Take Stock: Conducting a Data Security Audit in Your Office

It may mean one thing on TV, but to savvy business executives, “CSI” should stand for Carefully Secure Information. Every company has an obligation to its customers, affiliates, and employees to safeguard sensitive data. One step of the process is to “Take Stock” — conduct a CSI-style “forensic audit” of your information practices.

Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has — or could have — access to it is essential to assessing security vulnerabilities. Whether you’re an industry giant or a lean-and-mean one-person shop, here are some tips on conducting your own “CSI” investigation:

  • Secure the scene. Inventory all file cabinets, computers, flash drives, disks, and other equipment to find out where your company stores sensitive data. Don’t forget about laptops, employees’ home offices, cell phones, and email attachments. No security audit is complete until you check everywhere sensitive data might be stored.
  • Look for footprints. Track personal information through your business by talking with your technology staff, human resources office, accounting personnel, and outside service providers. Get a complete picture of who sends your company sensitive data. Do you get it from customers? Call centers? Credit card companies? Banks or other financial institutions? Affiliates and contractors?
  • Check the doors. How does sensitive data come into your company? From your website? Via email? Through the mailroom? What kind of information is collected at each entry point? Customers’ credit card, debit, or checking account numbers? Sensitive health or financial data?
  • Dust for fingerprints. Who has — or could have — access to the information? Which of your employees has permission to look at sensitive data? Could anyone else get a hold of it? What about vendors who supply and update software you use to process credit card transactions? Contractors running your call center, distribution, or fulfillment operations?
  • Protect key evidence. Different types of data present varying risks. Pay particular attention to how you keep personally identifying information like Social Security numbers; credit card, debit, checking account, or financial information; and other sensitive data that could facilitate fraud or identity theft if it fell into the wrong hands.

Thanks to the FTC for granting permission to reprint this article.