Earlier this year, the FTC’s staff released a series of blog posts entitled Stick with Security that updated and expanded upon the prior Start with Security best-practices guide for information security practices. The Stick with Security series draws from FTC complaints, consent orders, closed investigations, and input from companies around the country to provide deeper insights into the ten principles articulated in the Start with Security guide. These guidelines serve as a set of minimum recommended standards for “reasonable” data security practices by organizations with access to personal data (i.e. information related to consumers and employees), although they can be applied to other types of data as well. The recommendations are not legal requirements, of course, but it can be useful for companies to consider the views of the FTC’s staff on the practices that are likely to be seen by the FTC as “reasonable.” This post summarizes the recommendations made by the FTC’s staff in the Stick with Security series.
Access and Authentication
- Require credentials to authenticate users and securely store credentials on systems. Webpages and other connected systems that store or process personal data should reside behind a network layer that requires authentication and not be directly accessible without credentials from the Internet or less sensitive parts of a network. Credentials should not be stored in plain-text (e.g., storing passwords in documents or email folders), and companies should train employees to avoid disclosing credentials in response to phishing schemes and other requests (e.g., over-the-phone password changes).
- Implement complex password requirements and prevent brute force attacks. Companies should require strong, unique passwords and establish a system to monitor for and prevent brute force attacks to minimize the risk of password cracking by attackers. Companies should also immediately change default passwords after installing new software, applications, or hardware.
- Limit privileged access throughout the enterprise. Privileged or administrative access should be granted only to a small number of users. Such users should each have individualized login credentials that provide limited privileged access to the systems, processes, or data which is necessary to perform a legitimate business purpose.
- Require multi-factor authentication for accounts with access to personal data. Companies should not solely rely on username and password credentials for permitting access to personal data; rather they should require a second form of authentication (e.g., an authentication application, a key fob, a USB security key, or a code received via a voice call or text message) for users accessing personal data or systems that can access personal data.
- Only grant access as needed for the performance of job duties. Companies should grant specific user accounts access to personal data (or systems that process personal data) and only based on the minimum access levels necessary to satisfy business needs.
- Immediately revoke access upon change of circumstance. When an employee leaves or moves positions, a vendor’s contract expires, or specific types of access are otherwise no longer needed, that access should be immediately revoked to prevent unauthorized access.
General Data Security
- Understand the lifecycle of personal data throughout your network and apply appropriate security measures at each stage. Each company should be aware of how data enters and exits, moves within, and is stored throughout the company in order to implement appropriate security protections at each stage. Companies should also consider the level of care appropriate when transferring personal data and whether specifically to encrypt personal data in transit and/or at rest within a corporate network along with inbound and outbound transmissions.
- Properly configure industry-tested and accepted security methods. With many security options available in the market, companies should consider choosing options that are consistent with industry standards and not necessarily unique. Additionally, companies should configure security controls in a manner that is consistent with manufacturer specifications and that has been properly configured and tested, including following major platform security guidelines for developers.
- Only collect and use data as needed. Limiting data collection and use to what is necessary to meet business needs not only minimizes cybersecurity risks, but may also reduce the cost and logistical complexities of storing and maintaining large quantities of data.
- Periodically review, assess, and (if needed) securely delete data. To ensure personal data is not unnecessarily retained, a company should periodically review the data it holds to assess whether the data is still necessary for a legitimate business need, and if the data is no longer needed, securely delete the data from all applicable systems. Secure deletion methods should prevent the information from being reconstructed, including shredding or burning documents or wiping electronic data and devices (e.g., hard drives, discs, and external flash drives) with a tool designed to render the data unreadable.
- Protect devices from unauthorized physical access. To reduce the risk of unauthorized access to personal data and company networks posed by lost or stolen laptops, phones, or other devices, companies should enable remote tracking and secure wiping of devices (or specific information on the devices).
- Implement network segmentation. Consider segmenting networks using properly configured firewalls to reject unnecessary traffic between segments. Also, consider segmentation based on physical location as well as sensitivity of information, and implement security measures to protect against unauthorized movement between segments (e.g., requiring and securely storing unique credentials for each segment).
- Monitor network activity and respond to alerts. Properly implement, test, and calibrate tools to detect malicious network activity¾including unauthorized uploads and downloads from internal or external threats¾and adequately respond to alerts generated by these tools.
- Mandate minimum security requirements for remote network access. In addition to mandating minimum standards for corporate and third-party systems to connect remotely to a company’s network (e.g., specific endpoint protections and security patches) and rejecting network connection attempts from systems not in compliance, companies should periodically verify compliance. Also, companies should consider establishing certain limitations for remote access that potentially restrict the duration and/or scope of the access.
Vulnerability Management and Patch Management
- Test for common vulnerabilities. These tests should ideally occur both before deployment of systems or release of products, and periodically thereafter. They should test for commonly known vulnerabilities, such as those highlighted by the Open Web Application Security Project’s (“OWASP”) Ten Most Critical Web Application Security Risks or other public resources (e.g., vulnerability reports published by US-CERT).
- Establish procedures to receive threat intelligence and swiftly remediate any vulnerabilities. Establishing designated channels to receive and process threat intelligence is vital to securing an environment. These channels should be open and available to security researchers, vendors, and other third parties to report potential threats, including vulnerabilities, to companies. Companies should, in turn, quickly remediate validated weaknesses to prevent exploitation.
- Develop methods to install updates and patches and provide the same to consumers. If systems or software on a company’s network are vulnerable to new threats, companies should follow industry practices in updating and patching the information technology. Similarly, if a company identifies vulnerabilities in its own products, it should have a deliberate plan to distribute updates with prompts for consumers to apply updates.
Employee Security Training and Enforcement
- Develop a culture that prioritizes security. Companies should promote a culture that prioritizes security through training and management actions that emphasize the importance of good security practices and empower employees at all levels to suggest improvements to security processes.
- Provide initial training to all new users and periodically refresh all users’ training. This training should occur at the time of hiring and periodically thereafter for all users, and cover topics such as password standards, secure data disposal, and how to protect against phishing attempts. Users with roles that directly involve security or access to personal data (e.g., network defenders, application developers, and human resources) should receive training on specific topics related to their roles in the personal data lifecycle.
- Emphasize and integrate security during development. Engineers should consider security throughout the product development lifecycle and testing to ensure that security measures are implemented properly.
- Monitor employee compliance and effectiveness. Companies should implement measures designed to monitor employee compliance with security requirements and assess the effectiveness of the policies and procedures.
Vendor and Supply Chain Management
- Conduct due diligence. Prior to entering into an agreement with a service provider or vendor who will access a company’s personal data and/or network, verify security-related representations made by the vendor and do not simply rely on attestations related to how the personal data will be used and secured.
- Include contractual requirements. Agreements with such service providers or vendors should include explicit security requirements (including specific provisions requiring reasonable security practices) and, if appropriate, performance standards and methods to audit compliance.
- Exercise audit rights to verify compliance. Establishing agreements with explicit security requirements to protect personal data is typically not enough for a company to act reasonably. A company should also monitor for compliance and ensure the terms are being appropriately followed.
Consumer Education and Advertising
- Enable consumers to make security-conscious choices. By explaining security practices to consumers and calibrating default settings, set-up wizards, and toolbars to the most protective settings, companies can help protect consumers by requiring affirmative personal choices to reduce the level of security.
- Avoid false statements in advertising. Ensure that advertising materials do not contain any express or implied misstatements related to security practices.