Hospitals are a classic example of this. If a patient drops to the floor in a faint, the medical professionals nearby need to be able to access the patient’s records to find out about allergies, medical conditions and medications so they can start helping quickly. However, medical records are very sensitive. Fortunately, there are few cases where a highly paid professional would risk their employment and reputation in order to peek at a few records. Because of this, auditing, along with smart velocity controls, can reduce the risk of data leakage without compromising patient safety.
How do you approach planning for urgency? First, design security policies with the need to react to issues in mind. Consider options such as a team of trusted people who have access to override controls, requiring more than one sign-off for overrides, and creating tools to handle any common urgent issues. Create an alerting system to make sure the security team is engaged as soon as possible. Set up auditing so that the people who are able to take high-impact actions cannot turn it off. Finally, educate your PR and field staff in advance, so they can provide clarity to customers when issues do take longer to solve because you are safeguarding their data.
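As an added illustration (not code from the original article), the Python example below combines the controls described above: an override needs sign-off from more than one trusted approver, every request is written to a hash-chained audit log so edits or deletions are detectable, each override alerts the security team, and a velocity control flags a requester who overrides too often. The class name, approver names and thresholds are assumptions chosen for the example.

```python
import hashlib, json
from collections import defaultdict, deque

class BreakGlass:
    """Emergency override gate (hypothetical): sign-offs, audit chain, velocity alerts."""

    def __init__(self, approvers, required_signoffs=2, max_per_window=3, window_s=3600):
        self.approvers = set(approvers)      # trusted override team (assumed names)
        self.required = required_signoffs    # "more than one sign-off"
        self.max_per_window = max_per_window # velocity threshold per requester
        self.window_s = window_s
        self.audit = []                      # append-only, hash-chained entries
        self.alerts = []                     # stand-in for paging the security team
        self._recent = defaultdict(deque)    # requester -> recent override times

    def _log(self, event):
        # Each entry commits to the previous one, so tampering breaks the chain.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append({"event": event, "prev": prev, "hash": digest})

    def request(self, requester, record_id, reason, signoffs, now):
        # Only known approvers count, and nobody may approve their own override.
        valid = (set(signoffs) & self.approvers) - {requester}
        granted = len(valid) >= self.required
        self._log({"t": now, "who": requester, "record": record_id,
                   "reason": reason, "signoffs": sorted(valid), "granted": granted})
        if not granted:
            self.alerts.append(("denied", requester, now))
            return False
        self.alerts.append(("override", requester, now))  # engage security early
        times = self._recent[requester]
        times.append(now)
        while times and now - times[0] > self.window_s:
            times.popleft()
        if len(times) > self.max_per_window:
            self.alerts.append(("velocity", requester, now))
        return True

    def verify_audit(self):
        prev = "0" * 64
        for e in self.audit:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a real deployment the audit entries would also be shipped to a system that the override team cannot administer, which is an assumption beyond what this example implements.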
Do you have examples of effective steps for reducing security risk during a crisis? If so, please send them to [email protected].