Practical Considerations for Privacy & Security Due Diligence
Agenda
Introductions
3rd Party Risk Due Diligence
Best Practices
Questionnaires
On-Site Reviews
Q&A
Personal Lines
Middle Market
Retirement
Mutual Funds
Specialty
Small Commercial
Group Benefits
Individual Life
Annuities
Malicious Cyber-Attacks
Global Consumer Electronics Firm: Hackers stole customer data, including credit card information 100 million records
Lost/Stolen Assets
Community-Based Healthcare Plan: Laptops with patient data stolen by former employee 208,000 records
The multitude of breach regulations don't care how the data was lost. You are subject to the same requirements.
3RD PARTY RISK
Questionnaire
On-Site Visits
Certifications
Annual Audits
Access Control
Compliance
Business Continuity and Disaster Recovery
Verify key physical security and environmental controls are in place.
Verify that security requirements detailed in the Statement of Work are implemented.
Top Questions
1. Do comprehensive information security policies exist that all employees must read and accept?
2. Are all employees and contractors with access to Company data required to take information security awareness training?
3. Are there processes in place that ensure access to Company data is authorized and granted in the most restrictive manner possible and limited to those having a business need for such authorization?
4. Is access to Company data contingent on a thorough criminal background history investigation performed using an accredited personnel investigation agency?
5. Are physical security measures in place to control physical access to systems or output that contain Company data?
Legal/Compliance Risk
What contractual provisions are required to ensure proper resolution of disputes?
If local laws create requirements, are they consistent with the provisions the Company applies to its US-based service providers?
What is the process under local laws for responding to access requests by individuals, subpoenas, or other requests for disclosure from governmental agencies?
Security Controls
Can the vendor reasonably be expected to satisfy stricter or rapidly evolving standards for data security?
Is the vendor transferring data to other locations or countries?
QUESTIONS
Next Webinar
Canadian Breach Regulations
Next Thursday, 10/25 @ 1 PM
Invites with more info and registration information in the next day or two
"Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice."
PC MAGAZINE, EDITORS' CHOICE