The FTC Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three critical areas of information security: Information Systems, Employee Management & Training, and Detecting and Managing System Failures.
This blog post covers Employee Management & Training. For other areas, please see our Information Systems and Detecting and Managing System Failures blog posts.
Employee Management & Training
- Check references or background checks before hiring employees with access to customer information.
  - 💁♂️ Use a background check provider like Checkr.
- Ask every new employee to sign an agreement to follow your company's confidentiality and security standards for handling customer information.
  - 💁♂️ Use templates like those from the SANS Institute and have employees sign them.
- Limit access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.
- Control access to sensitive information by requiring employees to use “strong” passwords that must be changed regularly. (Tough-to-crack passwords require the use of at least sixteen characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.)
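The password rule above can be enforced mechanically rather than left to a reminder email. The checker below is an added example written for this post, not code from the FTC or from this blog; it implements the stated policy (sixteen characters, upper- and lower-case letters, digits, symbols) and adds two checks the text does not spell out but that a practitioner would want: a blocklist of known-compromised passwords (the list here is constructed for the example) and a test for a short string repeated to pad out the length, which satisfies every character-class rule while adding almost no strength.

```python
import string

# Policy as stated in the post: at least sixteen characters, upper- and
# lower-case letters, digits, and symbols.
MIN_LENGTH = 16

# Constructed blocklist for this example. A real deployment would load a
# breach corpus (for instance a haveibeenpwned export) instead.
CONSTRUCTED_BREACHED = {
    "password12345678",
    "Summer2024!Summer2024!",
}


def is_repetition(candidate: str) -> bool:
    """True when the string is a shorter substring repeated two or more times.

    Uses the classic periodicity test: a string s is periodic exactly when s
    occurs in s+s at some offset other than 0 and len(s).
    """
    return (candidate * 2).find(candidate, 1) != len(candidate)


def password_problems(candidate: str) -> list[str]:
    """Return the list of policy rules the candidate fails (empty means it passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    # Compare case-insensitively so trivial capitalisation does not evade the list.
    if candidate.lower() in {p.lower() for p in CONSTRUCTED_BREACHED}:
        problems.append("appears in known-compromised list")
    if len(candidate) >= 2 and is_repetition(candidate):
        problems.append("repetition of a short string")
    return problems


def meets_policy(candidate: str) -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not password_problems(candidate)


if __name__ == "__main__":
    for sample in ("Short1!", "CorrectHorseBattery42",
                   "Summer2024!Summer2024!", "Tr0ub4dor&3-horse-staple"):
        print(f"{sample!r}: {password_problems(sample) or 'OK'}")
```

Run as a script it prints the failing rules for each constructed sample; imported, `meets_policy()` can sit behind a password-change form so the rules on the page are checked at the point where they matter.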
- Use password-activated screen savers to lock employee computers after a period of inactivity.
- Develop policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices.
  - 💁♂️ Have employees store devices in a secure place when not in use. Also, consider that customer information in encrypted files will be better protected in case of theft of such a device.
- Train employees to take basic steps to maintain customer information security, confidentiality, and integrity.
- Regularly remind all employees of your company’s policy — and the legal requirement — to keep customer information secure and confidential.
  - 💁♂️ Consider posting reminders about their responsibility for security in areas where customer information is stored, like file rooms and internal tools.
- Develop policies for employees who telecommute. For example, consider whether or how employees should be allowed to keep or access customer data at home. Also, require employees who use personal computers to store or access customer data to use protections against viruses, spyware, and other unauthorized intrusions.
  - 💁♂️ Start by removing local administrative rights and using Windows Defender. As the number of employees grows, consider an EDR solution like Sophos and review its reports daily.
- Impose disciplinary measures for security policy violations.
- Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures. Deactivate access prior to termination.
  - 💁♂️ Use a single sign-on solution like Okta and, upon termination, disable the employee's access to all services, such as the laptop (AD), Gmail, and Office 365.
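Disabling the SSO account is the first step; the check that actually satisfies the item above is confirming that no service still has an enabled account for a terminated employee. The reconciliation below is an added example written for this post, not code from the FTC, this blog, Okta, or any of the named products. The HR roster and the per-service account exports are constructed sample data, and the status strings are assumptions standing in for whatever each service's admin API returns; in practice both would be pulled from the HR system and each service. It reports two kinds of finding: accounts still enabled after a termination date, and enabled accounts with no HR record at all (orphaned or service accounts that least-privilege reviews tend to miss).

```python
from datetime import date

# Constructed HR roster: the source of truth for who should have access.
HR_ROSTER = {
    "alice": {"status": "active", "termination_date": None},
    "bob":   {"status": "terminated", "termination_date": date(2024, 3, 1)},
    "carol": {"status": "terminated", "termination_date": date(2024, 5, 15)},
}

# Constructed account exports. Each service spells "enabled" differently,
# which is exactly the kind of detail that lets a stale account slip through.
SERVICE_ACCOUNTS = {
    "okta":      {"alice": "ACTIVE", "bob": "DEPROVISIONED", "carol": "ACTIVE"},
    "ad":        {"alice": "enabled", "bob": "disabled", "carol": "enabled",
                  "svc-backup": "enabled"},
    "office365": {"alice": "Active", "bob": "Active", "carol": "Blocked"},
}

# Assumed set of states that mean "this account can log in".
ENABLED_STATES = {"active", "enabled"}


def is_enabled(state: str) -> bool:
    """Normalise a service-specific status string to a boolean."""
    return state.strip().lower() in ENABLED_STATES


def offboarding_findings(roster, service_accounts, today):
    """Return sorted (user, service, finding) tuples for accounts that violate the policy.

    A finding is raised when an enabled account belongs to a terminated
    employee, or when it belongs to nobody in the HR roster.
    """
    findings = []
    for service, accounts in service_accounts.items():
        for user, state in accounts.items():
            if not is_enabled(state):
                continue
            record = roster.get(user)
            if record is None:
                findings.append((user, service, "enabled account with no HR record"))
            elif record["status"] == "terminated":
                days = (today - record["termination_date"]).days
                findings.append((user, service, f"enabled {days} days after termination"))
    return sorted(findings)


if __name__ == "__main__":
    for user, service, finding in offboarding_findings(
            HR_ROSTER, SERVICE_ACCOUNTS, date(2024, 6, 1)):
        print(f"{user:12} {service:10} {finding}")
```

Run daily, this is the kind of report the post asks teams to review: an empty result means every service agrees with HR, and anything else is a ticket for the owner of that service.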
- Add labels to documents to signify importance, such as “Sensitive” or “For Official Business”, to further secure paper documents.