Ten Commandments of Digital Protection

Reduce the risk of attackers accessing critical systems and sensitive data and prevent harmful and wrongful acts from occurring.

Does security around your systems and sensitive data need to be evangelized further within your organization, as well as across your customer base and their users? Is your business tempting the digital souls of both insiders and hackers by not committing to rigorous security practices that can thwart wicked attacks and breaches?

In times of unease or danger, we often turn to higher powers for protection from physical or spiritual harm, and sometimes even for protection from misguided souls wishing to harm us. Digital protection of systems and sensitive data is no different. The constant battle between good and evil, darkness and light must be won. Sure, praying can help, but what can be done to protect your customers, their users and your business from nefarious activities?

These 10 Digital Protection Commandments should be solidly in place:

1. You shall not allow access to your system unless users are first validated by one method and then another (multi-factor authentication).
2. You shall not trust what you cannot first verify by independent methods, granting no one system access without following established procedures, to which there are no exceptions, not even for the CEO.
3. You shall implement the Principle of Least Privilege (POLP) by allowing users only enough access to perform their necessary tasks or functions, and nothing more.
4. You shall remind users to update passwords frequently and keep them sacred, never sharing them with others, not even with administrators or managers.
5. You shall write code according to established secure development practices, such as those published by the Open Web Application Security Project (OWASP), which has been blessed as a best-practice framework.
6. You shall disable all processes and services not required for system operation before placing new software revisions into production.
7. You shall implement Separation of Duties (SoD) controls, allowing code to be released into production only after it has been reviewed and approved by at least two independent parties.
8. You shall design both active and passive defenses for each layer of the Open Systems Interconnection (OSI) model when creating new functions, code or procedures, whether for an application programming interface (API) or a distributed application.
9. You shall enumerate your systems and assess the risks of each, developing a sound plan to address issues before your enemies find them first.
10. You shall ensure all security measures remain in full force 24 hours a day, seven days a week, even during holidays.
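Commandments 3 and 7 are the two that translate most directly into enforceable code. The following Python example, added here and not taken from the article or from Conformance Technologies, shows a deny-by-default permission check (least privilege) and a release gate that refuses a deployment unless at least two distinct approvers, neither of whom is the author, hold the approve permission (separation of duties). The role names, user directory and change identifier are constructed for the illustration.

```python
"""Least-privilege authorization and a separation-of-duties release gate.

Added illustration for commandments 3 and 7; roles, users and change ids
below are constructed sample data, not any real organization's policy.
"""
from dataclasses import dataclass, field

# Least privilege: each role is granted exactly the (resource, action) pairs
# it needs. Anything not listed here is denied, including unknown roles.
ROLE_PERMISSIONS = {
    "billing-clerk": {("invoices", "read"), ("invoices", "create")},
    "auditor": {("invoices", "read"), ("audit-log", "read")},
    "release-manager": {("deployments", "approve")},
}


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Return True only for an explicit grant; deny by default otherwise."""
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


@dataclass
class ReleaseRequest:
    change_id: str
    author: str
    approvals: list = field(default_factory=list)  # approver usernames


def release_gate(req: ReleaseRequest, roles: dict, min_approvers: int = 2):
    """Decide whether a change may go to production.

    roles maps username -> role. Returns (ok, problems) where problems is a
    list of human-readable reasons the gate refused the release.
    """
    problems = []
    if req.author in req.approvals:
        problems.append(f"{req.author} cannot approve their own change")
    # Count only approvers who are not the author and actually hold the
    # approve permission; a set removes duplicate approvals by one person.
    eligible = {
        a for a in req.approvals
        if a != req.author and is_allowed(roles.get(a, ""), "deployments", "approve")
    }
    if len(eligible) < min_approvers:
        problems.append(
            f"need {min_approvers} independent approvers, have {len(eligible)}"
        )
    return (not problems, problems)


# Constructed user directory for the demonstration.
SAMPLE_ROLES = {
    "alice": "release-manager",
    "bob": "release-manager",
    "carol": "billing-clerk",
    "dave": "release-manager",
}

if __name__ == "__main__":
    print(is_allowed("billing-clerk", "invoices", "delete"))  # denied
    good = ReleaseRequest("CHG-0001", "dave", ["alice", "bob"])
    bad = ReleaseRequest("CHG-0002", "dave", ["alice", "dave"])
    print(release_gate(good, SAMPLE_ROLES))
    print(release_gate(bad, SAMPLE_ROLES))
```

The gate reports every violated rule rather than stopping at the first, so an audit log records both that the author self-approved and that the change lacked independent sign-off; the deny-by-default lookup means a typo in a role name fails closed instead of open.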

Data security and system integrity are a practice of faith. They should be part of who you are and what you do day in and day out, not just on holidays, for releases, after data breaches or during audits. The ultimate goal is to reduce the risk of attackers gaining access to critical systems and sensitive data, and so to prevent harmful and wrongful acts from occurring. These Commandments should give you the guidance to do just that!


Darrel Anderson is a sought-after consultant in the payments and privacy industries, providing advice and guidance to some of the largest processors, gateways and retail merchants in the world. He currently is president of Conformance Technologies, a fast-growing provider of solutions designed to effectively assess and monitor risk and compliance for small and midsize businesses, while reducing the effort and complexity surrounding these tasks. He can be reached at danderson@conformancetech.com.