4. Data access and user rights. All internal and external access to an SFO's business applications and communications network must be controlled by the SFO and/or its hosting service provider. SFOs must consider where best to utilize both hardware/software security devices and encryption technology. Users should have access to only those systems and specific data that are required to perform their duties. Staff members should be reminded to keep their passwords and IDs confidential.

5. Attacks on information technology systems. It's important to be able to identify and assess the seriousness of potential security system breaches. System logs should be in place and reviewed daily by SFOs and/or their hosting service.

6. Data backup. Some SFOs have data backup procedures that are inconsistent with protecting privacy and confidentiality. For example, SFOs may back up key data, but the backup disk or tape that contains private information may not be kept secure. It may be taken home by a staff member, where it can get lost, stolen or copied. SFOs should approach data backup in a more secure manner.        

The Workplace
Protecting privacy and confidentiality in the workplace begins with people. Hiring practices and background and reference checks are important. Employees should also be trained to deal with security issues. SFOs are usually very selective when hiring new employees, but they need to go further when it comes to raising their employees' awareness about what to do to protect private and confidential information.  

SFOs need to consider the following workplace controls:
1. General office security. SFOs should evaluate their office security, including staff, vendor and visitor access to both the general premises and specific areas of the office. It is important to limit access to areas of the office where private and confidential information is accessible.  

2. Work area policy.

How are documents that contain sensitive information discarded?
Do printer and copier areas and conference rooms get cluttered with documents that contain sensitive information?
Do employees keep passwords, account numbers and other sensitive information on Post-it notes taped to their PCs?
Are physical files kept under lock and key? Who has access?
Are electronic files restricted to only those individuals that need to know?
Is there a shredding policy?

3. Staff training. SFOs should have a written policy and an introductory training session for employees that clearly explain what the expectations are regarding the safeguarding of sensitive information.   

Many of the recommendations highlighted above can be implemented by SFOs in a relatively simple manner. SFOs should evaluate their current level of security and determine what steps they may need to take in order to enhance their ability to protect the privacy and confidentiality of their family members.    

Jim Campbell is a partner at Windward Advisory Group, a family office technology consultant in Princeton, N.J.
