I attended a session on “Data Protection” with a view to doing what is right for our Japan (Tokyo and Nagoya) Real Estate, Relocation and Leasing Company. I would like to share what I learned.
1. While the security provided by “systems” is important, staff awareness and training on data protection are often overlooked.
i.e. It is good to have passwords, timeout functions, firewalls, spam protection and keys for cabinets, but if we are not aware of what data protection is required, and security training is not provided, then any systems we have don’t have much meaning.
2. The main steps in understanding data protection properly are:
Creating Values, Educating, Discussing, Training and Re-Training.
3. Independent items of data provide little risk. For example, a list of names has no particular risk if leaked alone. However, if the list of names also gives corresponding address information, phone numbers, email addresses, birth dates etc., then it quickly becomes a high risk in terms of data security. It is therefore the combination of data that is important. You need to correctly protect your combinations of data.
4. Within our offices, it is a good idea to consider the kinds of combinations of data that exist.
e.g. Names, addresses, birth dates, mobile phone numbers, bank account details, work permits / visas, passport copies, registration card documents, medical histories, what else?
5. It is also best to consider where else we have the data mentioned in 4 above. Do we have it in our cars? Do we have it at home?
6. There are two types of data to consider:
a. Data At Rest: Data that is sitting in one stationary place
b. Data In Motion: Data that is moving from place to place
7. Data protection is all about reducing opportunistic events. One often-implemented policy is a "Clean Desk Policy", as messy desks with a lot of different information on them can create the "opportunity" for information to get into the wrong hands.
8. Even for small companies it is recommended to build a "Security Policy", to train employees on it, and then regularly re-train them.