I’m going to be presenting later this week at the SANS Security East 2012 event. I consider this a huge honor and am very excited about it! In honor of that, this week on my blog, I want to provide a high level summary of the NAR’s “Data Security and Privacy Toolkit”. You can access the full document on Realtor.org, but note that requires a login.
If you’ve never set aside a few hours (at least) to review your organizational security, I strongly advise you do so and consider the further efforts needed to implement an organizational security program.
Based on the Federal Trade Commission model, the program boils down to five steps:
1. Take stock. Know what personal information you have in your files and on your computers. Understanding how each state defines “sensitive” and “personal” information is your starting point. It’s not just credit cards that are sensitive. People may be using the same username/email and password to log into your system as they do their bank. Of course social security numbers and birth dates are sensitive. If you’re a broker, you may have financial account numbers being sent to you by consumers on checks. And there’s more – so much more – described in the Toolkit’s information inventory checklist. How do you get this information? When most people think about “information security” they translate it to “I.T. security”, and that can be a problem. Look not just on your computers, website, and emails, but at all of the “offline” ways you get this information. Think about how it’s transmitted to you, where you store it, and who has access to it along the way. Only once you understand what you have and how you receive and store it can you begin to think about protecting it appropriately.
2. Scale down. Keep only what you need for your business. That’s pretty self-explanatory – only collect and keep what you need.
3. Lock it. Protect the information that you keep. The Toolkit breaks this down into four areas: The first is Physical Security – locking up and limiting access to sensitive information. The second is Electronic Security – understanding where sensitive information is stored, encrypting that information in transit and in storage, using anti-virus, using and protecting strong passwords, warning employees about social engineering, protecting laptops and other mobile devices, and implementing a firewall, including an intrusion detection system and monitoring practices. Finally, as I’ve discussed in other articles (for example, “Contracting for Security in Your Mobile App”), use contracts to ensure contractors and service providers follow security best practices.
4. Pitch it. Properly dispose of what you no longer need. The first part of this step is understanding federal and state retention laws and creating a document retention policy that reflects them. Then that policy can undergo legal review, employees can be trained on it, and policy and compliance can be reviewed on an ongoing basis.
5. Plan ahead. Create a plan to respond to security incidents. Write up your data security program (the Toolkit has a sample) and be prepared with a plan for what to do when or if a breach should occur. Your plan needs to reflect the breach notification laws of your state, as well as the states of those employees, clients, etc. from whom you receive or for whom you store sensitive information. Knowing who you are going to call, in terms of law enforcement and computer forensics (if needed), is key.
The Toolkit goes deeper into each of these areas, but even the Toolkit is just a starting point. If you’ve attended one of my NAR-sponsored half-day-long information security workshops or read any of my security articles, you know there’s a lot of detail beyond the Toolkit. And if you’ve had me in for a security audit – during which I spend at least a week just assessing your situation and making sure you have the right policies and processes in place – you know there’s a whole additional level of detail needed to take all the reasonable steps, especially for the “Lock It” phase. But understanding the NAR’s “Data Security and Privacy Toolkit” is an important first step toward taking stock of your information security program and understanding whether you’ve at least started down the right path. If you haven’t taken a few hours to review it, I strongly suggest you do so.