Healthcare Matters October 2011
by Tim Wright, Senior Manager
No organisation can survive without data, and the hospitality industry is no exception. There must be appropriate controls in place to cover the confidentiality of data (so that it is only seen and used by those authorised to do so); its integrity (so that the data is completely reliable); and its availability (so that it may be used when required).
Some of these controls are mandatory. Thus, for example, the Data Protection Act 1998 (DPA) covers how you acquire personal data, how you use it, where and how you store it, how long you keep it, who has access to it, etc. It’s also important to ensure that your business is appropriately registered with the Office of the Information Commissioner.
Any processing of credit or debit card payments immediately makes an organisation contractually obliged to abide by each of the 288 controls of the Payment Card Industry Data Security Standard (DSS). These cover many aspects of security, from having an adequate policy and awareness framework to proper systems access controls and monitoring.
What are the associated risks? Potentially there might be a heavy financial penalty for breaching the DPA; or sanctions ranging from raised transaction charges to withdrawal of card processing facilities for non-compliance with the DSS. But these consequences can pale into insignificance compared with the severe reputational impact which may be associated with a lack of adequate control. The road to insolvency is littered with organisations whose reputation suffered irreparable damage as a result of some control failure.
The lack of appropriate availability of reliable data may well be literally the difference between life and death for any organisation. It is thus absolutely vital that data backups are taken regularly, and they should be tested just as regularly. You don’t want to wait until you need to restore some backed-up data to discover that the particular folder in question wasn’t being backed up at all, or that the backup data has been corrupted in some way. And don’t store the backup in the same place as the original; it needs to be taken somewhere else, either electronically (some sort of “cloud” solution – there are many inexpensive options) or physically.
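The backup test described above, as an added example that is not code from the article or its author: a Python check that compares a backup copy against the live source, flagging any required folder that was never backed up at all and any file whose backed-up contents no longer match the original. The folder names and file contents are constructed for illustration, and the check is run in a temporary directory.

```python
"""Backup verification check.

Confirms that every required source folder is present in the backup and that
each backed-up file is byte-for-byte intact (compared by SHA-256), so that a
missing folder or a corrupted copy is found at test time, not at restore time.

Added example for this article; not the author's or any vendor's code.
The directory layouts and file contents below are constructed purely for
illustration and are created in a temporary directory.
"""

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path, required_folders: list) -> dict:
    """Compare a backup copy against the live source.

    Returns a report with:
      missing_folders  - required folders absent from the backup entirely
      missing_files    - files present in source but not in backup
      corrupted_files  - files present in both but with differing digests
      ok               - True only if all three lists are empty
    """
    src = manifest(source)
    bak = manifest(backup)
    missing_folders = [d for d in required_folders if not (backup / d).is_dir()]
    missing_files = sorted(f for f in src if f not in bak)
    corrupted = sorted(f for f in src if f in bak and src[f] != bak[f])
    return {
        "missing_folders": missing_folders,
        "missing_files": missing_files,
        "corrupted_files": corrupted,
        "ok": not (missing_folders or missing_files or corrupted),
    }


def build_demo() -> tuple:
    """Construct a sample source tree and a flawed backup of it (constructed data)."""
    base = Path(tempfile.mkdtemp(prefix="backup-check-"))
    source, backup = base / "source", base / "backup"
    sample = {
        "bookings": {"2011-10.csv": b"room,guest,nights\n12,A. Smith,2\n"},
        "payroll": {"october.xlsx": b"constructed payroll bytes"},
        "menus": {"autumn.pdf": b"constructed pdf bytes"},
    }
    for folder, files in sample.items():
        (source / folder).mkdir(parents=True)
        for name, data in files.items():
            (source / folder / name).write_bytes(data)
    # The backup job copied "bookings" faithfully, silently skipped "menus",
    # and the "payroll" copy was truncated in transit.
    (backup / "bookings").mkdir(parents=True)
    (backup / "bookings" / "2011-10.csv").write_bytes(
        (source / "bookings" / "2011-10.csv").read_bytes()
    )
    (backup / "payroll").mkdir(parents=True)
    (backup / "payroll" / "october.xlsx").write_bytes(b"constructed payroll")
    return source, backup


def demo_report() -> dict:
    """Run the check over the constructed sample and return its report."""
    source, backup = build_demo()
    return verify_backup(source, backup, ["bookings", "payroll", "menus"])


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Run this on a real backup by pointing `verify_backup` at the live data root and the restored (or mounted) backup root, with the list of folders that must be present; a report whose `ok` is false is the early warning the article describes, caught on a schedule rather than during an emergency restore.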
Many businesses in the hospitality industry would not employ a specialist in information security, but you should consider employing external help on an as-needed basis.
These specialists will be able to analyse your processes and infrastructure, and advise on those policies, standards and procedures which need introduction or amendment. They can assist in the implementation of controls which will work effectively within your organisation, taking into consideration any existing culture and compliance framework. Employing specialists like this may seem an expensive way forward; but when you consider the alternatives, it is likely to prove a wise investment.
Even if you outsource your IT – or part of it, for example using “cloud” services to store your data – you cannot outsource your responsibility for having an adequate governance and control framework in place. It is extremely important to ensure that your suppliers are contractually obliged to operate and monitor appropriate security measures which you specify. This should form part of the regular reporting which takes place as part of the ongoing relationship management.
Consideration of emerging technologies, such as the cloud mentioned above or the use of mobile devices (iPads and the like), should be informed by a proper understanding of the associated risks. What impact could there be on the confidentiality, integrity or availability of your data? If you cannot answer these questions satisfactorily and confidently, maybe you should be going down a different path.