How to create an information security policy for your business

Protecting company information is the topic of the moment, with the arrival of the new General Data Protection Regulation (GDPR). Companies are increasingly digital, and without measures to prevent data loss their security is seriously compromised. A corporate security policy is an essential tool for keeping your data safe. In today's article we share important tips for creating an information security policy in your company.

What is a security policy?

A security policy is a document developed by the company that records the security principles the company adopts and that employees must follow. It should apply to all information systems, desktop and mobile alike. For the policy to be respected, it is essential that top management takes part in its implementation and visibly backs it.

How to create a good information security policy?

  • Define employee accountability: set out the consequences of misusing company IT resources (disciplinary measures, and penalties where local labour law permits them). The policy should also include rules on website access and guidance on using the electronic devices the company provides.
  • Training: present the information security policy in practical training sessions. The company should collect a signed statement from each employee committing to comply with the rules in the document. The manual should be easily accessible to employees and reviewed regularly so that it stays up to date.
  • Name a person in charge: appoint someone responsible for monitoring compliance with the information security policy. This person should detect breaches and violations of the rules and make sure they are followed up.
  • Make the security policy known: the document must be approved by the company's human resources department, and its rules must comply with labour law and the internal employee handbook. After HR approval, top management should also formally approve it, and the approved version should be communicated to every employee.
  • Adopt a disaster recovery plan: a disaster recovery plan defines in advance the actions that keep a disaster from interrupting the company's operations. It has a proactive side (planning and regularly testing the recovery procedures) and a reactive side (executing the pre-planned emergency procedures that restore service quickly). In short, disaster recovery is the set of procedures to carry out in a crisis, with the aim of safeguarding your company's data so that your information stays safe and sound.


“Better safe than sorry” is an absolute truth when it comes to your company's information security. Get to know the IT PEERS security solutions and protect your data!

New Data Protection Regulation: Everything you need to know

For the European Commission, the protection of personal data is a key element of the Digital Single Market. This has driven the creation of the European Union's new General Data Protection Regulation (GDPR), which repeals the current personal data protection legislation, published in 1995, when Internet access was not yet widespread. The new regulation applies from 25 May 2018, and there is still a lack of knowledge about how it works and what it implies. In this article we cover the aspects you must know to meet the new data protection regulation in accordance with the law!

The most significant and impacting changes in this new regulation are:

Right to be forgotten (right to erasure)

Citizens will be able to require companies to delete their personal data. The new regulation lets each citizen ask for his or her personal data to be erased, and the company must comply unless it has a legal ground to keep the data (for example, a legal obligation to retain it).

Data portability

Citizens can require companies to provide their personal data in a structured, commonly used and machine-readable format that lets them transfer it to another company. This makes migration easier, for example when switching TV service provider.

Right to object to profiling

Companies' IT systems must be able to record who has objected to automated processing of their data, as is commonly done in behavioural analysis and the building of consumer profiles, and must honour that objection.

Records and proof of consent

In the online relationship with customers, company systems should present privacy policies in clear and plain language. Records of each user's consent to the processing of their data must be kept so that they can be produced if required: the company must be able to demonstrate that consent was given.

Privacy by ‘default’ and design

Data protection must be built in from the design stage of IT applications, for instance by minimising the personal data that is processed, masking or pseudonymising it, and encrypting it. By default, only the personal data needed for each specific purpose should be processed.
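Privacy by design in practice, as an added example that is not part of the original article: the Python below applies data minimisation (a reporting job receives only the fields it needs), pseudonymisation with a keyed HMAC instead of a bare hash, and masking of the identifiers shown on support-desk screens. The sample record, the candidate e-mail list and the key are constructed for the example; the function names and the field set are assumptions, not any product's API.

```python
import hashlib
import hmac
import re

# Constructed sample record (fictitious data, assumed for this example).
RAW_RECORD = {
    "name": "Ana Silva",
    "email": "ana.silva@example.com",
    "phone": "+351912345678",
    "birth_date": "1985-04-12",
    "product": "TV subscription",
    "amount": 39.90,
}

# Fields a downstream reporting job actually needs: data minimisation means
# everything else is dropped before the record leaves the system of record.
REPORTING_FIELDS = ("product", "amount")

# Secret key for pseudonymisation (assumed; in practice loaded from a secrets
# store and kept away from the team that receives the pseudonymised data).
PSEUDONYM_KEY = b"replace-me-with-a-random-32-byte-secret"

# Constructed list of e-mail addresses an attacker might guess from.
CANDIDATE_EMAILS = [
    "joao.pereira@example.com",
    "ana.silva@example.com",
    "maria.costa@example.com",
]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: NOT a safe pseudonym, kept only to show the weakness."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable, so records about the same person can
    still be linked, but it cannot be rebuilt from a guessed input without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify_by_guessing(target: str, candidates, hasher):
    """Dictionary attack: hash every candidate and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), target):
            return candidate
    return None


def mask_email(email: str) -> str:
    """Keep the first character and the domain, mask the rest of the local part."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits of a phone number."""
    digits = re.sub(r"\D", "", phone)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def minimise_for_reporting(record: dict, key: bytes) -> dict:
    """Reduced record handed to reporting: only the needed fields plus a
    pseudonymous subject id, and no direct identifiers."""
    reduced = {field: record[field] for field in REPORTING_FIELDS}
    reduced["subject_id"] = pseudonymise(record["email"], key)
    return reduced


def mask_for_display(record: dict) -> dict:
    """Support-desk view: identifiers are masked so screen sharing or
    screenshots leak as little as possible."""
    return {
        "name": record["name"],
        "email": mask_email(record["email"]),
        "phone": mask_phone(record["phone"]),
        "product": record["product"],
    }


if __name__ == "__main__":
    print(minimise_for_reporting(RAW_RECORD, PSEUDONYM_KEY))
    print(mask_for_display(RAW_RECORD))
    # An unkeyed hash of an e-mail address is reversible by guessing ...
    print(reidentify_by_guessing(unkeyed_hash(RAW_RECORD["email"]),
                                 CANDIDATE_EMAILS, unkeyed_hash))
    # ... while a keyed pseudonym is not, unless the attacker also holds the key.
    print(reidentify_by_guessing(pseudonymise(RAW_RECORD["email"], PSEUDONYM_KEY),
                                 CANDIDATE_EMAILS, unkeyed_hash))
```

Two caveats for practitioners: pseudonymised data is still personal data under the GDPR, because the company holding the key can re-identify it, so access control and key management still apply to the reduced records; and a bare hash of an e-mail address or ID number is not pseudonymisation at all, since anyone with a list of plausible inputs can reverse it, which is what the last call demonstrates.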

Obligation to notify

Companies and organisations must notify the national supervisory authority of data breaches that put individuals at risk (without undue delay and, where feasible, within 72 hours of becoming aware of the breach), and must communicate high-risk breaches to the citizens concerned as quickly as possible.

How do I know if the new law applies to my business?

The new data protection law applies to any organisation established in the European Union, regardless of whether the personal data is actually processed inside the EU or not. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour, even if those individuals are only visitors rather than residents.

What happens if I don’t comply with the new data protection regulation?

The punitive regime of the new law is very demanding. For less serious violations, fines can reach 10 million euros or 2% of the company's worldwide annual turnover, whichever is higher. In the most serious cases, fines can reach 20 million euros or 4% of worldwide annual turnover, again whichever is higher.

You can learn more about the new data protection regulation by downloading this e-book, which explores the new law in detail.