Employer Security Principles
In seeking to analyse the practical applications of security, I undertook a short online training course through my employer about their security principles. I thought they were quite well-framed and pithy, so I’ll share a bit about each of the company’s 7 security principles below: - Privacy By Design: The guiding idea here is that we should incorporate privacy from the get-go and throughout the lifecycle of the product. This is to best ensure that all stakeholders have clear and consistent privacy policy, and eliminate privacy loopholes in the system as best we can. - Data Minimisation: When gathering data from users, only collect what is necessary. This reduces the impact of any potential data breach/leak and allays privacy concerns. - Retention and Disposal: Get rid of data when it is no longer necessary. Data that is necessary now may not be required in the future, and similar to the previous point, this minimises the impact of any potential data breach/leak. - Notice and Transparency: When collecting personal data, let users know what it is and why it’s being collected. This ensures that users are informed about the data that the company takes, and can make a choice as to the collection of that data. - Consent: Make sure that the company has the necessary and proper consents before collecting or processing personal data. A lack of clear consent could lead to information being collected that a customer wishes to keep private. - Accuracy: Ensure that personal data is accurate and updated. Incorrect or out-of-date personal information could cause legitimate users to run into login and support issues, and simultaneously, could make it easier for hackers to exploit accounts e.g. using outdated phone numbers. - Access: Only access data that you have a legitimate business purpose to access. As an employee, there is a lot of information that you technically have the ability to access, but it’s critical to create a culture of only knowing what you need to know, so as to minimise the threat of social engineering and insider attacks.









