990-35产品经理:Data Security 101: Understanding the Crisis of Data Breaches, and Best Practices to Keep

Data Security 101: Understanding the Crisis of Data Breaches, and Best Practices to Keep Your Organization’s Data Secure

Each year, data breaches are responsible for compromising the personal information of millions of people around the globe. These breaches cost organizations billions of dollars per year, and are causing governments to implement new requirements for organizations to secure their data.
However, experts have established best practices on how organizations can protect their data. In this article, you’ll learn everything you need to know about the ongoing challenge of data security, and how to fight data breaches and cyber criminals.

What Is Data Security?

Data security refers to the measures taken to prevent unauthorized access to information stored in computers, databases, and web systems, and to prevent unauthorized modification or corruption of that information. The term is sometimes used interchangeably with computer security, systems security, or information security (information security is the broader discipline, covering information in any form, not only digital), and it is an important part of the information technology systems of every organization, large or small.

What Is Data Security Protecting Against?

The threats that data security protects against are constantly changing and evolving, but some have remained constant for years. They include the following:

Security Hackers: People who work to exploit vulnerabilities in a computer system, sometimes for information gathering, protest, or theft.
Malware: A shortened name for "malicious software," this is software built to gain unauthorized access to, or cause damage to, a computer or computer system.
Computer Viruses: One form of malware, computer viruses are maliciously written code that alters how a computer operates and can damage the computer and the data stored on it. The code is written so that the virus can copy itself from one computer or system to another.

The Need for Data Security: Increasing Hacks, Breaches & Problems

Strong data security has become vital for all organizations as the number of data breaches and other security problems have mushroomed in recent years.
Identity Theft Resource Center, a nonprofit that has been tracking data breaches for more than a dozen years, reported 1,579 data breaches in 2017 — an increase of 45 percent from the previous year. The two areas of the economy that saw the largest increases were general businesses and financial institutions. More than 55 percent of data breaches in 2017 affected businesses, up from 45 percent in 2016.
A separate 2018 study by Thales eSecurity, a data security firm, found that 46 percent of U.S. organizations had experienced a data breach in the previous year, up from 24 percent in the same study the year before. Another study from the PwC consulting firm in 2015 found that the number of cyber security attacks had increased by 38 percent from the previous year, and intellectual property theft had increased by 56 percent.
The cost of data breaches to organizations continues to be staggering. Across the world, data breaches cost companies about $3.6 million per incident in 2017, according to the most recent annual survey by the Ponemon Institute. In the U.S, the average cost for a data breach was $7.35 million per incident, a record high.
Worldwide, data breaches cost $141 per compromised record, according to the Ponemon survey. In certain industries, the cost was much higher — $380 per record in the healthcare industry and $245 per record in the financial services industry.

Some of the Largest Data Breaches or Cyber Attacks of Our Time

There have been thousands of known data attacks and breaches over the past several years. Some have been especially large and newsworthy, including the following notable breaches:


Methods Cyber Criminals Use to Infiltrate Computers and Systems

Cyber criminals use a range of methods to infiltrate computer systems. Some have been used for years; others have been developed more recently.

“Every year, the crooks get better and better funded and more and more sophisticated and more and more well organized,” says Russ Schrader, Executive Director of the National Cyber Security Alliance, a nonprofit public-private partnership that promotes cybersecurity and privacy education and awareness.
Among the most common ways cyber criminals infiltrate systems:

Brute-Force Password Cracking: Hackers can crack some passwords simply by trying common or easy-to-guess values such as "1234" or "password." They also use computers to run through long lists of leaked or dictionary passwords, or every combination of characters up to a given length, against stolen password hashes. This method is especially effective against short passwords. How long it takes depends on the password's length, the size of its character set, the hashing algorithm the system used, and the attacker's hardware: against a fast, unsalted hash such as MD5 or SHA-1, a GPU rig tests billions of guesses per second and a seven-character password can fall in minutes or hours, while a slow, salted function such as bcrypt or PBKDF2 cuts the rate to thousands per second. A random 12-character password over the full printable character set is out of reach of exhaustive search on any of today's hardware, but a 12-character password that appears in a leaked wordlist falls instantly. Online password-strength estimators can give a rough idea of how a password holds up. Note: although such sites state that they don't collect or store passwords, it's best not to type your current passwords into an educational tool.
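The following script is an added example, not code from the original article, showing how the dictionary and brute-force attacks described above work against stolen password hashes and why length and hashing algorithm change the cost. Everything in it is constructed for the demo: the "stolen" hashes are generated inline from four chosen plaintexts under the assumption that the breached system stored unsalted SHA-256, and the wordlist is a six-entry stand-in for a real leaked-password list.

```python
import hashlib
import itertools
import string

# Constructed demo data: assume a careless system stored raw, unsalted SHA-256
# hashes. The "stolen" hashes are generated from these plaintexts so the script
# runs offline; they come from no real breach.
KNOWN_PLAINTEXTS = ["password", "1234", "zqx", "Tr0ub4dor&3"]
STOLEN_HASHES = [hashlib.sha256(p.encode()).hexdigest() for p in KNOWN_PLAINTEXTS]

# Tiny constructed wordlist standing in for a real leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "1234", "letmein", "welcome"]


def dictionary_attack(target_hashes, wordlist):
    """Return {hash: plaintext} for every target whose preimage is in the wordlist.

    With no per-user salt, one hash computation per word tests every target at once.
    """
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {h: lookup[h] for h in target_hashes if h in lookup}


def mask_attack(target_hashes, alphabet, max_len):
    """Try every string over `alphabet` up to `max_len` characters (exhaustive search)."""
    remaining = set(target_hashes)
    cracked = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            if not remaining:
                return cracked
            candidate = "".join(combo)
            digest = hashlib.sha256(candidate.encode()).hexdigest()
            if digest in remaining:
                cracked[digest] = candidate
                remaining.discard(digest)
    return cracked


def crack_all(target_hashes):
    """Cheap attack first (wordlist), then exhaustive search of short lowercase strings."""
    found = dictionary_attack(target_hashes, WORDLIST)
    leftover = [h for h in target_hashes if h not in found]
    found.update(mask_attack(leftover, string.ascii_lowercase, 3))
    return found


def keyspace(alphabet_size, length):
    """Number of candidates needed to exhaust a random password of this shape."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to exhaust the keyspace at a given guessing rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def slow_hash(password, salt, iterations=100_000):
    """A salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The salt defeats the
    shared lookup table in dictionary_attack; the iterations cut the guessing rate."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    cracked = crack_all(STOLEN_HASHES)
    for h in STOLEN_HASHES:
        print(h[:12], "->", cracked.get(h, "<not cracked>"))
    # Assumed rates: 1e10 guesses/s against a fast unsalted hash on a GPU rig,
    # 1e5 guesses/s against PBKDF2 at 100k iterations. 95 = printable ASCII.
    for n in (7, 12):
        print(f"{n} random chars, fast hash: {seconds_to_exhaust(95, n, 1e10):.3g} s")
    print(f"7 random chars, PBKDF2:    {seconds_to_exhaust(95, 7, 1e5):.3g} s")
```

Three of the four hashes fall: two to the wordlist and the three-letter one to exhaustive search of 18,278 lowercase candidates; the long mixed-character one survives both. The ratio printed for 12 versus 7 random characters is 95^5, about 7.7 billion, which is why a longer random password matters far more than any mix of symbols, and why the server side must use a salted slow hash so that the attacker's rate is measured in thousands, not billions, per second.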

Using Existing Breached Data: Hackers also use data obtained through unauthorized means, available for purchase online. That existing breached data can give them emails, usernames, and passwords that they can use to gain access to accounts.
Phishing Emails: You are sent an email, represented to be from your bank, the IRS, or another organization that you do business with or trust. The email suggests the organization needs important information from you and asks you to click on a link within the email. That link takes you to a malicious website, which asks you to enter a user name, password, and possibly other personal information. The hacker then gains access to your actual bank account, or other account.

David Herman is President of RH Strategic Communications, an organization that works with enterprise, public sector, health and cybersecurity companies. He says cyber criminals now are sophisticated enough to learn from online sources who your boss is, and then send you an email seemingly from that boss. Herman explains, “The email says, ‘Hey, I need this right away.’ Then they engage in a dialogue that seems totally legitimate.” With that seeming assurance that the emails are legitimate, you are convinced to click on a link in an email or take other actions that compromise security, according to Herman.

Vishing (Voice Phishing): A hacker, with access to phone number databases, calls you and represents that he or she is calling from your bank, the IRS or a similar organization. The hacker asks for personal information that they can use to access private data.

“They tell a believable story and someone is convinced that they’re legitimate,” says the National Cyber Security Alliance’s Schrader.

Smishing (SMS Phishing): You might be sent a text with an embedded link. Similar to phishing, the link is a malicious website designed to extract personal information from you that hackers can use to access your private accounts.

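The phishing and smishing items above share one mechanic: a link whose visible text or context suggests a trusted site while the destination is something else. The script below is an added example, not from the original article, of the checks a mail gateway or a user-side tool can run on the links in a message: a displayed URL whose domain differs from the real href, a bare IP address as host, and a domain that is a near-miss of one the organization trusts. The sample message, the trusted-domain list, and the "last two labels" domain heuristic are all constructed for the demo; real code would use the Public Suffix List.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account needs verification.</p>
<p>Please log in at <a href="http://secure-login.examp1e-bank.com/verify">https://www.example-bank.com/login</a></p>
<p>Questions? <a href="https://www.example-bank.com/help">Help center</a></p>
<p>Or <a href="http://203.0.113.7/login">click here</a>.</p>
"""

# Assumed: the domains this organization legitimately sends mail about.
TRUSTED_DOMAINS = {"example-bank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' heuristic; production code should use the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    href_dom = registrable_domain(host)
    if host and all(part.isdigit() for part in host.split(".")):
        findings.append("bare IP address as link host")
    # Visible text that looks like a URL must point where it says it does.
    if "://" in text or text.lower().startswith("www."):
        shown = text if "://" in text else "http://" + text
        shown_dom = registrable_domain((urlparse(shown).hostname or "").lower())
        if shown_dom != href_dom:
            findings.append(f"display text domain mismatch: shows {shown_dom}, links to {href_dom}")
    # Near-miss of a trusted domain (examp1e vs example) is a classic lure.
    if href_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if difflib.SequenceMatcher(None, href_dom, trusted).ratio() >= 0.8:
                findings.append(f"lookalike of trusted domain {trusted}: {href_dom}")
    return findings


def scan_email(html):
    """Return only the links that produced at least one finding, in message order."""
    parser = LinkExtractor()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        findings = analyse_link(href, text)
        if findings:
            suspicious.append({"href": href, "text": text, "findings": findings})
    return suspicious


if __name__ == "__main__":
    for item in scan_email(SAMPLE_EMAIL_HTML):
        print(item["href"])
        for f in item["findings"]:
            print("   -", f)
```

The genuine help-center link passes cleanly; the "verify" link is flagged twice (the text shows the bank's domain while the href goes to a lookalike) and the last link is flagged for using an IP address instead of a hostname. The same checks apply to a URL in an SMS, minus the HTML parsing.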

Why Data Security Is So Difficult to Achieve

Data security is so difficult — and personal data is constantly compromised — because of some highly common problems. Some of them relate to the desire to ensure computer systems are easy to navigate for users. Many relate to human nature, or simply to human neglect and ignorance. Here are some of the most common challenges:

Organizations often have limited knowledge of their own customer data: how sensitive it is, where it sits within the organization's network, and the risk of unauthorized access to it.
Organizations don't know who routinely accesses that customer data. (A 2016 Ponemon study found that only 25 percent of respondents said their company monitors all employee file and email activity.)
Organizations don't understand how their data is protected, or how to protect it better.
Organizations don't know when there is suspicious access to or use of their data, because they don't monitor it closely enough.
Updates for software that employees routinely use, which often include patches for known vulnerabilities, are not applied regularly or soon enough.
Users who connect to an organization's network remotely are often far more exposed than users on the internal network, because their devices and connections sit outside the organization's controls.
As more data moves to the cloud, misconfiguration of the controls meant to encrypt and restrict access to that data (storage permissions, key management, sharing settings) creates new exposure.
Internal risk from authorized users, who can inadvertently or intentionally cause significant data breaches.
Organizations want to maintain ease of use of their systems for authorized users while still providing good security.
As the range of data collected grows, along with its uses, organizations must implement new and broader security measures to keep pace.
Data is often spread across an organization, with the hardware that holds it in a range of places.
Unstructured data (data that is not in fixed, easily searchable fields within a database) now makes up 80 percent of all data and is harder to monitor and protect.

Special Data Security Challenges Relating to Mobile Devices

Almost everyone now carries a cell phone, and many others routinely use tablets and personal laptop computers. These ever-present mobile devices pose particular problems for your organization’s data security. The following are among the most common challenges:

Mobile devices owned by an organization's employees often have access to the organization's network, even though they normally lack the data security protections that are vital to that network.

Herman, from RH Strategic Communications, explains that while your organization may have sophisticated passwords and authentication requirements for its network, all of it is compromised when an employee's mobile phone has easy access to the network and that phone is protected only by a passcode such as 1-2-3-4 that anyone can guess.

Mobile devices are frequently lent to others temporarily. Those other people may not follow your organization's procedures for handling its data on mobile devices.
Mobile applications are often connected to web services, which makes unauthorized transfer of data easier and harder to notice.

Increasing Concerns About Data Security Mean the Market for Experts Is Growing

The data security challenges that all organizations face mean the market for experts to help them continues to grow. A 2017 Gartner report estimated that worldwide spending on data security products and services would reach $86.4 billion in 2017, and an estimated $93 billion in 2018.

What Is Data Security Management?

Data security management is the effective oversight and management of an organization’s data to ensure the data is not accessed or corrupted by unauthorized users. A data security management plan includes planning, implementation of the plan, and verification and updating of the plan’s components.
Additionally, the following are basics of data security that are often included in any data security management plan:

Backups: Regular backups of data, tested by actually restoring them and kept on media that production systems and their users cannot overwrite, ensure the ability to recover lost, corrupted, or ransomed data.
Data Masking: A process in which some data is obscured so sensitive information is not exposed. Data masking is typically needed when developers or testers need realistic data to build applications or run test cycles without seeing real customer records.
Data Erasure: A method in which data on a hard disk or other digital media is overwritten, or otherwise rendered unrecoverable (on flash media and encrypted disks, by securely destroying the encryption key), before the equipment is sold or discarded.
Encryption: The process by which data is scrambled under a key so that it is unintelligible to anyone who does not hold the matching decryption key. Encryption is an important method for ensuring data security, both for data in transit across networks and for data at rest; its value depends entirely on the key being kept away from the data it protects.
Authentication: The process of determining whether a computer system user is who he or she claims to be. Usernames and passwords are a common authentication method.
One-time Password: A password that works for only one network session or transaction. One-time passwords enhance security because an intruder who captures one cannot reuse it, as they could a traditional password.
Electronic Security Tokens: Physical devices that serve as an electronic "key" to allow a user to gain access to data or to a physical place. Digital information is stored on the device. The user may need the device along with a separate password to access the resource.
Two-factor Authentication: A requirement for two different kinds of evidence to authenticate a user: something the user knows (a password), something the user has (a security token or phone), or something the user is (a fingerprint). A password plus a second secret the user knows is not two-factor, since both are the same kind of factor; a password plus a code from a token or authenticator app is.
Transparent Data Encryption (TDE): A method that encrypts a database's files on disk (data and log files) rather than individual values. An authorized user has normal access to the data and may not be aware that TDE is in use. The method ensures that an intruder who copies the database files, or a backup of them, cannot read them on a different server without the key; it does not protect against someone who can already run queries as an authorized user.
Cloud Access Security Broker: Software that works between users of a cloud service and the cloud applications. The software monitors activity and ensures the organization's security policies are followed.
Active Directory Rights Management Services: This Microsoft Windows security tool (called Windows Rights Management Services before Windows Server 2008) helps organizations set and manage the kind of access users have to email messages, Microsoft Office documents, and other information on Windows servers.
Big Data Security: Big data refers to the extremely large amounts of data (in all forms) that can be gathered, analyzed, and mined for information. Hadoop is an open source software platform for storing and processing extremely large data sets, and like any such platform it needs its own access controls and encryption configured.
Internet of Things (IoT) Data Security: Safeguards that are part of, or added to, devices that make up the Internet of Things. The IoT is the billions of everyday objects, from refrigerators to oil-drilling equipment, that contain embedded computers enabling them to send and receive the data that helps them operate.
Payments Security, Mobile App Security, Web Browser Security, Email Security: Each of these modes of computing and data transfer has its own security features designed to prevent unauthorized access.
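The data masking entry above is the one item in this list that practitioners most often get wrong, handing developers a raw production dump "just for testing." The script below is an added example, not from the original article, of masking a customer record for a test environment: format-preserving masking of card and social security numbers, partial masking of email addresses, and keyed pseudonymization of identifiers so that records can still be joined across tables without the real values. The sample record and the key are constructed for the demo; a real key belongs in a key management service, not in source.

```python
import hashlib
import hmac

# Constructed sample record and demo key (assumption: a real key lives in a KMS/HSM).
KEY = b"demo-pseudonymisation-key"
SAMPLE_RECORD = {
    "customer_id": "C-00042",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "card": "4111 1111 1111 1111",
    "ssn": "123-45-6789",
    "balance": "1024.50",
}


def mask_digits(value, keep_last=4):
    """Replace every digit except the last `keep_last` with '*', keeping separators
    so the masked value still fits the format the application expects."""
    total = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def mask_card(pan):
    """PCI-style display: only the last four digits of a card number survive."""
    return mask_digits(pan, keep_last=4)


def mask_ssn(ssn):
    return mask_digits(ssn, keep_last=4)


def mask_email(addr):
    """Keep the first character of the local part and the whole domain."""
    local, domain = addr.rsplit("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def pseudonymize(value, key):
    """Keyed, deterministic token: the same input always maps to the same token, so
    records can still be joined, but without the key nobody can rebuild the mapping
    from a list of known values (an unkeyed hash would allow exactly that)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def mask_record(record, key):
    """Return a copy of `record` that is safe to hand to developers or a test system.
    Non-sensitive fields (here, balance) are left intact so tests stay realistic."""
    masked = dict(record)
    masked["customer_id"] = pseudonymize(record["customer_id"], key)
    masked["name"] = "user-" + pseudonymize(record["name"], key)[:12]
    masked["email"] = mask_email(record["email"])
    masked["card"] = mask_card(record["card"])
    masked["ssn"] = mask_ssn(record["ssn"])
    return masked


if __name__ == "__main__":
    for field, value in mask_record(SAMPLE_RECORD, KEY).items():
        print(f"{field:12} {value}")
```

Masking is applied to a copy, never to the system of record, and the pseudonymization key is the one secret the test environment must never receive: with it, anyone holding a list of real customer IDs can regenerate every token.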

Data Security Best Practices

When it comes to managing your organization data and enhancing its security efforts, there are many steps that you can take to get started. Some of the suggested steps to take include the following:

Understand the data you have, what data is the most sensitive, and how it is being secured. Many organizations don’t fully understand the data they have, how sensitive some of it is, and how it is stored and protected. Therefore, companies should undergo a formal process that provides that understanding, and then perform a risk analysis to determine what data might especially be at risk and how to protect it. Then, establish a data security plan that outlines how your organization will assess and protect its data.

“Never forget what you are really protecting,” says Raef Meeuwisse, author of Cybersecurity for Beginners and the forthcoming book How to Hack a Human. “There is a reason that the discipline is called information security. Yet, in almost 99 percent of audits, I find the organization has no definitive asset list of their information of value. If they don’t know what their information of value is, or where it flows, then of course, they cannot make it secure.”

Data Security Plan Template

Get started building a data security plan for your organization. The customizable template provides guidance on vital actions your organization should take to help keep its data secure.

Collect and keep only the sensitive/private information you need about customers or contacts. Organizations often collect more information from customers and contacts than they actually need, and keep it longer than they need it. Only collect the information you need to help your business, and institute a process that deletes the information when it is no longer needed.

Establish effective data governance. Data governance is the overall structure that an organization sets up to properly manage its data. That structure establishes the authority and the shared decision-making that are vital to how the organization properly uses and manages its data.

Data Governance Policy Template

When establishing data quality and reliability standards, you should create a data governance policy that everyone in the organization can follow. You can use this template to build that policy and create standards associated with accessing, storing, and backing up data.

It’s important that your organization explain in writing the policies it has established to keep its data safe, including how it informs people that it is collecting data about them and requests their consent, how sensitive data is provided extra protection, and how employees are expected to appropriately work with data and keep it safe. This template can help you start outlining some of those security policies.


Establish password and authentication policies that are rigorous and enhance security. A 2016 Verizon report found that 63 percent of confirmed data breaches involved default, easily guessable, or stolen passwords. Requiring strong, unique passwords (long passphrases rather than short strings of symbols), checking new passwords against lists of known-breached passwords, and wherever possible requiring two-factor authentication significantly improves your data security.

“For passwords, use something long and easy to remember,” advises the National Cyber Security Alliance’s Schrader, who suggests a several-word phrase that the user will remember. “That makes it hard for a brute force computer to break down."

Herman of RH Strategic also recommends organizations more often use two-factor authentication. That might mean a user needs to quickly identify an image sent, or use a simple code sent to their mobile phone. “Organizations are afraid that it’s going to make it more difficult for employees to access,” Herman explains. “But the truth is it probably adds one second. Maybe over the course of an entire day, it adds a minute.” And, it increases data security tremendously, he says.
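The "simple code sent to their mobile phone" that Herman describes is usually a time-based one-time password, the same mechanism listed earlier under One-time Password and Two-factor Authentication. The script below is an added example, not from the original article, implementing RFC 4226 HOTP and RFC 6238 TOTP with the standard library, plus the server-side check that makes it a real second factor: a small window for clock skew and a rule that a code window, once accepted, can never be accepted again. The secret is the published RFC test-vector secret so the output can be checked against the standard; a real enrollment generates a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test-vector secret, used only so the codes below can be
# checked against the published vectors. Real secrets must be random per user.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits)


def provisioning_uri(account, issuer, secret):
    """otpauth:// URI that authenticator apps read from an enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"


class TotpVerifier:
    """Server-side check for one user: accept the current window or one on either
    side (clock skew), and never accept the same or an older window twice (replay)."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1   # highest counter already consumed by this user

    def verify(self, code, timestamp=None):
        if timestamp is None:
            timestamp = time.time()
        counter = int(timestamp // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue          # a code for this window was already used
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri("alice@example.com", "ExampleCorp", SECRET))
    print("code at t=59:", totp(SECRET, timestamp=59))       # 287082 per RFC 6238
    v = TotpVerifier(SECRET)
    print("first use accepted:", v.verify("287082", timestamp=59))
    print("replay accepted:   ", v.verify("287082", timestamp=59))
```

The replay rule is what makes the code "work for only one transaction": an attacker who phishes a TOTP code has at most a 30-second window to use it, and only if the victim has not used it first. The verifier must also rate-limit attempts, since six digits give an attacker a 3-in-a-million chance per guess with a one-window skew allowance.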

Educate employees: Everyone is a part of data security. Data security is a job for people far beyond your IT department. All employees should read and understand your organization's policies on data security. You should try to ensure that all employees understand, among other things, what data is confidential and what rules they must follow in accessing your network, including from remote locations. They should also understand the threat posed by phishing emails and by social media accounts, which attackers mine for the details that make those emails convincing.

Establish policies on mobile phones and other mobile devices. Mobile devices, especially the mobile phones that all of your employees use every day, can represent a significant threat to your system's data security. If your organization provides employees with mobile phones or other mobile devices, you should set policies on how they can be used and when, if ever, employees can install outside applications on them. If you allow employees to use their own devices to access company data or the company email system, you should have a process to ensure those devices have adequate encryption, screen locks, and other security measures in place so they are not a threat to your organization's data.

Protect all data by default. A significant problem with data security is that once an intruder breaks through the outer "wall" into a computer network, he or she often has easy access to the data within that system. More and more experts recommend layered security throughout the system rather than at the perimeter alone. For example, transparent data encryption keeps a database's files unreadable if they are copied off the server, and field-level encryption or masking protects the most sensitive values even from users who can query the database. Organizations are also moving to a model in which only applications and devices they trust are allowed to reach the data, with trust established from the user's authenticated identity, the device's state, its location, and other signals rather than from network position alone.

Use an ad blocker on every device on your network. Not only will an ad blocker make employees more productive, but it will also reduce the chance that employees inadvertently open a malicious pop-up ad that leads to a data breach.

Stay updated on known vulnerabilities. Security researchers throughout the world are constantly finding new vulnerabilities in networks and software, including the software your organization runs, so tracking those disclosures has to be a continuous task.

Stay apprised of the latest data security threats worldwide. Beyond known vulnerabilities, your IT professionals should stay updated on the latest data security threats known worldwide. Free online community forums and resources like CVE can help.

Hire a hacker. Even companies that think they're doing a good job with data security cannot trust that their system is secure; they should continually and intensively test that security. Many organizations hire "white hat" hackers (penetration testers) to attack their networks and report the weaknesses a skilled attacker would be able to find and exploit.

Immediately fix any vulnerabilities you discover. Keeping track of your possible vulnerabilities and data security issues does no good if you delay acting on what you find. Experts suggest that your team quickly apply software updates that patch known vulnerabilities, and immediately make the other fixes that your own testing and threat tracking reveal.

Have an emergency plan and follow it closely after any data breach. The Ponemon Institute's annual "Cost of Data Breach Study" has routinely found that the most important factors in lowering the cost of a breach are discovering and containing it as quickly as possible. That means continual monitoring of your system and having an incident team ready, either an internal team or an external group contracted to help immediately. You might consider performing a test drill with a simulated attack to see how well your response plan works.
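Two of the challenges named earlier were that organizations don't know when their data is being accessed suspiciously because they don't monitor closely enough, and the point just above is that fast discovery is what keeps breach costs down. The script below is an added example, not from the original article, of the simplest useful detection over authentication logs: it flags credential stuffing (one source address failing against many different accounts in a short window, as happens when attackers replay breached email/password pairs) and account brute-forcing (many failures against one account). The log lines and their format are constructed for the demo; the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (format assumed for the demo).
LOG_LINES = """\
2018-03-01T10:00:01Z ip=192.0.2.10 user=alice result=OK
2018-03-01T10:00:05Z ip=198.51.100.4 user=alice result=FAIL
2018-03-01T10:00:06Z ip=198.51.100.4 user=bob result=FAIL
2018-03-01T10:00:07Z ip=198.51.100.4 user=carol result=FAIL
2018-03-01T10:00:08Z ip=198.51.100.4 user=dave result=FAIL
2018-03-01T10:00:09Z ip=198.51.100.4 user=erin result=FAIL
2018-03-01T10:00:10Z ip=198.51.100.4 user=frank result=OK
2018-03-01T10:01:00Z ip=203.0.113.9 user=admin result=FAIL
2018-03-01T10:01:02Z ip=203.0.113.9 user=admin result=FAIL
2018-03-01T10:01:04Z ip=203.0.113.9 user=admin result=FAIL
2018-03-01T10:01:06Z ip=203.0.113.9 user=admin result=FAIL
2018-03-01T10:01:08Z ip=203.0.113.9 user=admin result=FAIL
2018-03-01T10:30:00Z ip=192.0.2.11 user=bob result=FAIL
2018-03-01T10:30:20Z ip=192.0.2.11 user=bob result=OK
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Turn raw lines into event dicts with a datetime; silently skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def burst(fails, window, threshold):
    """Return the first run of >= threshold failures whose timestamps fit in `window`."""
    fails = sorted(fails, key=lambda e: e["ts"])
    j = 0
    for i in range(len(fails)):
        while fails[i]["ts"] - fails[j]["ts"] > window:
            j += 1
        if i - j + 1 >= threshold:
            return fails[j:i + 1]
    return None


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_failures=5, min_users=4):
    """One IP, many accounts, many failures: replayed breached credentials. Also report
    whether the same IP then logged in successfully, i.e. an account was taken over."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        hit = burst(fails, window, min_failures)
        if hit is None:
            continue
        users = {e["user"] for e in hit}
        if len(users) < min_users:
            continue
        success_after = any(e["ip"] == ip and e["result"] == "OK" and e["ts"] >= hit[-1]["ts"]
                            for e in events)
        alerts.append({"type": "credential_stuffing", "ip": ip, "failures": len(hit),
                       "distinct_users": len(users), "success_after": success_after})
    return alerts


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=5):
    """Many failures against one account inside the window, from any source."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_user[e["user"]].append(e)
    alerts = []
    for user, fails in by_user.items():
        hit = burst(fails, window, min_failures)
        if hit is not None:
            alerts.append({"type": "brute_force", "user": user, "failures": len(hit),
                           "sources": sorted({e["ip"] for e in hit})})
    return alerts


if __name__ == "__main__":
    events = parse(LOG_LINES)
    for alert in detect_credential_stuffing(events) + detect_brute_force(events):
        print(alert)
```

The stuffing alert carries `success_after: True`, which is the signal that turns a noisy "someone is probing" event into an incident: the account that logged in after the burst must be treated as compromised and its session revoked. Bob's single failure followed by a successful login is normal user behaviour and produces nothing.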

What Are Data Security Standards?

Data security standards are rules that apply to data security within some countries, governmental organizations, and industries. There are also voluntary standards, for instance ISO/IEC 27001 from the International Organization for Standardization and the International Electrotechnical Commission, that specify in detail the requirements for an information security management system. Organizations that implement such standards can be audited and certified against them.
Some notable standards:
FIPS 200: FIPS 200 (one of the Federal Information Processing Standards) sets the minimum security requirements for U.S. federal information systems.

NIST SP 800-53: Published by the National Institute of Standards and Technology, Special Publication 800-53 catalogues the detailed security and privacy controls that implement the FIPS 200 requirements. The controls are mandatory for U.S. federal information systems and are voluntarily adopted by many other organizations.

PCI DSS: The Payment Card Industry Data Security Standard, a contractual standard set by the card brands that applies to any organization that stores, processes, or transmits cardholder data, intended to protect holders of credit and debit cards.

Laws That Govern Data Security

A number of countries, including the US, have enacted various laws that govern data security in certain jurisdictions and within certain industries. Below are some notable examples. Please keep in mind that the information below is provided for informational and educational purposes only and is not intended as legal advice — you should consult with your own attorney to determine if and how these laws apply to you. You should not rely on this as legal advice or as a recommendation of any particular legal understanding.

The UK Data Protection Act of 1998: The United Kingdom Parliament approved a law requiring certain data security measures to protect personal data stored on computers.

Gramm-Leach-Bliley Act: This law, passed by the U.S. Congress in 1999, included a number of major provisions dealing with banks and financial institutions. An important provision requires financial institutions, including investment advisers and insurance companies, to safeguard sensitive personal data, explain to customers how they share information and how customers can prohibit their information from being shared.

Health Insurance Portability and Accountability Act (HIPAA): This U.S. federal law, governing health institutions and those who do business with them, includes a privacy rule that requires certain data security safeguards to protect people’s personal health information.

Health Breach Notification Rule: This U.S. federal law governs businesses that may How do you normally handle the disclaimer language?have individual personal health information but aren’t governed by HIPAA. It requires those businesses to notify their customers, the Federal Trade Commission, and in some cases the media if there’s a breach of that health information.

New York State Cybersecurity Regulations: Beginning in 2017, financial institutions regulated by the New York Department of Financial Services are required to have comprehensive security in place to protect their customers’ private data.

General Data Protection Regulation of the European Union (EU): This regulation, which is also known as GDPR, went into effect on May 25, 2018, and requires that organizations that process personally identifiable information of individuals take certain measures to ensure individuals know what information about them is being collected and that they consent to the collection, use, and processing of that information. The GDPR also grants individuals a number of rights in relation to their data including the right to be informed, right of access, right of rectification, right to erasure, right to restrict processing, right to data portability, right to object, and right in relation to automated decision making and profiling. Since the regulation applies to any entity that has personal information on a resident of the 28 countries of the EU, it is in effect a worldwide regulation and will govern most multinational corporations, including companies like Facebook and Google.


Understanding the Difference Between Data Security and Privacy

Data security and privacy are closely intertwined. But the idea of privacy is larger than simple data security, and it’s important to understand the difference.

Your organization can comply with all rules and regulations relating to keeping data secure. But it can still then use people’s personal data — tracking their location, gathering information on people in their electronic address books, tracking their emails — in a way that some people believe violates their privacy. Your organization should have policies on how personal information is used, how people are told their information is being used, and how they can give, decline or revoke their consent.

Improve Information and Data Security with Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk. 
These templates are provided as samples only. These templates are in no way meant as legal or compliance advice. Users of these templates must determine what information is necessary and needed to accomplish their objectives.
