event of unauthorized access.

Below are the lessons learned from our organization’s recent completion of a similar exercise:

Begin With Company Data Storage Policy

The process begins with reviewing the company’s policy, which covers the company’s storage, access, and destruction protocols. The policy requires employees to complete a security course annually. The training focuses on safe data handling, third-party data exchange, and keeping only necessary data.

Send Out Survey

A survey is sent to all team members who have access to and handle sensitive data. The survey dives into the who, what, where, when, and why of handling and storing sensitive data, as well as how the data is stored. The survey also looks for behaviors that are not part of the adopted standard operating procedures, like performing excessive backups in multiple locations as a safety net.

Sweep Systems to Locate Data

The security team “sweeps” all the systems to find where data is being stored and sends a report to each team member for review. The security team uses a program they developed using a list of variables to identify data files, including deleted ghost files. Data stored outside the organization’s policies is flagged for an in-depth review.
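
A minimal sketch of such a sweep, added here as an illustration and not the security team's own program. It assumes the "list of variables" is a set of text patterns (a US SSN layout and a bank routing number), that approved storage is a known directory, and it does not try to recover deleted files; the directory names and records are constructed.

```python
import os
import re
import tempfile

# Assumed "list of variables": regexes for data the policy treats as sensitive.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "routing": re.compile(r"routing\D{0,20}\d{9}\b", re.IGNORECASE),
}

def scan_file(path, max_bytes=1_000_000):
    """Return {pattern_name: hit_count} for one file (first max_bytes only)."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(max_bytes).decode("utf-8", errors="ignore")
    except OSError:
        return {}  # unreadable file: skipped here; a real sweep would log it
    counts = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}

def sweep(root, approved_dirs):
    """List files under root holding sensitive data; flag those outside policy."""
    root = os.path.realpath(root)
    approved = [os.path.realpath(d) + os.sep for d in approved_dirs]
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                flagged = not any(path.startswith(a) for a in approved)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report.append((rel, flagged, hits))
    return sorted(report, key=lambda r: r[0])

def demo():
    """Sweep a constructed sample tree: one approved store, one stray backup."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "secure_server/payroll.csv": "Jane Doe,123-45-6789,4200.00\n",
            "desktop_backup/payroll_copy.csv": "Jane Doe,123-45-6789,routing 123456789\nJohn Roe,234-56-7890\n",
            "desktop_backup/notes.txt": "Order 000-12-3456 shipped, call 555-0100\n",
        }
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return sweep(root, [os.path.join(root, "secure_server")])
```

Calling `demo()` returns one row per file that holds sensitive data; the stray backup copy is flagged, the file on the approved server is listed but not flagged, and the notes file with look-alike numbers is not reported.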

Generalize Your Data

Data saved for analysis or training is processed using software that replaces sensitive information with anonymized data. This process ensures the data cannot be traced back to the specific source, rendering it of no value to anyone outside the organization.
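
One way to generalize payroll records before analysis, shown as an added example rather than the software the article refers to. The field names and sample records are constructed, and the approach (a keyed hash with a per-run key that is never stored, plus coarsened ZIP code, birth date, and salary) is an assumption about how such a tool could work.

```python
import hashlib
import hmac
import secrets

def make_pseudonymizer(key=None):
    """Return f(value) -> stable token. The key is per-run and never stored."""
    # A keyed hash matters here: SSNs have so few possible values that a plain
    # hash could be reversed by trying every one of them.
    key = key or secrets.token_bytes(32)
    def token(value):
        digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
        return "P-" + digest.hexdigest()[:12]
    return token

def salary_band(amount, width=10_000):
    """Generalize an exact salary to a band such as '40000-49999'."""
    low = int(amount) // width * width
    return f"{low}-{low + width - 1}"

def generalize(records):
    """Return new records with identifiers replaced or coarsened."""
    token = make_pseudonymizer()
    out = []
    for r in records:
        out.append({
            "employee": token(r["ssn"]),        # same person -> same token
            "zip3": r["zip"][:3] + "XX",        # coarsen location
            "birth_year": r["birth_date"][:4],  # drop month and day
            "salary_band": salary_band(r["salary"]),
        })  # name and SSN are never copied into the output
    return out

# Constructed sample records (not real people).
SAMPLE = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "68501", "birth_date": "1984-03-12", "salary": 42000},
    {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "68501", "birth_date": "1984-03-12", "salary": 44500},
    {"name": "John Roe", "ssn": "234-56-7890", "zip": "68502", "birth_date": "1990-11-02", "salary": 61250},
]
```

Rows for the same employee still share a token within one run, so the data stays useful for analysis, while a new run produces unrelated tokens because the key is discarded.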

Proper Data Storage

All databases containing personally identifiable information are stored on a secure server with restricted access controls. Individual users are authenticated, and data is encrypted. Extensive logs record all access to the files, and access outside of business norms is immediately reported to the security team. If a team member is working outside of normal business hours, they are required to notify management. Penetration tests are performed by an independent third party to ensure that the safety measures in place perform as expected. All data backups are stored in a secure external vault.

Careful Data Destruction

The destruction of data that is no longer needed is handled with extreme care. Regardless of the storage method, the company policy is to use certified third-party vendors for the destruction process and obtain a certificate of destruction upon completion. The vendor provides a special shredder for in-house document destruction. It is vital to use a reputable vendor for data destruction. There is an expense in using a third party, but the vendor’s data destruction equipment is far superior to a standard micro-shredder.

A Culture of Data Security

The objective of data cleansing should not be to punish or point a finger at those who made mistakes but to learn from the annual review and improve behaviors to ensure data is not compromised.

Companies must build a strong data security culture to successfully protect sensitive data. It is hard to protect data if you don’t know what you have or if it is not maintained and safeguarded properly. It is not a one-and-done process. Data security requires monitoring, maintenance, and annual reviews to ensure the policies that are in place work. Technology constantly evolves in data security, but we cannot let our guard down because cyber criminals are keeping pace with new technology that can help them find vulnerabilities and gain access to your organization’s data.


Stephanie Salavejus, CPP, is Chief Operating Officer for PenSoft, a PayrollOrg Director, and the 2017 Payroll Woman of the Year. She is also a member of PayrollOrg's Board of Contributing Writers, Emerging Technologies Subcommittee of the Strategic Payroll Leadership Task Force (SPLTF), Government Relations Task Force (GRTF), and National Speakers Bureau.
