To aid in the development of a data loss incident plan and help maximize business continuity, organizations are encouraged to self-audit their level of preparedness by surveying key management leaders and a representative sample of employees with the following questions:
Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure? Do you have an accounting of all information stored including backups and archived data?
Do you have an incident response team in place ready to respond 24/7?
Are management teams aware of security, privacy and regulatory requirements related specifically to your business?
Have you completed a privacy and security audit of all data collection activities including cloud and outsourced services?
Are you prepared to communicate to customers, partners and stockholders?
Do you have readily available access codes and credentials to critical systems in the event key staff are not available or are incapacitated?
Are employees trained and prepared to notify management in the case of accidental data loss or a malicious attack? Are employees reluctant to report such incidents for fear of disciplinary action or termination?
Have you coordinated with all necessary departments with respect to breach readiness?
Do you have a privacy review and audit system in place for all data collection activities including that of third-party service providers? Have you taken necessary or reasonable steps to protect users' confidential data?
Do you review the plan on a regular basis to reflect key changes? Do key staff members have hard copies of the plan readily accessible in their offices and homes?
The Online Trust Alliance (OTA) advocates that all businesses create an incident response plan and be prepared for the likelihood that they will experience a breach or data loss in the future. The fact is that breaches happen, often at the worst of times. Rather than being lulled into the belief that it will not happen to your business, recognize that a well-designed plan is emerging as an essential part of regulatory compliance, demonstrating that a firm or organization is willing to take reasonable steps to protect data from abuse. Doing so is good business. Developing a plan can help to minimize risk to consumers, business partners and stockholders, while increasing brand protection and the long-term viability of a business.
This slideshow highlights key questions and recommendations for businesses to consider while building a data loss incident plan.