ALTA Best Practice Framework Pillar #3

Information Security and Privacy: Implementing a Plan to Protect Non-public Personal Information

Jeff Foltz, CISO


Reference Material for Pillar #3

• Assessment Preparation Workbook (Excel Spreadsheet): https://www.youtube.com/watch?feature=player_embedded&v=-2tlpAF-c94

• ALTA_BestPractices_Policy_and_Procedure_Creation_Guidance.pdf
• Best_Practices_protect_NPI.pdf
• checklist_NPI_network.pdf
• Title_and_Settlement_Company_BestPractices_V_2.0.pdf

ALTA Best Practices Framework version 2

•The ALTA Best Practices Framework has been developed to assist lenders in satisfying their responsibility to manage third party vendors.

•The ALTA Best Practices Framework is comprised of the following documentation needed by a company electing to implement such a program.

1. ALTA Best Practices Framework: Title Insurance and Settlement Company Best Practices
2. ALTA Best Practices Framework: Assessment Procedures
3. ALTA Best Practices Framework: Certification Package (Package includes 3 Parts)

Networking and the Internet: A Brief Synopsis

• 1962: Information Processing Techniques Office (IPTO) created with the Defense Advanced Research Projects Agency (DARPA) with a mandate to interconnect the United States Department of Defense's main computers at Cheyenne Mountain, the Pentagon, and SAC HQ.

• Goal: connecting separate physical networks to form one logical network that would survive in the event of nuclear war.

• 1982: the TCP/IP suite was created and replaced NCP to enable a global network. The internet was born!

• The Problem: Security was never built into the original models. Only availability and sustainability!

Current Threat Landscape

• Malware
• Ransomware
• Mobile Malware
• Botnets
• Phishing attacks
• Spam
• Advanced Persistent Threats
• Nation State Threats
• Hacktivists
• Geo-Political

Identity Theft Resource Center: 2014 Data Breach Category Summary

This week's total, of 761 breaches, represents a 25.6 percent increase over the same time period last year (606 breaches). Stats only on entities that provided #'s!!!!!

Identity Theft Resource Center: 2014 Data Breach Category Summary

• JPMorgan Chase 1 million
• Staples 1.2 Million
• Michael's Stores 2.6 Million
• Neiman Marcus 1.1 Million
• Department of Public Health and Human Services 1 Million
• Texas Health and Human Services (Xerox) 2 Million
• Home Depot 56 million
• IRS 1.4 Million
• Goodwill 800,000
• Variable Annuity Life Insurance 774,000
• Sony 47,000

Real-Estate Process: Rife for Identity Theft

Key Stakeholders for a Successful Program

• Information Security – Policy, controls, logistics, Incident Response
• Physical Security – Policy, facilities, monitoring
• Risk Team – Assess risks and controls
• Learning / Training Team – Disseminate the information
• Human Resources – Policy and hiring / termination practices
• Legal / Compliance – Laws, regulations
• Executive Management

ALTA Mission Statement

• ALTA seeks to guide its membership on best practices to protect consumers, promote quality service, provide for ongoing employee training, and meet legal and market requirements.

– These practices are voluntary and designed to help members illustrate to consumers and clients the industry’s professionalism and best practices to help ensure a positive and compliant real estate settlement experience.

– These best practices are not intended to encompass all aspects of title or settlement company activity.

• ALTA is publishing these best practices for the mortgage lending and real estate settlement industry.

– ALTA accepts comments from stakeholders as the Association seeks to continually improve these best practices. A formal committee of ALTA members regularly reviews and makes improvements to these best practices, seeking comment on each revision.


Voluntary or new De Facto standard?

"Why is a lender going to allow a noncompliant title agent to close their deals, when you have the opportunity of having somebody who is compliant with the Best Practices close a transaction?"

ALTA Definitions

• Non-public Personal Information: Personally identifiable data such as information provided by a customer on a form or application, information about a customer's transactions, or any other information about a customer which is otherwise unavailable to the general public. NPI includes first name or first initial and last name coupled with any of the following:

– Social Security Number,
– Driver's license number,
– State-issued ID number,
– Credit card number,
– Debit card number, or
– other financial account numbers.

– Litmus Test: Can the information be used to conduct identity theft of the individual or entity?

– If YES, then it is considered NPI.
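The litmus test above can be turned into a classifier, which is what a DLP rule for NPI in a title company would do. The following is an added example written for this page, not ALTA's code and not from any tool the deck references. It implements exactly the slide's rule for structured records (a first name or initial plus last name, coupled with one of the listed identifiers) and adds a free-text scan for SSN-shaped and Luhn-valid card-shaped numbers. The field names, the SSN/card patterns and every sample value are constructed assumptions for the demo.

```python
"""
NPI classifier for the ALTA litmus test (added example; not ALTA's own code).

Rule from the slide: a record is NPI when a first name (or first initial) and
last name are coupled with an SSN, driver's license or state ID number, credit
or debit card number, or other financial account number. Field names, the
SSN/card patterns and all sample data are assumptions constructed for the demo.
"""
import re

# Identifier fields that, combined with a name, make a record NPI (from the slide).
NPI_IDENTIFIER_FIELDS = (
    "ssn", "drivers_license", "state_id",
    "credit_card", "debit_card", "account_number",
)

# Free-text (DLP style) patterns. Assumed formats: US SSN written NNN-NN-NNNN,
# and 13-16 digit card numbers with optional single space/dash separators.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_record(record: dict) -> bool:
    """Litmus test on a structured record: name + any listed identifier => NPI."""
    has_name = bool(record.get("first_name") or record.get("first_initial")) \
        and bool(record.get("last_name"))
    has_identifier = any(record.get(field) for field in NPI_IDENTIFIER_FIELDS)
    return has_name and has_identifier


def scan_text(text: str) -> dict:
    """Find SSN-shaped and Luhn-valid card-shaped numbers in free text."""
    ssns = SSN_RE.findall(text)
    cards = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


# Constructed sample data (fictional; 4111... is a well-known test card number).
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},                  # NPI
    {"first_initial": "J", "last_name": "Doe", "credit_card": "4111111111111111"},   # NPI
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},         # not NPI
    {"ssn": "123-45-6789"},                                                           # no name
]
SAMPLE_TEXT = (
    "Closing file for Jane Doe. SSN 123-45-6789 on the application; "
    "card on file 4111 1111 1111 1111. Order ref 1234 5678 9012 3456."
)


def demo() -> dict:
    """Run both checks over the constructed samples and return the findings."""
    return {
        "npi_records": [classify_record(r) for r in SAMPLE_RECORDS],
        "text_findings": scan_text(SAMPLE_TEXT),
    }


if __name__ == "__main__":
    print(demo())
```

The Luhn check matters in practice: the order reference in the sample text is also sixteen digits, and without the checksum a scanner would flag it as a card number and bury real findings in noise.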

ALTA Definitions

• Background Check: A background check is the process of compiling and reviewing both confidential and public employment, address, and criminal records of an individual or an organization. Background checks may be limited in geographic scope. This provision and use of these reports are subject to the limitations of federal and state law.

• Settlement: In some areas called a “closing.” The process of completing a real estate transaction in accordance with written instructions during which deeds, mortgages, leases and other required instruments are executed and/or delivered, an accounting between the parties is made, the funds are disbursed and the appropriate documents are recorded.


ALTA Pillar #3

• Best Practice: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.

• Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes:

• The procedures they employ to protect Non-public Personal Information. The program must:

1. Be appropriate to the Company's size and complexity,
2. Include the nature and scope of the Company's activities,
3. Address the sensitivity of the customer information the Company handles.

• A Company evaluates and adjusts its program in light of relevant circumstances, including changes in the Company’s business or operations, or the results of security testing and monitoring.


Safeguarding Basics: CIA Triad + NA

• Confidentiality – To prevent sensitive information from reaching the wrong people, while making sure that the right people can access it

• Integrity – Maintaining and assuring the accuracy, consistency and trustworthiness of data over its entire life-cycle

• Availability – The information must be available when it is needed

• Non-repudiation – Involves associating actions or changes to a unique individual

• Authentication – Ensure that the data, transactions, communications or documents (electronic or physical) are genuine

Special challenges for the CIA triad:

• Big data poses extra challenges to the CIA paradigm because of the sheer volume of information that needs to be safeguarded, the multiplicity of sources it comes from and the variety of formats in which it exists. Duplicate data sets and disaster recovery plans can multiply the already high costs.

– Furthermore, because the main concern of big data is collecting and making some kind of useful interpretation of all this information, responsible data oversight is often lacking.

– Whistleblower Edward Snowden brought that problem to the public forum when he reported on the NSA's collection of massive volumes of American citizens' personal data.

• Internet of Things (IoT) security is also a special challenge because the IoT consists of so many Internet-enabled devices other than computers, which often go unpatched and are often configured with default or weak passwords.

• Unless adequately protected, IoT things could be used as separate attack vectors or part of a thingbot. In a recent proof-of-concept exploit, for example, researchers demonstrated that a network could be compromised through a Wi-Fi-enabled light bulb.

– In December 2013, a researcher discovered that hundreds of thousands of spam emails were being logged through a security gateway. Proofpoint traced the attacks to a botnet made up of 100,000 hacked appliances.

8 Procedures to meet this best practice:

1) Physical security of Non-public Personal Information.
– Restrict access to Non-public Personal Information to authorized employees who have undergone Background Checks at hiring.
– Prohibit or control the use of removable media.
– Use only secure delivery methods when transmitting Non-public Personal Information.

2) Network security of Non-public Personal Information.
– Maintain and secure access to Company information technology.
– Develop guidelines for the appropriate use of Company information technology.
– Ensure secure collection and transmission of Non-public Personal Information.

3) Disposal of Non-public Personal Information.
– Federal law requires companies that possess Non-public Personal Information for a business purpose to dispose of such information properly in a manner that protects against unauthorized access to or use of the information.

4) Establish a disaster management plan.

5) Appropriate management and training of employees to help ensure compliance with Company's information security program.

6) Oversight of service providers to help ensure compliance with a Company's information security program.
– Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding Non-public Personal Information.

7) Audit and oversight procedures to help ensure compliance with Company's information security program.
– Companies should review their privacy and information security procedures to detect the potential for improper disclosure of confidential information.

8) Notification of security breaches to customers and law enforcement.
– Companies should post the privacy and information security program on their websites or provide program information directly to customers in another useable form. When a breach is detected, the Company should have a program to inform customers and law enforcement as required by law.

Best Practice Pillar 3 (BP3) Overview of Criteria

Section (number of questions):
1. INFORMATION SECURITY PROGRAM MANAGEMENT: 23
2. RISK IDENTIFICATION and ASSESSMENT: 11
3. EMPLOYEE TRAINING, MANAGEMENT and RESPONSIBILITIES: 11
4. INTERNAL INFORMATION SECURITY: 60
5. RETENTION and DESTRUCTION of PERSONAL INFORMATION: 8
6. OVERSEEING SERVICE PROVIDERS: 22
7. DATA BREACH INCIDENT REPORTING: 10
8. BUSINESS CONTINUITY and DISASTER RECOVERY: 12

Questionnaire contains 157 Total questions

BP#3 Assessment Instructions

Information Security Glossary

Term: Definition

Authentication: Process of identifying an individual, usually based on a username and password, which is a means to determine that individual is who he or she claims to be.

Change Management: Formal process for directing and controlling alterations to the information processing environment (includes alterations to desktop computers, the network, servers and software), with the objective of reducing the risks posed by changes to the information processing environment and improving the stability and reliability of the processing environment as changes are made.

Compensating Control: A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective (e.g., avoiding misstatements). Compensating controls are ordinarily controls performed to detect, rather than prevent, the original misstatement from occurring.

Control Exception: Instances where a control has been intentionally modified (e.g. to enhance functionality) or is not fully implemented.

Data Loss Prevention (DLP): Software that is designed to detect potential data breach / data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).

Encryption: The use of mathematical calculations and algorithmic schemes to transform plaintext into ciphertext, a form that is non-readable to unauthorized parties. The recipient of an encrypted message uses a key which triggers the algorithm mechanism to decrypt the data, transforming it to the original plaintext version.

Key Control: Control or controls that:
- provide reasonable assurance that material errors will be prevented or timely detected
- cover a risk of material misstatement (it is indispensable to cover its control objective)
- if it fails, it is highly improbable that another control could detect the control absence
- cover more than one risk or support a whole process execution
- must be tested to provide assurance

Risk Acceptance Procedures: Procedures and/or processes to document acceptance of risk; typically employed when an organization or individual risk owner has determined that the cost of managing a certain type of risk is acceptable, because the risk involved is not significant enough to warrant the added cost it would take to avoid that risk.

SSAE 16: SSAE 16, also called Statement on Standards for Attestation Engagements 16, is a regulation created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for redefining and updating how service companies report on compliance controls. The SSAE 16:
- requires the management of the service company to provide a written assertion to the auditor that their description accurately represents their organizational "system."
- is the reporting standard for all service auditors' reports from June 15th, 2011, and beyond.
SSAE 16 was preceded by SAS 70, which had been in effect since April 1992.

INFORMATION SECURITY PROGRAM MANAGEMENT

Corresponding Assessment Procedure

23 criteria; questions 1-10. Response columns for each question: YES / NO; Control/Procedure NOT Documented; Control/Procedure Compliance NOT Documented.

1. (3.01) Does your Company have a written Information Security and Privacy Policy and Program?

2. (3.01) Does your Company's Information Security and Privacy Policy specifically address the protection of Personal Information?

3. (3.07a) Does your Company conduct background checks on employees and temporary staff who have access to Personal Information?

4. (3.05) Has your Company created an Acceptable Use of Information Technology policy? This policy lays out the ways and circumstances under which employees may use Company owned technology (e.g., acceptable use of the Internet, email, and information resources).

5. (3.06) Does your Company have policies and procedures that restrict access to Personal Information to authorized employees (this is called logical access restrictions)? These restrictions can include password protection and should be applied to all systems including network, database, and individual application layers.

6. (3.08a) Has your Company created a policy and procedure restricting the use of removable media (e.g., USB ports, CD/DVD writeable drives)?

7. (3.07e) Does your Company require each employee to have a User ID and password for accessing your technology systems?

8. (3.07e) Does the password policy specify that user passwords should not contain common words, user ID, or first/last name?

9. (3.11b) Has your Company created a Clean Desk policy to ensure that files, documents and computer files containing Personal Information are stored in a secure manner when an employee leaves their workstation for the day or an extended period of time?

10. (3.17a) Has your Company created a Record Retention and Disposal policy? This policy should set out the minimum amount of time a file should be retained and require appropriate destruction of files.

INFORMATION SECURITY PROGRAM MANAGEMENT

• Background Checks – What kind? Criminal? Financial?

• Acceptable Use Policy – What can and can't an employee do

• Removable Media Policy – Is Read Only acceptable?

• Unique user ID (Non-repudiation) – Generic and default accounts should not be used, or should be monitored closely

• Clean Desk Policy – Public locations, cleaning staff, bonded, etc.

• Record Retention and Disposal Policy – Both paper and electronic – DOD wipe, Certificate of Destruction, smartphones

Insecure Communications - Email

Secure Communications - Email

• Secure Email
– Use HTTPS to encrypt
– Use TLS (Transport Layer Security)

• Other ways to send
– Compress it and password protect it: "Zip and Encrypt"
– Password protect documents (AES 256)

• Communicate the password "out-of-band"
– Call the person to share the secret
– Use Multi-factor authentication (MFA)
– Send the password in a different email (less secure)

INFORMATION SECURITY PROGRAM MANAGEMENT

Corresponding Assessment Procedure

23 criteria; questions 11-23. Response columns for each question: YES / NO; Control/Procedure NOT Documented; Control/Procedure Compliance NOT Documented.

11. (IS BP) Has the Information Security and Privacy policy been approved by Management or the Board of Directors?

12. (IS BP) Has the Information Security and Privacy policy been communicated and/or made available to all the company's staff and do you require all employees to acknowledge receipt of the policy?

13. (3.02) Does the Information Security and Privacy Policy emphasize the importance of security and the employees' roles in properly securing data?

14. (IS BP) Has your Company designated one employee (e.g. Privacy Officer) who is responsible for coordinating and overseeing the Information Security and Privacy policy? You may wish to create an Information Security Committee consisting of cross-functional representatives (e.g. Legal, Information Technology, Operations) to assist the Privacy Officer in providing direction and advice on the Information Security and Privacy Program.

15. (IS BP) Does your Information Security and Privacy Policy specify penalties for violation of the policy?

16. (IS BP) Does your Information Security and Privacy Policy have procedures for obtaining limited exceptions from the Information Security and Privacy Policy?

17. (3.01) On an annual basis, does the Privacy Officer or Information Security Committee review the Information Security and Privacy Policy and make updates to reflect changes in operations, legal and regulatory requirements, industry best practices, and available technology?

18. (3.01) Are changes in the Information Security and Privacy Policy recorded and tracked?

19. (3.15a) Has your Company developed a Customer Privacy Policy to be provided to each customer?

20. (3.15a) Do you track when your Privacy Policy is given to each customer?

21. (3.15b) Does your Privacy Policy touch on all the issues present in the Model Privacy Statement?

22. (3.16) Does your Company maintain a website?

23. (3.16ab) Does your Company website include the Privacy Statement? If so, what personal information is collected?

Tracking Requirements

• Develop an Exception Tracking Process
– Require valid business justifications for exceptions to policy
– Review exceptions on a periodic basis
– Evaluate the duration an exception can be considered valid
– Do NOT allow for permanent exceptions

• Typical exceptions can last from 1 month to 1 year. All exceptions should be reviewed annually for re-validation or removal from exemption status.

• Track the Privacy policy if it is required to be provided
– Automated approaches should be employed
– Ensure that all lines of business are involved so that no oversights occur
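The exception-tracking rules above (justification required, 1 month to 1 year, never permanent, re-validate or remove on review) are simple enough to enforce in the register itself rather than by memory. The following is an added example written for this page; it is not ALTA's code or a tool from the deck. The record layout, the 30/365-day reading of "1 month" and "1 year", the 30-day "expiring" warning window and the sample entries are assumptions constructed for the demo.

```python
"""
Policy exception register (added example; not from the ALTA slides or any ALTA tool).

Rules encoded from the slide: every exception needs a business justification,
an exception lasts between 1 month and 1 year, no exception is permanent, and
exceptions are re-validated or removed on review. The data structure, the
30/365-day bounds, the 30-day "expiring" window and the sample entries are
assumptions constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple, Union

MIN_DURATION = timedelta(days=30)      # "1 month", assumed as 30 days
MAX_DURATION = timedelta(days=365)     # "1 year", assumed as 365 days
EXPIRY_WARNING = timedelta(days=30)    # flag for re-validation this far before expiry

DateLike = Union[str, date]


def _as_date(value: DateLike) -> date:
    """Accept ISO strings ('2024-01-15') or date objects."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class PolicyException:
    exception_id: str
    policy: str
    justification: str
    granted: date
    expires: date


def register_exception(exception_id: str, policy: str, justification: str,
                       granted: DateLike, expires: Optional[DateLike]) -> PolicyException:
    """Validate and create an exception; raises ValueError when a slide rule is broken."""
    if not justification or not justification.strip():
        raise ValueError("a valid business justification is required")
    if expires is None:
        raise ValueError("permanent exceptions are not allowed")
    start, end = _as_date(granted), _as_date(expires)
    duration = end - start
    if duration < MIN_DURATION or duration > MAX_DURATION:
        raise ValueError("exception duration must be between 1 month and 1 year")
    return PolicyException(exception_id, policy, justification.strip(), start, end)


def review_status(exc: PolicyException, today: DateLike) -> str:
    """'expired' (remove), 'expiring' (re-validate or let lapse) or 'active'."""
    now = _as_date(today)
    if now >= exc.expires:
        return "expired"
    if exc.expires - now <= EXPIRY_WARNING:
        return "expiring"
    return "active"


def revalidate(exc: PolicyException, today: DateLike, new_expiry: DateLike) -> PolicyException:
    """Re-validation re-runs the duration rules from today, so nothing becomes permanent."""
    return register_exception(exc.exception_id, exc.policy, exc.justification, today, new_expiry)


def exceptions_needing_action(register: List[PolicyException],
                              today: DateLike) -> List[Tuple[str, str]]:
    """(id, status) for every exception that is expired or about to expire."""
    flagged = []
    for exc in register:
        status = review_status(exc, today)
        if status != "active":
            flagged.append((exc.exception_id, status))
    return flagged


def sample_register() -> List[PolicyException]:
    """Constructed entries for the demo."""
    return [
        register_exception("EX-1", "Removable media", "Vendor scanner requires USB import",
                           "2024-01-15", "2024-07-15"),
        register_exception("EX-2", "Clean desk", "Audit binders kept out during fieldwork",
                           "2024-06-01", "2024-09-15"),
        register_exception("EX-3", "Password rotation", "Legacy escrow app cannot enforce 90 days",
                           "2024-08-01", "2025-01-31"),
    ]


if __name__ == "__main__":
    for item in exceptions_needing_action(sample_register(), "2024-09-01"):
        print(item)
```

Because `revalidate` goes back through `register_exception`, an exception can only ever be extended in bounded steps; there is no code path that produces the permanent exception the slide rules out.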

RISK IDENTIFICATION and ASSESSMENT

Corresponding Assessment Procedure

11 criteria. Response columns for each question: YES / NO; Control/Procedure NOT Documented; Control/Procedure Compliance NOT Documented.

1. (3.03) On a regular basis, does your Company review your operations to identify and assess external and internal risk(s) to the Personal Information your Company stores? This assessment should review the types of Personal Information your company stores, the location of that information and how that information can be accessed by authorized and unauthorized users.

2. (3.03b) Does this risk assessment include thinking through individual internal and external risk and assessing their impact and likelihood? This could include thinking through which non-employees have access to your office and what information is stored in a networked computer, etc. (Threat Modeling)

3. (3.03a) Is this risk assessment performed on all locations, systems, and methods used for storing, processing, transmitting, and disposing of Personal Information? Critical areas for review can include, but are not limited to, employee training and management; information systems, including network and software design; information processing, storage and disposal; detecting, preventing and responding to attacks, intrusions or other system failures.

4. (3.03b) Does your Company account for unique risks presented by employee access to files outside of the office? This should consider the information's sensitivity and how the employee will access the material outside of the office.

5. (3.04) Are key controls that your Company has in place to prevent improper access of Personal Information identified as part of the risk assessment process?

6. (3.04) On a regular basis, are these key controls tested by an independent party? (Penetration Tests)

7. (3.04a) Does management review the results of this testing?

8. (3.04c) Are vulnerabilities noted and, where possible, changes made to your systems to reduce the risk?

9. (IS BP) Do you have a procedure for determining which risks cannot currently be addressed?

10. (3.04c) Are risk mitigation activities monitored and tracked?

11. (IS BP) Does the Privacy Officer work with stakeholders, as appropriate, to assess risks to Personal Information associated with information systems, including network and software design, information processing, and the storage, transmission and disposal of Personal Information?

Risk Assessments

• Measuring Risk – Risk can be determined as a product of threat, vulnerability and asset value

• Determine the Risk (Traditional approach)
– Risk = Likelihood * Impact

• Current Risk Management Framework
– Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value

• Choose a Framework
– NIST 800
– COBIT
– ISO 27000
– ITIL
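Both formulas on the slide become useful once they are applied to a whole register and the results ranked, because the two can disagree: two risks with the same likelihood-times-impact score can sit far apart once the control already in place is taken into account. The following is an added example written for this page, not ALTA's code or a risk tool from the deck. The 1-to-5 rating scales, the treatment of the countermeasure term as a divisor with a minimum of 1, and the three register entries are assumptions constructed for the demo.

```python
"""
Risk scoring with the two formulas from the slide (added example; not ALTA's code).

Assumed scales for the demo: likelihood, impact, vulnerability, threat and
countermeasure strength are each rated 1 (low) to 5 (high); asset value is in
arbitrary units. The register entries are constructed, not real findings.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class RiskItem:
    name: str
    likelihood: int
    impact: int
    vulnerability: int
    threat: int
    countermeasure: int   # strength of the control in place; 1 = none/weak, 5 = strong
    asset_value: float


def _check_scale(value: int, label: str) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be rated 1-5, got {value}")


def traditional_risk(item: RiskItem) -> float:
    """Risk = Likelihood * Impact"""
    _check_scale(item.likelihood, "likelihood")
    _check_scale(item.impact, "impact")
    return item.likelihood * item.impact


def framework_risk(item: RiskItem) -> float:
    """Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value

    Countermeasure is the divisor, so the 1-5 check also rules out division by
    zero: 'no control' is rated 1 and means 'no reduction', not infinity.
    """
    for value, label in ((item.vulnerability, "vulnerability"),
                         (item.threat, "threat"),
                         (item.countermeasure, "countermeasure")):
        _check_scale(value, label)
    return (item.vulnerability * item.threat) / item.countermeasure * item.asset_value


def rank_register(items: List[RiskItem],
                  scorer: Callable[[RiskItem], float]) -> List[Tuple[str, float]]:
    """(name, score) pairs, highest risk first; ties keep register order."""
    return sorted(((i.name, scorer(i)) for i in items), key=lambda pair: -pair[1])


def residual_risk(item: RiskItem, new_countermeasure: int) -> float:
    """Re-score after strengthening the control, e.g. to justify a remediation."""
    return framework_risk(replace(item, countermeasure=new_countermeasure))


# Constructed register: three illustrative risks to NPI in a settlement office.
REGISTER = [
    RiskItem("NPI copied to unencrypted USB drives", 4, 5, 5, 3, 1, 100.0),
    RiskItem("Phishing against closing staff", 5, 4, 3, 5, 3, 100.0),
    RiskItem("Tailgating into the server room", 2, 3, 2, 2, 4, 50.0),
]


if __name__ == "__main__":
    print("traditional:", rank_register(REGISTER, traditional_risk))
    print("framework:  ", rank_register(REGISTER, framework_risk))
```

On the constructed register the USB and phishing risks tie at 20 under likelihood-times-impact, but the framework formula scores the USB risk three times higher because nothing currently counters it; raising its countermeasure rating from 1 to 5 (for example, encrypted or blocked removable media, as in the Removable Media Policy discussed earlier) brings its residual score below the phishing risk.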

EMPLOYEE TRAINING, MANAGEMENT and RESPONSIBILITIES

Corresponding Assessment Procedure

11 criteria. Response columns for each question: YES / NO; Control/Procedure NOT Documented; Control/Procedure Compliance NOT Documented.

1. (IS BP) Are new employees and temporary contract personnel provided a copy of the Information Security and Privacy Policy as part of the hiring process?

2. (3.02) Are new employees and temporary contract personnel required to sign an attestation that they have read and understand the Information Security and Privacy Policy and the potential consequences of non-compliance, prior to accessing Personal Information?

3. (IS BP) Are new employees and temporary contract personnel provided their responsibilities under the Information Security and Privacy Policy as well as other applicable security policies and procedures, and the potential consequences of non-compliance?

4. (3.05) Do employees and temporary contract personnel certify, in writing, their acceptance of the Acceptable Use of Information Technology Assets policy (e.g., acceptable use of the Internet, email, and Company information resources)?

5. (3.05) Are employees and temporary contract personnel (as applicable) required to re-certify the Acceptable Use of Information Technology Assets policy (e.g., acceptable use of the Internet, email, and Company information resources) on a periodic basis (at least annually)?

6. (3.02) Are new employees provided training regarding the importance of information security and Personal Information during orientation that includes, but is not limited to, the proper use of computer information and passwords, control information and procedures to prevent Personal Information disclosure to unauthorized parties, and methods for proper disposal of documents containing Personal Information?

7. (3.02) Do company supervisors provide temporary workers with training regarding the identification and protection of Personal Information to protect against disclosure to unauthorized parties?

8. (3.01) Are employees and temporary contract personnel (as applicable) required to repeat Information Security and Personal Information training on a periodic basis (e.g. at least annually)?

9. (3.02) Is successful completion and refresh of Information Security and Personal Information training tracked and documented?

10. (3.01) Are training activities and documents modified, as circumstances dictate, based on the risks perceived, scope and types of activities, and access to Personal Information?

11. (3.07b) Does the Company have procedures for termination of employees who violate the Information Security and Privacy Policy?

EMPLOYEE TRAINING

INTERNAL INFORMATION SECURITY

Corresponding Assessment Procedure

60 criteria; questions 1-10. Response columns for each question: YES / NO; Control/Procedure NOT Documented; Control/Procedure Compliance NOT Documented.

1. (3.11a) Does your company have protections in place to prevent unauthorized access to physical files and systems storing or processing Personal Information?

2. (3.11a) If you have a data center or server room, is access restricted to only individuals whose access is necessary to perform legitimate business functions?

3. (3.07b) If you have badge or key fob access to your offices, are rights revoked upon employment termination?

4. (3.07d) Does your company review physical security requirements on an annual basis?

5. (IS BP) Have you reviewed and incorporated your contractual and legal requirements into your physical security?

6. (IS BP) Are restricted areas clearly identified with additional security measures (e.g., badge access or locked door) as appropriate to prevent unauthorized access?

7. (3.09b) Are security controls (password protection, encryption, etc.) for physical media used to prevent unauthorized access, misuse, or corruption of Personal Information while in transit?

8. (3.09a) Is encryption or password protection enabled for electronic media (email, database access, etc.) to protect Personal Information both while in motion (electronic transmission) and at rest (e.g., stored)?

9. (IS BP) Are employees required to report, immediately, the loss or theft of a laptop or other supported media device to applicable authorities (Information Technology or Privacy Officer)?

10. (IS BP) Is equipment stored offsite and protected in accordance with the data's sensitivity?

Data at Rest, Data in Motion, Data in Use

• Data at Rest
– On local PC hard drive
– In databases
– On network shares
– On tape backups

• Data in Motion
– From PC to server
– From web browser to website
– Business to business

• Data in Use
– In PC RAM
– In web browser cache

INTERNAL INFORMATION SECURITY

Corresponding Assessment Procedure

60 criteria; questions 11-20. Response columns for each question: YES / NO; Control/Procedure NOT Documented; Control/Procedure Compliance NOT Documented.

11. (3.09) Are security controls in place to protect the computer network, which considers the sensitivity of Personal Information?

12. (IS BP) Does the Privacy Officer on a regular basis update systems by, among other things, implementing patches or other software fixes designed to mitigate known security flaws?

13. (3.04) Are firewalls used to protect all network entry points?

14. (3.04) Have procedures and security controls been developed and implemented to safeguard network connections?

15. (3.09) Is a data loss prevention (DLP) tool or other system that monitors, backs up, and prevents unauthorized access to electronic files in place to protect Personal Information for all three stages of data (in use, in motion/transmission and at rest)?

16. (3.10a) Are network intrusion detection and prevention systems (firewall) in place to detect unauthorized intrusions into your network and systems from unknown sources?

17. (3.10b) Are network based intrusion detection and prevention systems configured to detect and log intrusion events and alert appropriate individuals?

18. (3.07e) Are unique user IDs issued to all individuals accessing systems that store or process Personal Information?

19. (3.07e) Are your systems containing Personal Information configured to record the user ID of people who access those files?

20. (IS BP) Do your systems lock or shut down a user's workstation or access after a defined period of inactivity and require a password be re-entered by the user before the session may be resumed?

INTERNAL INFORMATION SECURITY

Corresponding Assessment Procedure

60 criteria; questions 21-40. Response columns for each question: YES / NO; Control/Procedure NOT Documented; Control/Procedure Compliance NOT Documented.

21. (3.07d) Does your company determine employee access to Personal Information based on the employee's job functions and the sensitivity of the information?

22. (3.10c) Is access logging enabled for the Company's critical application and data storage servers?

23. (3.07e) Does your access logging capture important user events (system logon and logoff, data field changes)?

24. (3.10a) Are log files reviewed on a regular basis to detect security breaches?

25. (3.10a) Are system audit logs retained to assist in access control monitoring or investigations?

26. (IS BP) Does your access system prevent users from reusing any of their prior six passwords?

27. (IS BP) Does your access system require passwords that are at least six or more alphanumeric and special characters?

28. (IS BP) Does your access system lock out user accounts after five invalid login attempts?

29. (IS BP) Are users required to change their password regularly (every 90 or 180 days)?

30. (IS BP) Is network vulnerability testing performed regularly (monthly)?

31. (IS BP) Are vulnerability testing results documented and kept on file?

32. (IS BP) Are discovered vulnerabilities remediated with reasonable promptness with consideration given to the vulnerability's severity?

33. (IS BP) Are vulnerability mitigation efforts recorded and tracked?

34. (IS BP) Is anti-virus software installed and functioning on servers storing or processing Personal Information?

35. (IS BP) Is anti-virus software installed and functioning on user workstations/laptops?

36. (IS BP) Are anti-virus signature files kept up to date?

37. (IS BP) Is the anti-virus product configured to scan files when they are accessed/opened, including external media?

38. (3.07c) Do controls exist that prevent a user (even if they have administrative rights to their desktop) from disabling anti-virus software?

39. (IS BP) Is remote user access (VPN access) to networks only permitted for legitimate business purposes?

40. (3.07e) Does remote user access (VPN access) require authentication?
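Questions 26 through 29 (and question 8 of the first section) state the password rules concretely enough to implement, and an assessor answering YES should be able to point at exactly this kind of logic in the access system. The following is an added example written for this page, not ALTA's code or any product from the deck. It reads "six or more alphanumeric and special characters" as length of at least six with a letter, a digit and a special character present (an interpretation, since the question does not say); the common-word list, the sample user and the use of salted PBKDF2 for the stored password history are assumptions constructed for the demo.

```python
"""
Password policy checks and login lockout (added example; not ALTA's code).

Numeric rules come from the assessment questions: no reuse of the prior six
passwords, at least six characters mixing alphanumeric and special characters,
lockout after five invalid attempts, rotation every 90 days, and no common
words, user ID or first/last name in the password. The complexity reading,
the common-word list, the sample user and PBKDF2 history hashes are assumptions.
"""
import hashlib
import os
from datetime import date
from typing import List, Tuple, Union

MIN_LENGTH = 6
HISTORY_DEPTH = 6
LOCKOUT_THRESHOLD = 5
MAX_AGE_DAYS = 90
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "title", "closing")  # constructed


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for the password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hash_password(password, salt)[1] == digest


def check_password(candidate: str, user_id: str, first_name: str, last_name: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return violation codes; an empty list means the password is acceptable."""
    violations = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append("length")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate)):
        violations.append("complexity")
    if any(word in lowered for word in COMMON_WORDS):
        violations.append("common_word")
    if user_id.lower() in lowered:
        violations.append("user_id")
    if first_name.lower() in lowered or last_name.lower() in lowered:
        violations.append("name")
    # Only the most recent HISTORY_DEPTH entries count toward the reuse rule.
    if any(matches(candidate, entry) for entry in history[-HISTORY_DEPTH:]):
        violations.append("reuse")
    return violations


def needs_rotation(last_changed: Union[str, date], today: Union[str, date],
                   max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the rotation period (ISO strings accepted)."""
    to_date = lambda v: v if isinstance(v, date) else date.fromisoformat(v)
    return (to_date(today) - to_date(last_changed)).days > max_age_days


class LoginGuard:
    """Counts consecutive failures per user and locks the account at the threshold."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def attempt(self, user_id: str, credentials_ok: bool) -> str:
        """Outcome of one login attempt: 'ok', 'denied' or 'locked'."""
        if user_id in self.locked:
            return "locked"            # a correct password is still refused while locked
        if credentials_ok:
            self.failures.pop(user_id, None)   # success resets the failure counter
            return "ok"
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= self.threshold:
            self.locked.add(user_id)
            return "locked"
        return "denied"

    def unlock(self, user_id: str) -> None:
        """Administrative unlock (e.g. help desk after identity verification)."""
        self.locked.discard(user_id)
        self.failures.pop(user_id, None)
```

Returning a list of violation codes rather than a single boolean lets the application tell the user everything that is wrong at once, and lets an auditor map each code back to the question it satisfies. Note that the guard refuses a correct password while the account is locked; a lockout that is bypassed by the right password is not a lockout.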

Multi-Factor Authentication

INTERNAL INFORMATION SECURITY

37

Corresponding Assessment Procedure

60 criteria  Question Response Control/

Procedure NOT

Documented

Control/Procedure

Compliance NOT

Documented21‐40YES NO

3.07b 41 Has your Company created procedures to revoke user remote access when it is no longer needed?IS BP 42 Has management defined wireless devices security controls? 3.07e 43 Do wireless controls require user authentication to obtain network access via a wireless device?

3.12a 44 Does the Company test the technology prior to implementing new technology and updates to determine its ability to meet business needs?

3.12a 45 Are system modifications (hardware and software) consistent with the approved security program?

3.12a 46 Are system modifications documented, tested and approved in accordance with previously outlined business strategies and procedures?

3.07d 47 Is access to Personal Information limited to ensure that individuals with a legitimate business purpose obtain only the minimum access necessary to perform specific job functions?

3.07d 48 Are periodic reviews conducted of Personal Information user-access rights, with more frequent reviews occurring for those with privileged access rights?

3.07d 49 Has the Company created procedures to prevent unauthorized access to operating systems, data and services?

3.07c 50 Is “Separation of Duties” enforced in systems containing Personal Information so that users with the ability to add, modify and remove user access are not assigned to perform business transactions within the system?

Corresponding Assessment Procedure (continued; questions 51-60)

3.08b 51 If possible, has your Company configured your systems to restrict removable media access (restricting the use of USB ports, CD/DVD writable drives, etc.) in accordance with Policy?

3.07d 52 Are access privileges immediately reviewed and adjusted (revoked, expanded or decreased) any time an employee is terminated or changes job functions, and any time a contractor or third party severs its relationship with the Company?

3.07d 53 Does your policy require employees, contractors or other third parties to return hardware and software assigned to them upon their separation or termination?

3.01 54 Are employees required to maintain authentication security (passwords and access tokens) to secure computers and other office equipment?

IS BP 55 Are employees aware of their responsibilities to safeguard passwords and Personal Information?

IS BP 56 Do employees receive information explaining the need to promptly change any temporary or initial-use password, and to select and change all subsequent passwords in accordance with applicable password standards?

IS BP 57 Are employees required to report instances of compromised passwords, and to change possibly compromised passwords immediately?

IS BP 58 Are employees required to protect unattended computing equipment (physically secure the device or area, with a key lock or equivalent) before leaving it unattended?

IS BP 59 Are employees required to terminate active (logged-in) sessions before leaving a device unattended, unless it can be securely "locked" (with a password-protected screensaver)?

IS BP 60 Are employees required to report, immediately, Security Program violations (perceived or actual) to the Privacy Officer or appropriate supervisor?

Password Strength

[Slide images not captured. The slide shows results from https://howsecureismypassword.net/ for three passwords: Aud1t:, Aud1t!@ and Audit dog FFIEC. The crack times displayed are one hour, 23 seconds and 46 billion years: the fifteen-character passphrase outlasts both short passwords by many orders of magnitude, while the two short ones fall within an hour no matter how many digits and symbols they contain.]


RETENTION and DESTRUCTION of PERSONAL INFORMATION 


Corresponding Assessment Procedure (8 criteria; questions 1-8)

3.17a 1 Looking at your legal and contractual requirements, has your Company established a document retention and destruction policy?

3.17a 2 Does your policy set specific retention time frames or destroy-by dates for each type of Personal Information that your Company maintains? Destroy-by dates typically vary based on the type of information (financial or personal) and the last active use of the file containing the information.

3.17a 3 Does your Company inform applicable employees and contractors of their responsibilities regarding the handling, protection and destruction of Personal Information?

3.17a 4 Is Personal Information removed from equipment prior to disposal or reuse? This can involve wiping or purging of hard drives/tapes/removable media through an approved process.

3.17a 5 Are the hard drives/tapes/removable media destroyed through appropriate measures when equipment containing Personal Information is no longer usable? This can include physically destroying hard drives, or scratching the surfaces of and breaking into pieces other removable media such as disks and CD-ROMs.

3.17a 6 Are documents containing Personal Information destroyed by shredding or burning?

3.17a 7 Does your Company's Privacy Officer regularly review and update the disposal dates for your records?

3.17b 8 If document/electronic media disposal services are provided by a third party, are media destruction service level agreements (SLAs) included in the contract, and is the vendor required to submit a certificate of destruction?
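As an added example (not from the deck or from ALTA), the following Python script implements the mechanics behind questions 3.17a 2, 4 and 5: a retention schedule keyed by record class, a destroy-by date computed from last active use, and a wipe of expired files before they are removed. The retention periods, the use of file modification time as "last active use", and the directory layout are assumptions of the example; the sample files are constructed in a temporary directory. The caveat in wipe_file matters in practice: overwriting a file is not a reliable purge on SSDs, on journaling or snapshotting filesystems, or for anything that has already been backed up, which is why the assessment asks separately about wiping or purging the drive and about physical destruction.

```python
import os
import tempfile
from datetime import date, datetime, timedelta

# Assumed retention schedule in days per record class. ALTA does not prescribe these periods;
# a real schedule comes from the legal and contractual review that question 3.17a 1 asks for.
RETENTION_DAYS = {"financial": 7 * 365, "personal": 3 * 365}


def destroy_by(last_active, record_class):
    """Destroy-by date: last active use plus the retention period for the record class."""
    return last_active + timedelta(days=RETENTION_DAYS[record_class])


def is_expired(last_active, record_class, today):
    return today >= destroy_by(last_active, record_class)


def wipe_file(path, passes=1):
    """Overwrite the file's contents with random bytes, force them to disk, then unlink it.
    Caveat: this only covers the blocks the filesystem maps to the file right now. Wear
    levelling on SSDs, journaling, snapshots and backups all keep copies an overwrite never
    touches, so disposal of the media itself needs a drive-level purge or physical
    destruction (questions 3.17a 4 and 5), not this routine."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)


def sweep(root, today):
    """Walk root/<record_class>/..., using file modification time as a proxy for last active
    use (an assumption of the example), and wipe everything past its destroy-by date."""
    destroyed, retained = [], []
    for record_class in RETENTION_DAYS:
        class_dir = os.path.join(root, record_class)
        if not os.path.isdir(class_dir):
            continue
        for dirpath, _, files in os.walk(class_dir):
            for name in files:
                path = os.path.join(dirpath, name)
                last_active = date.fromtimestamp(os.path.getmtime(path))
                if is_expired(last_active, record_class, today):
                    wipe_file(path)
                    destroyed.append(path)
                else:
                    retained.append((path, destroy_by(last_active, record_class)))
    return destroyed, retained


def demo(today=date(2015, 1, 15)):
    """Build a constructed sample tree in a temp directory, run the sweep and report."""
    root = tempfile.mkdtemp(prefix="npi-retention-")
    samples = (
        ("financial/escrow-2005.pdf", date(2005, 6, 1)),   # long past its destroy-by date
        ("personal/borrower-2014.xml", date(2014, 11, 3)),  # still within retention
    )
    for rel_path, last_active in samples:
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample record containing Personal Information\n")
        stamp = datetime.combine(last_active, datetime.min.time()).timestamp()
        os.utime(path, (stamp, stamp))  # backdate mtime to simulate last active use
    destroyed, retained = sweep(root, today)
    relative = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    return {
        "destroyed": [relative(p) for p in destroyed],
        "retained": [(relative(p), d.isoformat()) for p, d in retained],
        "destroyed_gone": all(not os.path.exists(p) for p in destroyed),
        "retained_present": all(os.path.exists(p) for p, _ in retained),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as-is it reports that the 2005 financial record was wiped and the 2014 personal record is retained until 2017-11-02; the destroyed and retained lists are the evidence a Privacy Officer would keep for question 3.17a 7.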


OVERSEEING SERVICE PROVIDERS


Corresponding Assessment Procedure (22 criteria; questions 1-10)

3.14 1 Does your Company provide access to Personal Information to any service providers or other third parties (such as independent abstractors or attorneys)?

3.14a 2 Is reasonable due diligence conducted on these third-party service providers prior to hiring to determine their ability to provide the contracted service and meet privacy requirements?

3.14a 3 Do your Company's due diligence practices include a review of the third-party service provider’s information security practices, financial resources and references?

3.14a 4 Do you request to review a service provider's outside audits or Statement on Standards for Attestation Engagements (SSAE 16) reports (if any), or conduct your own audit of their operations, to determine their ability to provide the contracted service and meet privacy requirements? (SSAE 16 has since been superseded by SSAE 18; the equivalent reports to request today are SOC 1 and SOC 2 Type II.)

IS BP 5 Once you engage a service provider, do you designate an employee to coordinate with the service provider?

IS BP 6 Does this designated employee monitor the service provider's performance on a regular basis to determine whether the provider is continuing to provide the contracted service and meet privacy requirements?

IS BP 7 Does your contract with the service provider include provisions establishing appropriate performance and privacy requirements, with appropriate remedies when you discover that the provider is not meeting these targets?

3.14b 8 Are service providers (and subcontractors) required to implement and maintain appropriate information security safeguards for Personal Information?

3.14b 9 Are written assurances (either in the services agreement or a standalone confidentiality agreement) obtained from each third-party provider regarding the handling of Personal Information?

3.14b 10 Are service providers (and subcontractors) required to maintain a comprehensive written information security program, which includes physical and other security measures?

Corresponding Assessment Procedure (continued; questions 11-22)

IS BP 11 Are service providers (and subcontractors) required to provide an Acceptable Use Policy or Procedures (i.e., email, internet, instant messaging, document handling)?

IS BP 12 Are service providers (and subcontractors) required to provide a Password Policy?

IS BP 13 Are service providers (and subcontractors) required to provide Business Continuity and Disaster Recovery policy?

IS BP 14 Are service providers (and subcontractors) required to provide procedures for monitoring and detecting attacks on information systems?

IS BP 15 Are service providers (and subcontractors) required to provide an Incident Response Plan or procedures?

IS BP 16 Are service providers (and subcontractors) required to provide Information Classification, Handling, and Destruction Policy or procedures?

IS BP 17 Are service providers (and subcontractors) required to provide a Log Review Policy or procedures?

IS BP 18 Are service providers (and subcontractors) required to provide a Business Continuity/Disaster Recovery Plan?

IS BP 19 Are service providers (and subcontractors) required to provide Change Management procedures?

3.07a 20 Are service providers (and subcontractors) required to undergo a background investigation or provide evidentiary support of a successful background investigation?

IS BP 21 Are service providers (and subcontractors) required to provide immediate notification to the Company following discovery of any breach or suspected breach involving Personal Information?

IS BP 22 Are service providers (and subcontractors) required to provide proof of insurance (Insurance rider or agreement showing coverage types and amounts)?


DATA BREACH INCIDENT REPORTING


Corresponding Assessment Procedure (10 criteria; questions 1-10)

3.10 1 Does your Company outsource monitoring of external threats to your computer network?

3.10a 2 Are procedures in place to monitor and detect attacks/intrusions into systems containing Personal Information?

3.10c 3 Does your Company have a policy and procedures to report the intentional and unintentional release or breach of Personal Information in accordance with applicable legal and regulatory requirements?

3.10a 4 Does your Company have a written security incident or data breach response plan?

3.10c 5 Has the incident response plan been distributed to the appropriate employees and outside service providers?

3.10a 6 Does the plan describe how actual and suspected data-breach incidents are to be reported, investigated, and handled?

3.10a 7 Has the Company created incident-management procedures to collect incident-related data when a breach occurs? This could include audit trails, access logs, etc.

3.10b 8 Does the Company monitor and internally escalate security incidents to management as needed?

3.10a 9 Is there a formal disciplinary process for violation of organizational security policies and procedures by employees, temporary employees, and contractors?

3.09 10 Are procedures and/or tools (e.g., data loss prevention, encryption) implemented to reduce the risk of Personal Information disclosure (intentional or unintentional)?
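The following Python script is an added example (not the deck's own content) covering the log review asked for in questions 3.10a 24 and 3.10a 2 and the lockout criterion of IS BP 28. It parses constructed access-log lines in the event shapes question 23 lists (logon, logoff, data-field changes), counts failed logons per user and source in a sliding window, raises an alert when the five-failure lockout threshold is reached and a higher-priority one when a successful logon follows such a burst, and flags changes to a watchlisted field. The log format, the ten-minute window, the users and addresses, and the choice of wire_instructions as a watchlisted field are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log in the event shapes question 23 asks for (logon, logoff,
# data-field changes). The format, users and addresses are assumptions of this example.
SAMPLE_LOG = """\
2014-09-02T08:00:01 LOGIN_FAIL user=jsmith src=203.0.113.7
2014-09-02T08:00:05 LOGIN_FAIL user=jsmith src=203.0.113.7
2014-09-02T08:00:09 LOGIN_FAIL user=jsmith src=203.0.113.7
2014-09-02T08:00:14 LOGIN_FAIL user=jsmith src=203.0.113.7
2014-09-02T08:00:20 LOGIN_FAIL user=jsmith src=203.0.113.7
2014-09-02T08:00:31 LOGIN_OK user=jsmith src=203.0.113.7
2014-09-02T08:04:10 LOGIN_FAIL user=mlee src=192.0.2.10
2014-09-02T08:04:25 LOGIN_OK user=mlee src=192.0.2.10
2014-09-02T08:06:00 FIELD_CHANGE user=mlee src=192.0.2.10 record=ESC-4471 field=wire_instructions
2014-09-02T08:30:00 LOGOFF user=mlee src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|LOGOFF|FIELD_CHANGE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?P<rest>.*)$"
)

LOCKOUT_THRESHOLD = 5                    # IS BP 28: five invalid attempts
WINDOW = timedelta(minutes=10)           # assumed counting window
WATCHED_FIELDS = {"wire_instructions"}   # assumed watchlist of high-risk data fields


def parse(line):
    """Turn one log line into a dict, or None if it does not match the expected shape."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["fields"] = dict(kv.split("=", 1) for kv in event.pop("rest").split() if "=" in kv)
    return event


def analyze(log_text):
    """Return alerts as (kind, user, src, timestamp) tuples in log order."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failed logons
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        key = (event["user"], event["src"])
        recent = failures[key]
        while recent and event["ts"] - recent[0] > WINDOW:  # drop failures outside the window
            recent.popleft()
        stamp = event["ts"].isoformat()
        if event["event"] == "LOGIN_FAIL":
            recent.append(event["ts"])
            if len(recent) == LOCKOUT_THRESHOLD:  # the account should now be locked out
                alerts.append(("lockout_threshold", event["user"], event["src"], stamp))
        elif event["event"] == "LOGIN_OK":
            if len(recent) >= LOCKOUT_THRESHOLD:  # success right after a burst: possible compromise
                alerts.append(("success_after_failures", event["user"], event["src"], stamp))
            recent.clear()
        elif event["event"] == "FIELD_CHANGE" and event["fields"].get("field") in WATCHED_FIELDS:
            alerts.append(("watched_field_change", event["user"], event["src"], stamp))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The alerts carry user, source and timestamp so that the incident record question 3.10a 7 asks for can be assembled from the same log lines that triggered them; a real deployment would also confirm that the lockout actually happened, since a "lockout_threshold" alert followed by "success_after_failures" means either the lockout is not enforced or the attacker moved to a valid credential.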


State Laws relating to Personal Information


• Under the Florida Information Protection Act of 2014 (FIPA), any covered entity or third‐party agent must now report electronic breaches affecting 500 or more individuals to the Florida Department of Legal Affairs, and notify affected consumers, within 30 days.

• Documents to be sent in the notification include:
  • A police report, incident report, or computer forensics report
  • A copy of the policies in place regarding breaches
  • Steps that have been taken to rectify the breach

• At the time of this presentation (2014), 47 states had enacted data breach notification statutes, but Florida was one of only seven whose laws set a specific time period for alerting potential victims.

• Check and know your local state laws related to notification and reporting obligations.


BUSINESS CONTINUITY and DISASTER RECOVERY


Corresponding Assessment Procedure (12 criteria; questions 1-12)

3.13 1 Is a business continuity and disaster recovery plan included in the Company's Information Security and Privacy Plan?

3.13 2 Does the business continuity and disaster recovery plan address the timely resumption from and, if possible, prevention of interruptions to business activities and processes caused by information-system failures?

3.13 3 Does your business continuity and disaster recovery plan address protection and recovery of physical facilities and equipment from loss, damage, theft, or compromise?

IS BP 4 Does your business continuity and disaster recovery plan address recovery of electronic data from loss, damage, theft, or compromise?

3.13 5 Are your business continuity and disaster recovery plans formally documented?

3.13 6 Has the Company created business continuity plans for all critical business processes?

3.13 7 Are business continuity plans distributed to all individuals who would require them in case of an emergency?

3.13 8 Do these plans include detailed, up-to-date contact information for key individuals required for executing the plan?

3.13 9 Do business continuity plans include a schedule of principal tasks to be completed, responsibilities for each task, and a list of services to be recovered?

3.13 10 Does the business continuity plan prioritize the services to be recovered based on importance?

3.13 11 Are business continuity plans periodically tested, with results documented?

IS BP 12 Does the business continuity plan account for the loss of critical vendors?


Questions or Feedback?

Email: [email protected]
