Strengthen user authentication

The first measure to implement is to assign a unique identifier to each user with access to the information system. Shared accounts should therefore be banned unless they are unavoidable, in which case control and traceability measures must be put in place.

Passwords, which often form the basis of authentication, must also be sufficiently complex.

  • If access to the account is restricted (for example, a CAPTCHA or a lockout after several failed attempts), the password must have at least 8 characters drawn from 3 of the following 4 character types: uppercase letters, lowercase letters, digits, special characters.
  • If the password is the only means of authentication, it must be at least 12 characters long and contain lowercase letters, uppercase letters, digits and special characters.
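The two-tier rule above, implemented as a check a defender could run when a password is set. This is an added example, not code from the article or from Orisha Insurance; the function names and the sample passwords are constructed for illustration, and whitespace is assumed to count toward length but toward no character class.

```python
def character_classes(password: str) -> set[str]:
    """Return the names of the four policy character classes present.

    Uses Unicode-aware str methods so accented letters still count as
    upper/lower case; anything that is not a letter, digit or whitespace
    is treated as a special character (assumption made for this example).
    """
    present: set[str] = set()
    for c in password:
        if c.isdigit():
            present.add("digit")
        elif c.isupper():
            present.add("upper")
        elif c.islower():
            present.add("lower")
        elif not c.isspace():
            present.add("special")
    return present


def meets_policy(password: str, brute_force_protected: bool) -> tuple[bool, str]:
    """Check a password against the policy described in the article.

    brute_force_protected=True  -> account has a CAPTCHA or lockout after
                                   repeated failures: 8+ chars, 3 of 4 classes.
    brute_force_protected=False -> password is the only defence:
                                   12+ chars, all 4 classes.
    Returns (ok, reason) so callers can report why a password was rejected.
    """
    min_length, min_classes = (8, 3) if brute_force_protected else (12, 4)
    if len(password) < min_length:
        return False, f"too short: {len(password)} < {min_length}"
    classes = character_classes(password)
    if len(classes) < min_classes:
        return False, f"only {len(classes)} of 4 character classes, need {min_classes}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    samples = ["Abcdef1!", "abcdefg1", "abcdefgh1234", "Correct-Horse7batt"]
    for pwd in samples:
        for protected in (True, False):
            ok, reason = meets_policy(pwd, protected)
            print(f"{pwd!r:22} lockout={protected!s:5} -> {ok} ({reason})")
```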

Define several levels of authorization

It is essential that each user can only access the information needed to carry out their duties. Hence the value of defining authorization profiles according to each person's position and level of responsibility.

In addition, these authorizations should be reviewed regularly to ensure they still match each user's functions. Access rights must be removed as soon as an employee leaves the company or is no longer authorized to access certain IT resources.

Improve the security of IT tools

Personal data protection also involves the tools the insurance company's employees use every day.

First of all, workstations must be secured through several measures:

  • Installation of a firewall to limit the number of open communication ports.
  • Use and regular updating of antivirus software.
  • Systematic (and preferably automatic) updating of the applications installed on the workstation.
  • Automatic locking of the computer after a period of inactivity.

Mobile devices, which are increasingly used in a professional setting, carry a non-negligible IT risk. Beyond raising user awareness, mobile equipment (laptops, tablets, etc.) must be secured with synchronization and data backup mechanisms to avoid any loss.

These mobile devices, as well as storage media such as USB keys or external hard drives, must also be encrypted end to end to guarantee their security.

Protect servers and websites

The insurance company's servers are particularly sensitive resources: access to administration interfaces should therefore be restricted (in particular by creating authorization levels, as mentioned above).

In addition, administrators must be subject to a specific password policy. This implies changing credentials regularly, and especially whenever a potential compromise has been detected or an administrator leaves.

For databases, it is recommended to use individual, application-specific accounts, along with an IT security policy against script injection and SQL injection attacks.

Websites also demand the greatest vigilance regarding personal data protection. Use of the secure TLS protocol should be systematic, especially on the most sensitive pages: information collection forms, login pages, etc.

Finally, if cookies are necessary for the proper functioning of a site, they must be subject to the prior consent of the Internet user, in compliance with the General Data Protection Regulation (GDPR).

Back up and archive data

Securing business data also means backing it up regularly, whether in paper or electronic form. It is recommended to make incremental backups daily and full backups from time to time.

Once backed up, the data should ideally be encrypted and stored in a secure location so that it receives the same level of protection as the data on the insurance company's production servers. If data is transmitted over an external channel, it must be fully encrypted.

Archive management also requires particular attention, with specific access procedures. Finally, a procedure governing the destruction of these archives must be defined.

Oversee subcontractors

In the course of its business, an insurance company is likely to transmit a certain amount of data to subcontractors. These must offer sufficient guarantees of reliability, personal data protection and information systems security.

More specifically, the guarantees offered by a subcontractor can take different forms:

  • Encryption of data according to its sensitivity.
  • Procedures ensuring that the service provider cannot access the information entrusted to it.
  • Encryption of data transmissions.
  • Network protection measures, management of authorizations and authentication, and traceability.

Finally, the terms of data processing, as well as its duration and purpose, must be precisely defined in a contract with each subcontractor.

By Orisha Insurance
