HOT TOPICS 2017 MEMBERSHIP DIRECTORY 118
computers to store or access customer data to use protections against viruses, spyware, and other unauthorized intrusions.
• Imposing disciplinary measures for security policy violations including termination of employment.
• Preventing terminated employees from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures.
Information Systems
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Replace systems such as Windows versions XP or earlier that are no longer supported and make sure your antivirus, anti-malware, firewall, and other security software is up to date at all times. Here are some suggestions on maintaining security throughout the life cycle of customer information, from data entry to data disposal:

Know where sensitive customer information is stored and store it securely. Know its life cycle throughout your organization. Make sure only authorized employees have access. For example:
• Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
• Store physical records in a room or cabinet that is locked when unattended.
• When customer information is stored on a server or other computer, ensure that the computer is accessible only with a “strong” password and is kept in a physically secure area.
• Place customer information on a separate secure server or in a secure cloud-based server. Limit permissions and require additional access requirements (two-factor authentication), such as a randomly generated token number and an additional password, to be able to access the server.
• Where possible, avoid storing sensitive customer data on a computer with an Internet connection. It is a good practice to provide “read only” access to customer information and disable the ability to download customer information onto third-party devices (USBs, external hard drives, etc.).
• Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area.
• Maintain a careful inventory of your company’s computers, servers, and any other equipment on which customer information may be stored.
• Monitor employees accessing customer information in both paper and electronic format. You should review the monitoring regularly to detect any unusual spikes in activity and quickly find out the reason.
• Get a static IP address from your Internet Service Provider. This will keep your IP address from changing and enable sites like Dealertrack to only accept requests for customer information from your trusted IP address. This can be a major protection in the event employees’ user names and passwords are compromised.
• Use a cloud-based proxy server or a software-based proxy server to prevent users from going to sites that are associated with viruses, malware, or that are otherwise insecure.
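As an added example (not part of the directory's guidance or of any Dealertrack tooling), the following Python script applies the monitoring and static-IP recommendations above to an access log: it flags days on which an employee's customer-record lookups spike well above that employee's usual daily volume, and any lookup that did not originate from the dealership's trusted static IP address. The log format, user names, record ids and IP addresses are constructed sample data.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed: the dealership's single static IP (see the static-IP bullet)
TRUSTED_IPS = {"203.0.113.10"}


def constructed_log():
    """Constructed sample log, one lookup per line: date user source_ip record_id.
    jdoe is steady for three days, then pulls twelve records on 2017-03-04,
    one of them from an address that is not the dealership's static IP."""
    lines = []
    for day, n in (("2017-03-01", 2), ("2017-03-02", 1),
                   ("2017-03-03", 2), ("2017-03-04", 12)):
        for i in range(n):
            ip = "198.51.100.7" if (day, i) == ("2017-03-04", 11) else "203.0.113.10"
            lines.append(f"{day} jdoe {ip} C{1000 + len(lines)}")
    for day in ("2017-03-01", "2017-03-02", "2017-03-03", "2017-03-04"):
        for _ in range(3):
            lines.append(f"{day} asmith 203.0.113.10 C{1000 + len(lines)}")
    return "\n".join(lines)


def parse_log(text):
    """Split 'date user ip record_id' lines into tuples, skipping blanks."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def daily_counts(records):
    """user -> {date: number of customer records that user looked up}"""
    per_user = defaultdict(Counter)
    for date, user, _ip, _rec in records:
        per_user[user][date] += 1
    return per_user


def find_spikes(records, factor=3.0, min_days=3):
    """Return (user, date, count, baseline) for days where count exceeds
    factor * that user's median daily count. Users with fewer than min_days
    days of history are skipped: a median over one or two days is noise."""
    spikes = []
    for user, by_day in daily_counts(records).items():
        if len(by_day) < min_days:
            continue
        baseline = median(by_day.values())
        for date, count in sorted(by_day.items()):
            if count > factor * baseline:
                spikes.append((user, date, count, baseline))
    return spikes


def untrusted_access(records, trusted_ips=TRUSTED_IPS):
    """Lookups whose source address is not one of the trusted static IPs."""
    return [r for r in records if r[2] not in trusted_ips]
```

On the constructed log, `find_spikes(parse_log(constructed_log()))` reports one spike for jdoe on 2017-03-04 (12 lookups against a median of 2 per day) and `untrusted_access` returns the single lookup from 198.51.100.7; both are the kind of event the text says should be investigated promptly.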