How to prevent a data security breach
PURPOSE
Review the security training program available at Mister Car Wash and understand why data security is important.
PEOPLE
Attackers target employees because tricking a person (phishing, a phone call, a convincing email) is usually easier than breaking into the network directly. The security training program at Mister Car Wash stresses why security is important. By understanding the WHY, we believe that even when people forget the HOW, they will ask for help instead of putting the company at risk.
-
Security Awareness Training (Mister Learn)
- This training teaches employees why and how to protect sensitive data, how to recognize social engineering, how to spot phishing emails, and other strategies for staying safe on computers, mobile devices, and in the office.
-
Payment Card Industry DSS Compliance (Mister Learn)
- This training teaches how to protect consumer credit card data and covers the PCI DSS requirements around cardholder data. PCI DSS is an industry standard enforced through the company's agreements with the card brands and payment processors rather than a law, but non-compliance carries fines, higher processing fees and the loss of the ability to accept cards.
-
Security Awareness 101 (Instructor-Led)
- This training program teaches employees how to create a secure password, why multi-factor authentication is important, what counts as sensitive information, and how to protect it.
-
Ownership
- IT develops or sources the training
- Department heads are accountable for employee participation
-
Reference
- Security Awareness Training Policy
PROCESS
Employees need to take careful and deliberate steps when viewing and sharing Mister Car Wash information, to protect our employees, customers and the company.
-
Multi-factor authentication
- Multi-factor authentication verifies that an employee is who they say they are using two or more independent factors (something they know, such as a password; something they have, such as a phone or hardware token; something they are, such as a fingerprint) before granting access to data. A stolen or phished password alone is then not enough to log in, which is why we consider it the number one way to keep bad actors away from sensitive information.
-
Centralize sensitive data instead of distributing through email
- Every copy of a sensitive file (an email attachment, a forwarded message, a download on a laptop) is another place a bad actor can find it. Minimizing the number of locations where sensitive data lives reduces the risk. The most secure method to share information is to keep the data in one central, access-controlled location and give people a secure way to reach it there (a link with the right permissions) instead of sending the data itself.
-
Secure and Encrypt sensitive data
- Encrypting sensitive data, at rest and when it is sent, means that a bad actor who obtains a copy (a lost laptop, an intercepted email, a leaked export) still cannot read it without the key or password. Access controls keep the wrong people from reaching the data in the first place; encryption limits the damage when those controls fail.
-
Ownership
- IT works with business owners to develop secure processes
- Department heads are accountable for employee compliance
-
Reference
- Data Classification Standards Policy – Categorizes data so employees can refer to the document to determine which types of data need to be protected, as well as whether they need to be encrypted and/or password protected.
TECHNOLOGY
The technology includes the third-party applications, tools and network protections we apply.
-
Dayforce, ICIMs (HR)
- Limit access to employees with a documented need for access to employees’ information
- Mask sensitive data in the application and on exports (i.e. replace digits with ‘X’)
- Encrypt and password protect all sensitive information
-
Oracle (Accounting, Finance)
- Mask, encrypt and password protect all sensitive information
-
O365 (email and document storage)
- Configure the data loss prevention tools to search email and documents for sensitive information (card numbers, Social Security numbers) and notify the user when the data is not protected
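The two controls above, masking digits with ‘X’ on exports and scanning content for unprotected sensitive data, are shown together in the added example below. This is illustrative code written for this page, not the logic of Dayforce, Oracle or the O365 compliance tools, and the export rows it scans are constructed samples, not real data. It finds card numbers (13 to 19 digits, confirmed with the Luhn check so that ordinary order or ticket numbers are not flagged) and Social Security numbers, masks every digit except the last four, and returns a report of which rows need a notification to the user. Keeping only the last four digits stays within the PCI DSS display rule, which allows at most the first six and last four digits of a card number to be shown.

```python
import re

# Constructed sample export rows (not real data): an HR/finance export where
# a card number and an SSN ended up in free-text fields.
SAMPLE_ROWS = [
    "Jane Doe, refund processed to card 4111111111111111, ticket 4482",
    "Employee 1023, SSN 123-45-6789, direct deposit updated",
    "Order 98765, total 1234.56, no card data here",
    "Card 4111 1111 1111 1112 declined",  # 16 digits but fails Luhn: not flagged
]

# 13-19 digits, optionally separated by single spaces or dashes between digits.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security number in the common NNN-NN-NNNN layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(value: str, keep_last: int = 4) -> str:
    """Replace all digits except the last keep_last with 'X', keeping separators."""
    digit_count = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > digit_count - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


def find_sensitive(text: str) -> list[dict]:
    """Return PAN and SSN findings in order of appearance."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # regex alone over-matches; Luhn confirms a real PAN
            findings.append({"type": "PAN", "span": m.span(), "value": m.group()})
    for m in SSN_RE.finditer(text):
        findings.append({"type": "SSN", "span": m.span(), "value": m.group()})
    return sorted(findings, key=lambda f: f["span"][0])


def mask_text(text: str) -> tuple[str, list[str]]:
    """Mask every finding in text; returns (masked text, list of finding types)."""
    findings = find_sensitive(text)
    out = text
    for f in reversed(findings):            # replace from the end so spans stay valid
        a, b = f["span"]
        out = out[:a] + mask_digits(f["value"]) + out[b:]
    return out, [f["type"] for f in findings]


def scan_export(rows: list[str]) -> list[dict]:
    """Rows that contain unprotected sensitive data, with the masked replacement.
    Each entry is what the user (and the data owner) would be notified about."""
    report = []
    for i, row in enumerate(rows):
        masked, types = mask_text(row)
        if types:
            report.append({"row": i, "types": types, "masked": masked})
    return report


if __name__ == "__main__":
    for entry in scan_export(SAMPLE_ROWS):
        print(f"row {entry['row']}: unprotected {', '.join(entry['types'])} "
              f"-> masked: {entry['masked']}")
```

A production DLP policy would add more patterns (bank account numbers, driver's licence formats) and act on the finding, for example blocking the send or quarantining the file, rather than only reporting it; the detect-then-mask structure stays the same.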
-
Ownership
- Department heads are accountable for employee compliance
-
Reference
- O365 Security and Compliance Center