The exchange of information performed by organizations must be protected with appropriate security controls. These controls need to be implemented to guard against the loss of confidentiality, integrity, and availability of information.
Organizations could be susceptible to security incidents or data breaches if appropriate information exchange protection and controls are not defined, implemented, and effectively managed. This is the focus of pitfall #58 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Your organization should ensure that exchange agreements are established and implemented to address the transfer of information or software to or from external parties. Formal procedures should be defined that require the encryption of data in transit. This includes the use of strong cryptography protocols to safeguard information during transmission over non- trusted or open public networks. Encryption of data at rest should also be addressed in exchange agreements.
Sensitive information, such as personally identifiable information (PII), protected health information (PHI), controlled unclassified information (CUI), federal contract information (FCI), and personal account numbers (PANs), should be protected by ensuring they are never sent by end-user messaging technologies (e.g., instant messaging, SMS, chat, etc.). This can be supported by data leakage prevention (DLP) tools or network configuration procedures. Additionally, the remote activation of collaborative computing devices to manage sensitive information should be prohibited in accordance with acceptable use requirements adopted by your organization.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.