One of the great frustrations in planning a data security program is that there is no one-size-fits-all solution. No law or regulation specifies the exact steps a company must take in order to achieve data security. There are some regulatory and industry-recognized compliance programs, such as the health information requirements under HIPAA and the Payment Card Industry Data Security Standard (PCI DSS), but these provide compliance guidelines, not data security itself. The guidelines themselves emphasize that each firm must establish security standards that meet the requirements of its own business operations.
The fact is that data security, like any kind of security, requires a clear understanding of the unique needs and operations of a company. Every company has different information requirements and different standards as to what information it collects, how it retains that information and how it uses it. Consequently, data security can only be achieved by understanding what a particular firm actually does, not what is common or typical in its industry.
Assessment Defines Approach
Another factor is that while it is common to treat data security as a technical issue, technical controls address only part of the goal; any review of data breaches will show that individuals, the human factor, are the most common source of insecurity. This is not only a matter of an employee clicking on the wrong website or responding to the wrong email; human error can begin at the point where a data security plan, and its technical components, are first contemplated. Without understanding the scope of the company’s data security requirements, those selecting and implementing the “solution” will find that they have not addressed the actual security challenges.