April 26, 2005

Trust-E, a non-profit Internet privacy advisory group, issued its first set of data security guidelines yesterday, in an effort to assist companies in selecting new or modifying existing policies for protecting consumer and employee personal information.

These guidelines are available as a resource for TRUSTe's Web seal-holding companies and other members of the public.

With the increasing threat of attacks, loss of critical backup data and numerous reports of outright theft recently on stores of consumer information, data privacy has become a central component of trusting business-consumer relationships.

The company says these guidelines are for any company interested in establishing trust with their customers who have any online contact and are concerned about their privacy/use of personal information.

According to TRUSTe, there are ten "high-level" requirements every company should consider implementing in order to achieve reasonable security protections of personal or sensitive data entrusted to them:

1) An enterprise-wide data security policy and employee training program
2) Internal control over the collection, use and sharing of confidential or private data
3) Access procedures that are based on an individual's "need to know"
4) Internal control over the management of third-party vendor or outsourced relations
5) Administrative control and physical security
6) Perimeter controls, such as firewalls and VPN
7) Encryption over the transfer of sensitive data sent across public networks
8) Updates for anti-virus software and security patches
9) Identity management and authentication procedures (when feasible)
10) Regular tests and monitoring

"Direct and open communication between the privacy and security groups within an organization is critical to data protection.

The TRUSTe Security Guidelines provide an excellent framework to facilitate discussions and help ensure that the security aspects of privacy protection are addressed both internally and externally," said Tess Koleczek, chief privacy officer E-LOAN, in a written release.

"TRUSTe helps companies address both the technology and cultural steps that a company can take to make its data more secure."

TRUSTe said, in a release on Monday, it "conducted extensive research to go along with the organization's deep experience in digital commerce to establish a set of recommendations that apply to a wide range of corporate functions, network environments and the type of information each business holds."

"Security practices are not 'one size fits all,'" said Fran Maier, executive director of TRUSTe. "Factors such as a company's size and complexity, industry category, sensitivity of data collected, number of customers served and use of outside vendors can have a dramatic impact on the steps companies should and can take to protect information.

These guidelines lead businesses several steps down the road to making the serious decisions needed to provide a well-guarded home for personal information."

The guidelines are built to evolve and reflect emerging technologies and business issues that impact the safety, security and quality of sensitive or confidential information used by online companies. These guidelines also provide resources to help companies take the final policy and technical steps in building their security systems.

A copy of the full set of guidelines is available on TRUSTe's Web site http://www.truste.org/about/securityguidelines.php.

Source: eCommerce Guide

Advertise on E-Commerce News