Integration project framework: data security
The second step in building your integration project framework is focusing on data security.
The goal of this step is to understand the type of data you're integrating and the requirements around securely exchanging this information. Integrating personally identifiable information (PII) versus summarized time data is much different. The former has many more requirements for you to consider.
If you've lived under a rock over the past 15-20 years, you're not aware of terms such as data breach, cyberattack, etc... You're also not aware of numerous legal statues created to protect sensitive information.
We assume you're like 99% of us, you're not in that group and you're not an expert when it comes to data security either. The good news is you don't need to be an expert to understand the basics of data security and how it impacts your integration project.
Simply put, you need to make sure if your integration does include PII, proper security measures are put in place. Here's a good set of Cliffsnotes if you do have PII:
Ensure that data is transmitted over encrypted channels (https, SFTP, etc...) or data is encrypted (using PGP or other industry recommended encryption algorithm) when transmitted over unencrypted channels (http, ftp, etc...).
Standard email is not a secure transmission channel. Please don't ever email unencrypted PII data over email. We can't tell you how many times we see this happen.
When using encryption, the larger the key size, the higher level of encryption used. A 256 bit key is significantly more secure than a 128 bit key.
If an intermediary data story is utilized in your integration, ensure the data is encrypted at rest and there are retention policies in place for data deletion. For example, in detamoov all data transmitted through the platform is encrypted at rest and each detamoov customer can customize their own data retention policy.
If you don't need to store PII in an intermediary data store, don't do it!
How to achieve your goal
To achieve your data security goal, you must first answer this question:
"Is there any PII in the data I'm integrating?"
If no, move on!
If yes, your job gets harder where you'll need to answer these questions:
What security measures are in place to protect data in transport?
What security measures are in place to project data at rest?
What legal statutes must I be in compliance with? Keep in mind, it's not just federal statutes, many states have their own you need to be aware of.
Will I be in compliance with my internal information security plan?
Will I be in compliance with my data security insurance policy?