Why is Data Security & Privacy Important?
It is considered best practice, and often required, for organizations to develop, document, and implement an information security policy. An information security policy acts as an agreement with employees with respect to data security and privacy best practices. This set of policies is often seen in the form of a binding employee handbook, or contract, and should be updated on an annual basis, disseminated to all employees, and require acknowledgement by all employees of its contents and their responsibilities for securing information and technologies at your organization.
These policies should not only be approved by the highest level of management, but should be acknowledged and known by all. According to Benjamin Wright, some examples of data security and privacy best practices that should be included in your information security policy are as follows:
- Acceptable use of employer owned devices/technologies – All employees should recognize and understand that they are not entitled to any privacy with respect to any communication or data exchanged through any equipment owned by the employer. This includes things like laptop computers, desktop computers, email servers, etc.
- BYOD polices – With the number of technological devices that are used by individuals today, there are a lot of organizations that allow employees to bring their own devices, and sometimes use their personal devices to access the organization’s network. There should be clearly defined policies that outline the dos and don’ts of bringing your own device in order to thwart any associated risks.
- Acceptable Use policies – Acceptable use policies are a set of rules applied by the employer that restrict ways in which a network or system may be used, and how it should be used. This prevents employees from abusing things such as internet access during working hours or discriminatory communications.
Data Security & Best Practices for Your Employees
An employer is wise to have some kind of appropriate contract or agreement with employees with respect to data security and privacy kinds of issues. This policy might be in the form of a binding employee handbook, it could be in a contract that’s signed by the employee, it could be in other kinds of policies that employees are told are binding within the workplace. From the point of view of data security and privacy, a good employee handbook often will notify employees that the employee is not entitled to any privacy and should not expect privacy with respect to any communication or data that the employee exchanges through equipment that is owned by the employer. Thus, it notifies the employee that he/she is using a desktop computer that is owned by the employer, then the employer has the right to monitor the emails, other kinds of communications, and documents that are sent through or stored on that desktop computer.
A related kind of idea is “bring your own device,” where the employee might have his/her own smartphone or tablet that he/she uses for work purposes. From the point of view of the employer, the employer wants to ensure that there are appropriate procedures and rules for the employer to be able to gain access to this device and the services connected to this device, if the employee is actually using this for business. There could be a document stored on a tablet could be a spreadsheet, for example, that’s actually owned by the employer. The employer wants to make sure that they can get access to that spreadsheet if the employee ceases to cooperate or no longer works for the employer.
A related topic is acceptable use. An employee handbook will often, wisely, ensure that there is a clear set of binding guidelines that say, “When you are using company equipment, or when you’re using your own device, within the workplace or for purposes of work, you will perform only in an acceptable way.” Examples of unacceptable use would be discriminatory types of communications, pornography, pictures or communications that would make other employees within the organization feel uncomfortable. The organization wants to be clear that this is not allowed in the workplace, because it could be evidence of a hostile work environment.