This post was written by Andy Hall, Application Security Engineer (former)
If you pay attention to the news at all, you have likely seen dramatic stories of companies being hacked and losing or exposing the data of potentially millions of people. We see these sensational stories and conclude that the only threats to our data security are nefarious groups of hackers in some dark room, or companies that do not take external threats and sensitive data protection seriously enough and leave gaping holes in their systems.
Make no mistake, both of these can be true, but by focusing on them alone we lose sight of another key threat to sensitive data protection: the one that comes from the inside. It can be posed as a question: how do you control access to the sensitive data in your care for the people within your own organization? Your answer to that question could mean the difference between secure data and a data security disaster for your organization. Here is how the right sensitive data controls can help you avoid catastrophic security events.
What Counts as Sensitive Data?
A form you create with FormAssembly could be collecting all kinds of information; the beauty of our Form Builder is that it gives you the capability to create exactly the kind of form you want. But sooner or later, you are probably going to collect some kind of sensitive data. At FormAssembly, we define sensitive data as information that would cause harm to the person it describes, or to your organization, if it were disclosed to or altered by someone who should not have it, and that therefore needs more care and attention than other data. This includes personally identifiable information (PII), protected health information (PHI), and credit card information. To give you an idea of what falls under these categories: a telephone number, a postal address, and a social security number each count as PII.
How to Handle Sensitive Data
Marking a field as sensitive in one of your forms is an easy first step toward sensitive data protection: you just choose which kind of sensitive data it is from the dropdown list in that field's settings. That helps you keep track of what kind of data you are collecting on your forms. For our Compliance Cloud customers, it also tells FormAssembly to add an extra layer of encryption to data collected in that field.
Coupled with our role-based access controls, which give you fine-grained control over which users are able to see which kinds of sensitive data, you can be confident that only the people you have authorized can see a given kind of sensitive information.
Logging Sensitive Data
Finally, we log whenever a user has viewed a response that contains sensitive data, so you can know who accessed what, and when. Not only that, but any sensitive fields used in your connectors are logged, too. So you have total awareness of where the sensitive data you’re collecting is going.
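The three controls described above (tagging fields by sensitivity category, granting each role the categories it may view, and logging every view of a response that contains sensitive data as well as every sensitive field a connector sends onward) fit together as one small access-control layer. The following Python is an added illustration of that pattern and is not FormAssembly's code; the field names, roles, log format, connector name and sample response are all constructed for the example, and the per-field encryption step mentioned for Compliance Cloud is not shown.

```python
"""Field-level sensitivity tags, role-based viewing and access logging for
form responses.

Illustrative example only: this is not FormAssembly's code, and the field
names, roles, log format and connector name are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Sensitivity(Enum):
    """Sensitivity category attached to a form field."""
    NONE = "none"
    PII = "pii"   # personally identifiable information
    PHI = "phi"   # protected health information
    PCI = "pci"   # payment card data


@dataclass(frozen=True)
class FormField:
    name: str
    sensitivity: Sensitivity = Sensitivity.NONE


# Constructed sample form: a patient intake form with mixed sensitivity.
FORM_FIELDS = (
    FormField("favorite_color"),
    FormField("phone", Sensitivity.PII),
    FormField("diagnosis", Sensitivity.PHI),
    FormField("card_number", Sensitivity.PCI),
)

# Which sensitivity categories each (assumed) role may view.
# Unlisted roles get an empty grant, i.e. they see no sensitive data.
ROLE_GRANTS = {
    "viewer": set(),
    "support": {Sensitivity.PII},
    "clinician": {Sensitivity.PII, Sensitivity.PHI},
    "billing": {Sensitivity.PII, Sensitivity.PCI},
}

REDACTED = "[REDACTED]"
AUDIT_LOG: list[dict] = []   # in-memory stand-in for an append-only log store


def _log(event: str, **details) -> dict:
    """Append one audit record (who/what/when) and return it."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event, **details}
    AUDIT_LOG.append(entry)
    return entry


def view_response(user: str, role: str, response_id: str, response: dict,
                  fields=FORM_FIELDS) -> dict:
    """Return the response as `user` (acting in `role`) is allowed to see it.

    Sensitive fields outside the role's grant are redacted rather than
    dropped, so the viewer can tell a value exists without learning it.
    Any view of a response that contains sensitive fields is logged with
    who viewed it, which sensitive fields were shown or redacted, and when.
    """
    allowed = ROLE_GRANTS.get(role, set())
    shown, redacted, visible = [], [], {}
    for f in fields:
        value = response.get(f.name)
        if f.sensitivity is Sensitivity.NONE:
            visible[f.name] = value
        elif f.sensitivity in allowed:
            visible[f.name] = value
            shown.append(f.name)
        else:
            visible[f.name] = REDACTED
            redacted.append(f.name)
    if shown or redacted:   # response holds sensitive data: record the access
        _log("view", user=user, role=role, response_id=response_id,
             sensitive_shown=shown, sensitive_redacted=redacted)
    return visible


def send_to_connector(connector: str, response_id: str, response: dict,
                      mapped_fields: list[str], fields=FORM_FIELDS) -> dict:
    """Build the payload a connector would forward and log which sensitive
    fields leave the system. Only the fields the connector maps are sent."""
    by_name = {f.name: f for f in fields}
    payload = {name: response[name] for name in mapped_fields if name in response}
    sensitive_sent = [n for n in payload
                      if by_name.get(n, FormField(n)).sensitivity is not Sensitivity.NONE]
    if sensitive_sent:
        _log("connector_send", connector=connector, response_id=response_id,
             sensitive_fields=sensitive_sent)
    return payload


if __name__ == "__main__":
    sample = {"favorite_color": "blue", "phone": "555-0100",
              "diagnosis": "asthma", "card_number": "4111111111111111"}
    print(view_response("alice", "support", "r-1", sample))
    print(send_to_connector("crm", "r-1", sample, ["phone", "favorite_color"]))
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points carry over to any real implementation: an unknown role falls through to an empty grant rather than to full access, and the audit record names the specific sensitive fields that were shown, redacted or forwarded, which is what an investigator needs when asking who saw a particular value.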
We believe this will empower you to set your own information security agenda and ensure that it is enforced for your FormAssembly users.
Sensitive Data Management: Arming You Against Data Security Threats
Breaches, data disclosures, data loss, and data theft cost the world economy billions every year. Annual cybersecurity threat assessments from across the industry are all saying the same thing: attacks are rising year-over-year at an alarming rate. How well you respond to these external threats begins by setting a solid foundation of sensitive data protection and internal access control to the information under your stewardship.
Your organization should be achieving its mission, not becoming part of the rapidly increasing statistics reported in these threat assessments. At FormAssembly, we strive to help you in achieving the mission of your organization. And we do that by not only treating the data you collect with us with the care and respect it deserves, but empowering you to do the same.