Internet/Network Security/Business Network Security
Our data auditing business audits data that is moderately sensitive, but contains no identity theft type information. We encrypt the data on our PC's. We do not host any servers or web sites. We work from multiple locations. Each has a hardware firewall.
Do we have a reasonable level of security, or is there something we are missing?
ANSWER: Your question is a good one but it can't be answered based on the information given. Securing a system requires addressing each aspect that can effect confidentiality, integrity and availability of the information. To get an idea of how much information is missing, compare what you've told me here, with the minimum applicable category in NIST 800-53.
If you can be more specific perhaps there's a better answer.
---------- FOLLOW-UP ----------
QUESTION: To be more specific: Hospitals send me records of test result notifications. Thesee records do not contain private patient information, but they do contain patient names. I create a report and send it to the hospital. I've complied with the hospitals's business associate agreement.
I have a hardware firewall, and keep the data encrypted. Is this sufficent security, or do I need more protection?
This isn't legal advice nor is it specific enough to be considered professional advice for your situation.
You have an agreement with the data owner. Add a clause that indemnifies you from liability if you're compliant with what they require. Then obtain written evidence that you comply with what they require. (If they require you to comply with a legislative requirement then you can be audited by a third party. If they use their own set of requirements, they may have to audit you).
If you're looking for an answer that gives technical details about the right thing to do for your situation you need a professional opinion. I can't give you one without auditing you. It sounds as though you may need to comply with HIPPA. If this is true then you need to comply with HIPPA in order to prevent the risk of fines associated with being non-compliant. Perhaps this is possible by obtaining insurance against the possible loss. It's also important to understand "encryption" doesn't mean anything specific. Some people think a hash is encryption; it is not. The best encryption algorithm needs to be implemented properly if its going to be effective. Many of the well-known problems associated with wireless networking are a result of poor/incorrect implementation.
Hope this helps.