During the month of February, we’re going to continue the hypothetical conversation we started in our introductory post from yesterday. The questions and answers are designed to help you review the things you should be doing to comply with the Massachusetts data security rules that take effect on March 1st.

So, the question we’d like to ask today is: Who’s in charge of your data security program?

Data Security Program? What program?

OK, who is the person (or people) in your organization responsible for data security?

Hmm. Well, the IT people are in charge of passwords and firewalls and all that stuff, and building security gives people their ID badges, and we have a compliance department, but I’m not sure if anyone’s specifically responsible for everything.

It’s OK to have different people and departments handle different aspects of security. For example, it makes sense to have the IT people take care of the technical controls for IT systems, to have building security handle physical security, to have HR handle employee training, etc. However, it’s important to have someone at the company who’s responsible for making sure all the different people and departments and bits and pieces of the information security program work together to protect sensitive information.

Like I said, I’m not sure we have an actual data security program.

If you don’t have a coherent, comprehensive data security program (which usually refers to a set of policies, plans, and/or procedures) and there’s no one who’s specifically responsible for making sure sensitive information is protected, the company may be at risk of having that information compromised.

The Massachusetts rules specifically require entities to develop, implement, and maintain a written, comprehensive data security program. As part of the program, the entity must also designate one or more employees to have overall responsibility for the program. (The rules also require the program to have a number of other elements, but we’ll talk about those in future posts.)

OK. Where do I go from here?

A good way to start is by taking a look at your company org chart. Who’s in charge of data security at the company? If the company has designated someone to be in charge of data security, great. The next step is to get in touch with that person and ask about the data security program.

If you don’t have an official “program” in place, that’s OK. Start gathering and reviewing any data security policies, plans, procedures, or other official company documents that are in place to see what the company has already done. And if the company hasn’t officially designated someone to be responsible for the overall information security program, it would be a good idea to start thinking about who should be in charge.