To assist in the development and implementation of an effective security strategy plan and incident response plan, organizations are encouraged to audit their level of preparedness by surveying their team and vendors with the following questions:

Do you know what sensitive information is maintained, where it is stored and how it is kept secure? Do you have an accounting of all information stored, including backups and archived data?

Do you know what data elements or attributes are

Who has access to each data set and data elements? Is access limited by account or client responsibility? (Limited vs administrative rights, read only, etc.)

How do you provision new user accounts, audit user rights and revoke them on job changes or termination? Do you have a comprehensive password management system?

Do you have intrusion detection systems? How often do you review and test them?

How do you monitor outbound systems for abnormal or

What logs are maintained, how are they secured and used for intrusion detection? Do you have a process and procedure for

Is your definition of personal information current and in line with both applicable industry regulation and customer's

Do you have a trained incident response team in place ready to respond 24/7?

Is your executive management aware of security, privacy and regulatory requirements related specifically to your business (including breach notification requirements in the US, Canada and the EU)?

Have you conducted a comprehensive audit of your data flows across the enterprise and vendors, including a privacy and security review of all data collection and management activities?

Are security disclosures and requirements included in your terms of service and service contracts with customers and vendors? Do your contractual requirements account for exceptional risk and liability due to the nature of the work or service provided by third party

Are you prepared to communicate to customers, partners, shareholders and the community at large in the event of a data

Are employees equipped to notify management of security incidents, including intrusion, breach, data misuse or data

Have you coordinated with all departments (for example information technology, corporate security, marketing, governance, fraud prevention, compliance, HR and regulatory teams) with respect to breach readiness for a data loss incident?

Have you developed relationships with law enforcement and forensics services in advance of an incident, and do you understand their data requirements and how to work with them?

Do you have a privacy review and audit system in place for all data collection, storage, manipulation or usage activities, including those of third-party service providers and partners? Have you taken necessary or reasonable steps to protect customer confidential data?

What processes do you have in place for data minimization, secure archiving and data destruction?

provide an ability to examine customer data files and share information with forensics specialists and law enforcement officials and to investigate reports of misuse?

Have you developed a mutual understanding with your service providers of the security requirements they must adhere to in managing or processing your data?