

personnel problem that an appropriate information security program would identify and rectify, Guffin said. “A program would figure out the root cause of that and try to change the process or work flow in the organization to prevent these things from happening again.”


One solution to the lost-box problem might be implementing and training employees on checklists, he said. “It’s really a matter of looking at what risks exist in your organization in terms of handling, transporting, and shredding records, and finding out how you can minimize the likelihood that security incidents will happen.”


There are also the more insidious risks posed by hackers, who use malware or social-engineering techniques, such as impersonating employees, to access computer systems. Guffin stressed that RIM companies may be particularly vulnerable to hacker attacks because they handle private information from such a broad range of industries, including healthcare, manufacturing, financial, and legal services, and it may be easier for hackers to get records by targeting the storage company rather than the owner.


Building a Program

The first step to building an information security program is to understand how personal information, including payment information, comes into the organization, how it leaves the organization, and how it is stored and used, Glover said.


Second, companies must take a multidisciplinary approach to information security programs by including personnel from a wide swath of company departments—from IT and Human Resources to the C-suite. However, one person within an organization should be given overall responsibility for managing and overseeing the information security program. In larger companies, this role is increasingly played by a chief information security officer or equivalent who reports to top leadership.


For more information on developing an information security program, contact Peter Guffin at pguffin@pierceatwood.com and Kyle Glover at kglover@pierceatwood.com.




PRISM International

