Happy Data Privacy Day! This international effort is recognized every January 28 to raise awareness and promote privacy and data protection best practices.
Technology is having a significant impact on our privacy rights, and individuals and businesses must recognize the importance of valuing and protecting personal information.
Bill: Our initial policy focuses on the cloud-based Office 365, as a lot of our on-premise data has moved or will move there. The policy defines what data requires extra protection before being moved to the cloud and what data should never be stored in the cloud at all. It also includes a data sovereignty strategy, whereby even our cloud backup provider must store our backups in Canada. The next steps are to implement a document retention strategy for archiving and eventual deletion of documents past a certain age.
Bill: Celero has implemented a tagging system where Celero employees can tag their documents as either Confidential, Sensitive, Private, Public or Personal. The default is Sensitive.
We have also identified categories of data which we don’t want stored in the cloud unless it is protected with a rights management scheme. Data tagged as Confidential is included in that category, along with financial data, data covered under a non-disclosure agreement with another party, personally identifiable information (PII) and HR files, detailed client member data and contractual data. In addition, PCI data is never allowed to be stored in the cloud.
Bill: In Office 365, the owner of the Teams or SharePoint site takes responsibility for the data being hosted on that site and who can view/edit it. Celero has explicitly disabled external link sharing in SharePoint and Teams, so employees can’t share a document with someone outside of Celero.
Instead, we have introduced a collaborator program whereby external users can be brought in as full-fledged members of a Teams or SharePoint site. Part of this onboarding process includes making external users sign a collaborators agreement and ensuring they accept our data governance policy. As onboarding is formally done by an administrator and the collaborators are approved by a manager, we have made the process of providing external access to our documents much more formal and controlled.
Bill: Celero has invested in a security tool called Varonis to scan our existing documents for violations of our policies and for other security issues. The current focus will be Office 365 and will then be expanded to include Celero’s on-premise file sharing.
From an Office 365 perspective, we require multi-factor authentication when accessing data from outside of Celero. This ensures that a stolen username/password can’t be used by an outside intruder to steal our data. We are also implementing rights management schemes in SharePoint and Teams to automatically protect certain document libraries.
The rights management process encrypts files at the time of download and locks them to the account of the user who initiated the download. That means that even if the files were to later be stolen from the user’s hard drive or USB stick, the thief would not be able to open them. We are also alerted when a large number of files are downloaded or deleted from Teams or SharePoint.
Bill: All data is transmitted to and from Office 365 over Transport Layer Security 1.2 or greater. Less sensitive data in Office 365 is not encrypted at rest as this prevents indexing, searching and collaboration. Data with greater sensitivity will be encrypted with Information Rights Management.
Bill: All of our Office 365 files and emails are backed up daily by a third-party cloud data backup provider. This allows complete point-in-time recovery at the file/email and site/mailbox level. Utilizing this approach, there is virtually no risk of ever losing any data stored in Office 365.
To learn more about threats facing your credit union and how Office 365 can make you more secure, check out our security whitepaper.
Celero is a leading provider of digital technology and integration solutions to credit unions and financial institutions across Canada. Clients trust Celero’s proven track record delivering innovative banking technologies, digital and payment solutions, cloud computing, outsourcing, IT and advisory services.