Although our primary business is the development and implementation of our Illuminate Order and Inventory Management Software, we’re often asked about best practice for data security. We’ve recently been through the ISO 27001 (Information Security Management) accreditation process, so we do have a lot of experience in this area. We’ve put together a few thoughts on the subject. Please let us know your feedback and comments!
A Holistic Approach to Data Security
Running your business securely means more than just running a PCI scan every quarter, important though that is. It means putting security at the heart of your company and encouraging a culture of responsibility, so that everyone is involved and takes ownership of the security of customer and business data.
We all love Magento extensions. But before you install any new extension on your website, we recommend doing some research to make sure it is not vulnerable to SQL injection, XSS or other attacks. We’ve received several e-mails in the past from Magento saying that such-and-such extension or feature is unsafe. If you do install a new extension, scan your site immediately afterwards to check that it still passes, and remember that a clean scan only shows that the scanner found nothing, not that the extension has no flaws.
We’d recommend subscribing to a service which performs at least weekly scans of your websites and internal systems, and reviewing all results thoroughly, including ‘Amber’ alerts rather than just the ‘Red’ ones. A scan badge (showing that your site passed its most recent scan) can also be displayed on your website, giving customers some confidence that their data is being looked after.
Our recommendation is to securely dispose of all documents (copies of print/pack slips, invoices etc.) which contain any customer information. Here at Illuminate we have an industrial-grade shredder in which all such documents are disposed of. We’re still amazed by how many sites we visit where such documents are simply placed in a normal waste-paper bin.
We’d recommend having an Access Control Policy in place, so that users only have access to the systems they require for their role (the principle of least privilege). This includes your Order and Inventory Management system (such as Illuminate!), FTP, SSH, in fact everything. If you still use plain FTP, note that it sends passwords and files unencrypted; SFTP or FTPS is a better choice. We’d also recommend using a password manager (vault) to generate strong, unique passwords and manage them centrally, so that access can be revoked quickly when someone leaves or changes role.
Access Control also extends to USB keys and other portable drives. Firstly, are these really a business necessity? It may be easier to decide never to use them than to have the headache of tracking them. If they must be used, we’d recommend only using encrypted USB keys and drives, and restricting their use to the people who really need them.
Thanks for reading this. If you’d like to discuss any of these issues further, please get in touch.