Keep your company protected from cyber crime

Data Breach and Privacy Violations

1. Data Protection & Classification Policy

  • Classify data into levels (e.g., public, internal, confidential, highly confidential).
  • Implement access controls based on data sensitivity.
  • Require encryption for confidential and highly confidential data.
  • Define data retention and disposal procedures.

2. Access Control & Least Privilege Policy

  • Follow the principle of least privilege (PoLP): only provide employees access to the data they need.
  • Use role-based access control (RBAC) to manage permissions.
  • Require strong, unique passwords and multi-factor authentication (MFA) for access to sensitive data.
  • Regularly review and update user access rights.

3. Incident Response & Data Breach Policy

  • Establish a clear Incident Response Plan (IRP) with roles and responsibilities.
  • Define steps for identifying, containing, eradicating, and recovering from a breach.
  • Require mandatory reporting of security incidents within a set timeframe.
  • Ensure compliance with regulatory breach notification laws (e.g., GDPR, HIPAA, CCPA).

4. Employee Cybersecurity Training & Awareness Policy

  • Conduct regular cybersecurity training for all employees.
  • Include phishing simulations to educate employees on common attack methods.
  • Establish a culture of security awareness by encouraging employees to report suspicious activity.
  • Require annual security policy acknowledgment and testing.

5. Third-Party Vendor Security Policy

  • Assess third-party vendors’ security posture before granting them access to company systems.
  • Require vendors to adhere to company security policies and comply with data protection laws.
  • Include data protection clauses in vendor contracts (e.g., data processing agreements).
  • Limit vendor access to only necessary data and services.

6. Bring Your Own Device (BYOD) & Remote Work Security Policy

  • Require company-approved security software on personal devices used for work.
  • Mandate VPN usage when accessing corporate networks remotely.
  • Prohibit storage of confidential company data on unsecured personal devices.
  • Implement remote wipe capabilities for lost or stolen devices.

7. Encryption & Secure Communication Policy

  • Enforce end-to-end encryption for emails, cloud storage, and sensitive data transfers.
  • Use secure file-sharing platforms instead of email attachments.
  • Prohibit public Wi-Fi usage for accessing confidential data without a VPN.
  • Mandate secure password managers for storing credentials.

8. Password & Authentication Policy

  • Require strong passwords (e.g., at least 12 characters with a mix of letters, numbers, and symbols).
  • Implement Multi-Factor Authentication (MFA) for all critical accounts.
  • Enforce password expiration and rotation policies.
  • Ban password reuse across multiple accounts.

9. Data Retention & Secure Disposal Policy

  • Define retention periods for different types of data (e.g., HR records, financial data).
  • Regularly review and delete unnecessary data to minimize breach risk.
  • Use secure deletion methods (e.g., data shredding, secure wipe tools).
  • Require physical destruction of hard drives when decommissioning hardware.

10. Physical Security & Workspace Clean Desk Policy

  • Restrict physical access to data centers and sensitive workspaces.
  • Implement visitor access logs and escort requirements.
  • Require employees to lock their computers when stepping away.
  • Prohibit writing passwords on sticky notes or storing sensitive documents openly.