Information Systems: Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some suggestions on maintaining security throughout the life cycle of customer information, from data entry to data disposal:
• Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access. For example:
■ Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
■ Store records in a room or cabinet that is locked when unattended.
■ When customer information is stored on a server or other computer, ensure that the computer is accessible only with a “strong” password and is kept in a physically secure area.
■ Where possible, avoid storing sensitive customer data on a computer with an Internet connection.
■ Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area.
■ Maintain a careful inventory of your company’s computers and any other equipment on which customer information may be stored.
• Take steps to ensure the secure transmission of customer information. For example:
■ When you transmit credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit.
■ If you collect information online directly from customers, make secure transmission automatic. Caution customers against transmitting sensitive data, like account numbers, via email or in response to an unsolicited email or pop-up message.
■ If you must transmit sensitive data by email over the Internet, be sure to encrypt the data.
• Dispose of customer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule, www.ftc.gov/os/2004/11/041118disposalfrn.pdf. For example:
■ Consider designating or hiring a records retention manager to supervise the disposal of records containing customer information. If you hire an outside disposal company, conduct due diligence beforehand by checking references or requiring that the company be certified by a recognized industry group.
■ Burn, pulverize, or shred papers containing customer information so that the information cannot be read or reconstructed.
■ Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing customer information.