The NCSC have a wealth of guidance on best practice (https://www.ncsc.gov.uk/) particularly on safeguarding and protecting the privacy when huge amounts of data are stored and processed. These include:

​

1. cataloguing your data;

2. ensuring you only keep data necessary for your business;

3. awareness of any vulnerabilities;

4. employ access control based on least privilege;

5. employ strong identity and authentication for privileged users;

6. employ strong supplier/third party management (there is more of this under the GDPR banner on this site);

7. there is an audit trail - you log access to data;

8. Software development is secure (Dev-Sec-Ops) - test 3rd Party software against OWASP Top 10;

9. Don't use unsupported software;

10. employ a protective monitoring regime to detect cyber-attacks AND internal attacks;

11. Incorporate automatic alerts if compromise is detected;

12. All access processes are controlled - restrain bulk access - check interfaces of access;

13. Restrict user rights from accessing large quantities of records at once, reduce search capabilities;

14. Protect administrator accounts from cyber compromise;

15. Ensure integrity of Back Ups.

 

Unfortunately some of the guidance is disjointed and hard to find (I understand the search engine is due for improvement), so I have provided more detail on these guidelines in the PDF.  Please feel free to open and download for future reference.

​