Building on the FTC’s “Start with Security” guide for businesses, the agency launched the “Stick with Security” blog on July 21, 2017. The blog provides additional guidance on each of the 10 fundamental principles of data security through hypotheticals based on FTC decisions, questions submitted, and FTC enforcement actions. Each week, the FTC publishes a post dedicated to one of the 10 data security principles.
The 10 fundamental “Start with Security” principles include:
- Start with security. The first principle urges companies to factor data security into all aspects of the business and to make conscious decisions about how, when, and whether to collect, retain and use personally identifiable information.
- Control access to data sensibly. The second principle recommends restricting access to personal data to employees who have a legitimate need to access the data. This recommendation includes restricting administrative access to the company’s systems to employees tasked with making system changes.
- Require secure passwords and authentication. According to the third principle, companies should require “complex and unique” passwords, store passwords securely, and test for common vulnerabilities to protect against unauthorized access to data.
- Store sensitive personal information securely and protect it during transmission. The fourth principle advises companies to encrypt data while in transit and when at rest throughout the data’s entire lifecycle. Companies should use industry-tested methods of securing data and ensure that the measures are implemented and configured appropriately.
- Segment your network and monitor who’s trying to get in and out. The fifth principle speaks to the design of a company’s network; it should be segmented and include intrusion detection and prevention tools.
- Secure remote access to your network. The sixth principle holds a company responsible not only for the security of its internal network, but also for examining the security of employees’ computers and of the systems of any third parties to whom the company grants remote access. In addition, companies should limit remote access to only the areas that are necessary to achieve the purpose.
- Apply sound security practices when developing new products. The seventh principle urges companies to use engineers trained in secure coding practices and to follow explicit platform guidelines designed to make new products more secure. This principle also indicates that companies are expected to ensure that their privacy and security features function properly and meet advertising claims.
- Make sure your service providers implement reasonable security measures. The eighth principle advises companies to choose providers with appropriate security measures and standards and to require providers to meet expectations by expressly including those obligations in provider contracts. Companies should also preserve, by contract, the right to verify that the provider is meeting expectations on data security matters.
- Put procedures in place to keep your security current and address vulnerabilities that may arise. The ninth principle instructs companies to implement and maintain up-to-date security patches, heed warnings regarding known vulnerabilities, and establish a process for receiving and responding to security alerts.
- Secure paper, physical media, and devices. The tenth principle applies similar security lessons to non-electronic data, such as data on paper and other physical media. This principle recommends storing paper containing sensitive data in a secure area, using PINs and encryption to secure data housed on other physical media, establishing security policies for employees when traveling with media that contains sensitive data, and disposing of sensitive data on paper and other physical media securely.
Since July 21, the FTC has published seven helpful posts. Up next, the FTC will discuss the eighth principle: Make sure your service providers implement reasonable security measures.