CED

August 2014

Issue link: https://read.dmtmag.com/i/358154


August 2014 | Construction Equipment Distribution | www.cedmag.com | 21

Play It Safe

- Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information.
- Impose disciplinary measures for violations of the employee security policy.
- Regularly remind all employees of your company's policy and its legal requirement to keep customer information secure and confidential.
- Consider posting reminders about their responsibility for security in areas where customer information is stored.

Security Policies

- Develop policies for appropriate use and protection of laptops, PDAs, cell phones or other mobile devices.
- Ensure that employees store these devices in a secure place when not in use.
- Consider that encrypting customer information will better protect it if a mobile device is stolen, breached or damaged.
- Immediately deactivate the user names and passwords of terminated employees to prevent them from accessing customer information. Take additional appropriate measures as needed.
- Limit access to customer information to only those employees with a legitimate business reason to see it.
- Provide employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.

Information Systems – Software and Business Networks

- Control access to sensitive information by requiring employees to use strong passwords that must be changed on a regular basis. Strong passwords should include at least six characters consisting of a combination of upper and lower case letters, numbers and symbols.
- Never use easily obtainable or discernible personal information as passwords, such as dates, titles, spouse or child's name, etc.
- Use password-activated screen savers to lock employee computers after a period of inactivity.
- Take steps to ensure the secure transmission of customer information.
- Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access.
- When customer information is stored on a server or other computer, ensure that the computer is kept in a physically secure area and is accessible only with a strong password made up of eight or more characters, including symbols, spaces and punctuation if possible.
- Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information.
- Dispose of customer information in a secure manner.
- Look out for improper e-mail attachments and Internet download modules.
- Install, maintain, and apply anti-virus programs.
- Install and use a firewall.
- Remove unused software and user accounts; clean everything on replaced equipment.
- Create backups for important files, folders, and software.
- Keep current with software updates.

Audit Procedures and Detecting Control Failures

- Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.
- Keep logs of activity on your network and monitor them for signs of unauthorized access to customer information.
- Use an up-to-date intrusion detection system to alert you of attacks.
- Monitor both inbound and outbound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user.
- Insert a dummy account into each of your customer lists and monitor the account to detect any unauthorized contacts or charges.

Action Steps If Security Breach Occurs

It's important to preserve and review files or programs that may reveal how the breach occurred. If data has been or may be compromised, take action to prevent further damage, such as disconnecting the computer from the Internet. Additional steps include:

- Contact security professionals to help assess the breach as soon as possible.
- Notify customers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm.
- Notify law enforcement if the breach may involve criminal activity or if there is evidence that the breach has resulted in identity theft or related harm.
- Notify the credit bureaus and other businesses that may be affected by the breach.
- Research and comply with any additional breach notification procedures that may be required under applicable state law.

In summary, a business needs a security plan as much as it needs a marketing plan. A viable security plan can help avoid unnecessary monetary losses, negative publicity, and most important, help the business properly safeguard its customer information.

This document is made available by Sentry Insurance a Mutual Company and its subsidiaries and affiliates (collectively "SIAMCO") with the understanding that SIAMCO is not engaged in the practice of law, nor is it rendering legal advice. The information contained in this document is of a general nature and is not intended to address the circumstances of any particular individual or entity, nor the best practices applicable to any particular individual or entity. Legal obligations may vary by state and locality, and best practices are unique to specific items and situations. No one should act on the information contained in this document without advice from a local professional with relevant expertise.

ERIC STILES is Sentry's lead account executive responsible for maintaining the AED/Sentry relationship. He can be reached at eric.stiles@sentry.com. As the endorsed P&C carrier for AED, Sentry Insurance offers superior coverage options and services to meet your dealership needs.
