Burr Alert: Cybersecurity Best Practices Based on NIST Cybersecurity Standards and FTC Enforcement Actions
The National Institute of Standards and Technology ("NIST"), an agency within the U.S. Department of Commerce, has produced a number of detailed standards for various aspects of information security. These standards outline baseline information security controls and represent best practices that assist organizations in identifying, protecting, responding to, and recovering from cybersecurity risks. Additionally, the Federal Trade Commission ("FTC") has posted complaints, consent agreements, public statements, and business guidance brochures to provide guidance to companies about the FTC's standards for reasonable and appropriate data security practices, in relation to the FTC's Section 5 power to prohibit "unfair or deceptive acts or practices in or affecting commerce."
Taking the NIST's standards and the FTC's posted enforcement actions together, the following guidelines are some cybersecurity best practices:
1) Security. Start with Security. Don't collect personal information that you don't need. Hold on to information only as long as you have a legitimate business need. Don't use personal information when it's not necessary. Make sure your service providers implement reasonable security measures. Insist that appropriate security standards are part of your contracts, and verify compliance, including through cybersecurity audits of third-party providers.
Update and patch third-party software. Act on credible security warnings, and move quickly to fix them. Securely store sensitive files, e.g., do not keep them in an open and easily accessible area. Protect devices that process personal information, e.g., securing PIN entry devices that may be vulnerable to tampering and theft. Dispose of sensitive data securely. If it is paper, shred it. If it is electronic information, make sure the documents are deleted to the point that they are unreadable and unable to be reconstructed.
Download the full article, "Burr Alert: Cybersecurity Best Practices Based on NIST Cybersecurity Standards and FTC Enforcement Actions" written by Elizabeth Shirley.