Playbook for Data Security and Compliance

Keeping data safe should be at the forefront of every business owner’s mind.

Most networking teams look at data security from an “outside in” standpoint, meaning they are focused on keeping intruders on the outside from getting in.

But security involves looking inward as well. You should ask yourself the following questions: Is data secure inside the organization? Do team members have the correct access to the data they need? How has your business secured its data?

The following is a simple playbook on best practices.


Know what kinds of data you have, why the data exists and how it should be handled. Have policies for data access, network security and routine analysis to keep tabs on data sprawl. Knowledge of your data and related policies will mitigate damage if you have a breach.


Understand what data is valuable, what data is worthless and what data is a liability. Data seen as valuable could be, in fact, a liability if it falls into the wrong hands. Running an analytics tool will give insight to the types of data you have. You can group your data into these categories:

  1. Sensitive
  2. Redundant
  3. Inactive
  4. Active

Knowing what data you have and its associated footprint will help guide you through remediation.


Clean up your data. The key to remediation is knowing what you need to keep and getting rid of everything else. Consider what you have, where it is located, why you have it and who has access to it. Sensitive and redundant data poses the highest risk to an organization simply because it exists in multiple places on your network.

With sensitive data, setting permissions in Active Directory to limit the users who can access it ­– and how they access it – will help alleviate user risk. Encrypting this data can be useful as well. Purging redundant data is often the best practice unless it is needed for some reason. Inactive data can be purged or archived. With the California Consumer Privacy Act poised to issue fines for each violation, limiting data to only that needed to operate your business will control the risk associated with having the data. 


Best practices for network security should be employed. Along with a strong anti-virus solution, the use of a commercial-grade firewall is highly recommended. Multi-factor Authorization (MFA) such as Google Authenticator or Duo will also help limit network access. Backup/DR should be employed and located off site. A compliant data center is usually the best bet. Beyond network access is file access. As discussed, employing the principle of least access will limit users to the least amount of access needed for their job function. Encrypt files that are sensitive or critical. Archive or delete files that are old and/or inactive.

Ongoing Analysis

Unfortunately, doing all these things won’t necessarily prevent a breach. The statistics tell us it is not “if” but rather “when.” According to Norton, 4 billion records and 3,800 companies had been breached in the first half of 2019, up 54% over the same period last year. Monthly analysis with a data analytics tool can help keep your data secure and your business compliant, and it can help minimize risk to your company.