Bylined Articles

A really TRUSTe Web site

By Eric J. Sinrod
May 4, 2005
USAToday.com

TRUSTe, a non-profit online privacy leader, has just issued its first set of data security guidelines to assist companies evaluating new or existing policies for safeguarding personal information of consumers and employees. TRUSTe states that it has "answer(ed) the call for comprehensive real-world measures providing application-appropriate strategies for strict data security." TRUSTe's guidelines cover three primary areas: technical security, administrative controls, and physical controls.

With respect to technical security, TRUSTe provides guidance as to how to: (a) control access to sensitive information that resides on data storage devices such as servers, desktop PCs, laptops, and PDAs; (b) establish password usage policies that encompass specified rules; (c) control access to sensitive information that can be displayed, printed, or downloaded to external storage devices, especially desktop PCs, laptops or PDAs; (d) monitor user accounts to identify and eliminate inactive users; (e) ensure sufficient safeguards over transmission and storage of sensitive data; (f) configure all servers, desktop PCs, and laptops prior to use; (g) configure firewalls to provide maximum protection over sensitive information, while balancing business needs with reasonable security; (h) install and configure anti-virus and anti-spyware software to provide maximum protection over sensitive information on all servers, desktop PCs, and laptops; (i) implement security software updates and patches in a timely manner; (j) use monitoring and control procedures to assess threats, vulnerabilities and risk to enterprise systems and networks; and (k) sanitize all data storage media before reuse, disposal or retirement of electronic storage equipment.
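Items (b) and (d) above are the kind of control that is easy to state in a policy and easy to let lapse in practice. The following is an added example, not code from TRUSTe or from the column: a small account audit that applies an inactivity threshold and a maximum password age to a constructed account inventory and reports which accounts should be disabled and which need a password rotation. The 90-day and 180-day thresholds, the field names and the sample accounts are all assumptions chosen for illustration.

```python
"""Account audit against an inactivity rule and a password-age rule.

Added example (not TRUSTe's or the columnist's code). Thresholds and the
sample inventory below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    last_login: Optional[date]  # None means the account has never been used
    password_set: date          # date the current password was set
    enabled: bool


# Assumed policy thresholds (days); adjust to the organisation's written policy.
INACTIVE_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 180


def audit_accounts(accounts: List[Account], today: date,
                   inactive_days: int = INACTIVE_DAYS,
                   max_pw_age: int = MAX_PASSWORD_AGE_DAYS) -> Dict[str, List[str]]:
    """Return usernames that violate the inactivity and password-age rules.

    Accounts that are already disabled are skipped. An account that has never
    logged in is aged from the date its password was set, so a long-unused
    provisioned account is caught as well as a dormant one.
    """
    findings: Dict[str, List[str]] = {"disable": [], "rotate_password": []}
    for acct in accounts:
        if not acct.enabled:
            continue
        last_activity = acct.last_login or acct.password_set
        if (today - last_activity).days > inactive_days:
            findings["disable"].append(acct.username)
        if (today - acct.password_set).days > max_pw_age:
            findings["rotate_password"].append(acct.username)
    return findings


# Constructed sample inventory; dates chosen relative to the column's date.
SAMPLE_ACCOUNTS = [
    Account("alice", date(2005, 4, 30), date(2005, 1, 10), True),  # active, fresh password
    Account("bob",   date(2005, 1, 15), date(2004, 12, 1), True),  # dormant for 109 days
    Account("carol", None,              date(2004, 10, 1), True),  # provisioned, never used
    Account("dave",  date(2005, 5, 1),  date(2004, 9, 1),  True),  # active, stale password
    Account("eve",   date(2004, 6, 1),  date(2004, 6, 1),  False), # already disabled
]


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed inventory as of the column's publication date."""
    return audit_accounts(SAMPLE_ACCOUNTS, date(2005, 5, 4))


if __name__ == "__main__":
    for action, users in run_sample().items():
        print(f"{action}: {', '.join(users) or '(none)'}")
```

Run the script as-is to see the two finding lists; in practice the inventory would be exported from the directory or identity system, and the "disable" list is better fed into a ticketing or review step than acted on blindly, since a service account that authenticates by key rather than interactive login can look dormant.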

When it comes to administrative controls, TRUSTe offers advice in terms of: (a) establishing a security committee; (b) setting up a formal, written security policy and detailed standard operating procedures; (c) conducting ongoing security risk assessments; (d) requiring a system security plan for every major system and network; (e) establishing a contingency plan, including maintenance of access controls; (f) integrating security throughout the system life cycle; (g) setting up formal data backup processes; (h) putting in place a security auditing process; (i) documenting all system and network configurations; (j) implementing employee awareness and training programs; (k) establishing special procedures for outsourced IT or data management activities; and (l) setting up an incident investigation and notification mechanism.

As far as physical controls are concerned, TRUSTe gives guidance with respect to: (a) monitoring legitimate use and access; (b) establishing physical access controls; (c) installing secure checkpoint review and monitoring procedures; (d) securing the data facility, including all storage devices and computer equipment; and (e) installing and maintaining reasonable environmental protections over all data center assets.

The complete guidelines can be accessed at http://www.truste.org/pdf/SecurityGuidelines.pdf. These guidelines certainly are worthy of a read. What do you have to lose, except, in the absence of proper procedures, personally identifiable information?

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology disputes. His column appears Wednesdays at USATODAY.com. His Web site is www.sinrodlaw.com, and he can be reached at . To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to .

Reprinted here with permission from USAToday.com.