Must-Have Elements in Your Data Security Policy to Protect Customer Data

In a previous blog on information security, we discussed the differences between data privacy and data security: data privacy policies and procedures protect the collection, storage and dissemination of personally identifiable information (PII) and a company’s proprietary or confidential information, while data security encompasses the logical and physical protection of PII and company data from cyberattacks, accidental or intentional mishandling of data, and other data breaches. Now let’s dig into the actual elements of a data security policy.

A data security policy specifies details about how customer data, employee PII, intellectual property and other sensitive information is to be handled. Sometimes it is referred to as a “customer data security policy,” but the broader term “data security policy” is more accurate.

A data security policy should include two broad categories of elements: policies that apply to people, and policies that apply to technology.

People Elements of a Data Security Policy

Here are the top people-focused elements to keep in mind when developing or revising the data security policy for a company:

  • Acceptable Use

Anyone who has logged in to a corporate network over the last 10-15 years has likely been greeted with an acceptable use policy pop-up. The acceptable use policy defines proper and improper behavior when users access company network resources, including restrictions on the use of company resources for non-business-related activities. It can also detail any monitoring the company does to enforce the acceptable use policy.

  • Passwords

Establishing and enforcing a password policy is another basic tenet of any data security policy. The password policy should clearly state any requirements for the length and complexity of passwords and how often they expire, as well as the procedure for resetting forgotten passwords.

  • Email

Because email services are critical for employee, vendor and client communications, your data security policy should specify details such as how email may be used, whether email mailboxes are encrypted, and techniques to be used to thwart phishing and other email-based attack vectors.

  • Auditing

Auditing access attempts, changes to system configuration and network activities is critical for both security and compliance with various regulations designed to protect sensitive data. Data security policies should spell out the level of control required and the methods for achieving it.

  • Social Networking

Most companies frown on employees accessing social networking while on company time, but it’s best to have an explicit statement about exactly what, if any, use of social networks is acceptable.

  • Security Incident Reporting

The data security policy should also address incident response and reporting, specifying how data security breaches are handled and by whom, as well as how security incidents should be analyzed and “lessons learned” should be applied to prevent future incidents.

Technology Elements of a Data Security Policy

Here are the top technology-focused data security elements to keep in mind when developing or revising data security policy and procedures:

  • System Security

Physically and logically securing servers, routers, firewalls and other IT assets is a requirement for most data security policies. Ensuring that you can reliably back up, restore and manage server configurations makes it easier to rebuild or replace a server that has crashed or been compromised.

  • Mobile Device Management

The explosion of mobile device use in corporate environments has presented a formidable challenge for many companies. One option is to segregate mobile devices onto networks with little or no access to corporate intranets, especially mobile devices that are owned by employees and guests.

  • Encryption

Best practice is for a data security policy to require encryption of data, both at rest and in motion, so that it is unreadable by any third party that comes into possession of it. A data classification process can be used to apply encryption only to certain types of data, such as data protected by particular regulations.

  • Vulnerability Scans

Vulnerability scanning software is now very sophisticated and is a must-have element of all data security policies. In particular, ensuring that firewall ports are being monitored for intrusions is a key component of data security.

  • Access Control Management and Monitoring

Implementing comprehensive access control mechanisms to manage access to data can be achieved via both hardware and software techniques. For instance, remote access management and multi-factor authentication can both help protect data.

  • Software Inventory, License Management and Patch Management

Maintaining an accurate accounting of all software purchased, installed and in use is critical for maintaining compliance with licensing terms and controlling costs. Scanning both end-user and server computers for unauthorized or unlicensed software and ensuring proper patch management are also critical for data security and compliance with the privacy policy requirements of various regulations.

  • Backup, Recovery and Disaster Recovery (DR)

IT pros must ensure that all data is backed up reliably and that the backups are protected as carefully as production data. That data protection should include the logical and physical security of those datasets using techniques such as off-site storage and encryption. Backups should be tested, and you should be able to recover data quickly. It’s also wise to have a dedicated DR environment, ideally one that you can fail over to when necessary.


As you can see, there are many elements to consider when building or revising your data security policy. Be sure to include all the elements required for your unique IT environment, internal security requirements and applicable external regulations, so that your policy provides an appropriate level of data security.

Earl is a 30-year veteran of the computer industry, who worked in IT training, marketing, technical evangelism and market analysis in the areas of networking, systems management, DR/BC, and application performance monitoring. Earl is a regular writer for the computer trade press with many eBooks, white papers, and articles to his credit.