Introduction
This checklist will assist in-house counsel, private practitioners, and compliance professionals who are involved in overseeing or conducting a data and information security risk assessment for their organization. A data and information security risk assessment is used to determine the likelihood of an attack against a business and the potential impact a cyberattack could have on a company’s reputation, finances, and overall business health.
These risk assessments help protect against data breaches, give the organization data to analyze to prioritize improvements to organizational security, and also help guide the investments needed to achieve adequate protection.
The checklist covers the following steps:
- Assess the organization’s data and information security environment
- Evaluate physical safeguards
- Evaluate technological controls
- Evaluate administrative safeguards
- Review findings and make modifications
The checklist is presented as a list of requirements that you can check off as they are addressed in conducting your assessment. At the end of each step, there are explanatory notes corresponding with each requirement in the checklist.
This checklist should be used in conjunction with How-to Guides: How to develop, implement and maintain a US information and data security compliance program and How to determine and apply the relevant US privacy laws to your organization and Checklist: Completing a data privacy risk assessment.
Step 1 – Assess the organization’s data and information security environment
| No. | Requirement |
| --- | --- |
| 1.1 | Identify information security assets |
| 1.2 | Identify sensitive, private, and confidential data |
| 1.3 | Map flow, use, and access to data |
| 1.4 | Develop list of threats, vulnerabilities, and risks |
Step 2 – Evaluate physical safeguards
| No. | Requirement |
| --- | --- |
| 2.1 | Assess building security |
| 2.2 | Evaluate access controls |
| 2.3 | Check if computers, servers, and other technology are in non-public areas |
| 2.4 | Determine whether access to physical computer control area is restricted |
| 2.5 | Evaluate protection from environmental threats |
| 2.6 | Assess disposal methods of surplus or unused devices |
Step 3 – Evaluate technological controls
| No. | Requirement |
| --- | --- |
| 3.1 | Evaluate logical access controls |
| 3.2 | Evaluate password requirements |
| 3.3 | Evaluate user monitoring controls |
| 3.4 | Evaluate software update controls |
| 3.5 | Evaluate network segmentation |
| 3.6 | Evaluate encryption controls |
| 3.7 | Evaluate multilayer and zero-trust security control options |
| 3.8 | Evaluate controls for personal devices |
| 3.9 | Evaluate ‘remote-wipe’ capabilities |
| 3.10 | Evaluate data backup controls |
| 3.11 | Evaluate data loss prevention software |
Step 4 – Evaluate administrative safeguards
| No. | Requirement |
| --- | --- |
| 4.1 | Conduct background checks for employees, contractors, and third parties |
| 4.2 | Review policies and procedures |
| 4.3 | Review security training provided |
| 4.4 | Review incident response plan |
| 4.5 | Review insurance policies |
Step 5 – Review findings and make modifications
| No. | Requirement |
| --- | --- |
| 5.1 | Review risk evaluation findings |
| 5.2 | Identify areas beyond organization’s risk tolerance |
| 5.3 | Make appropriate changes to data and information security policies and procedures |
General Notes
Legal framework
Every organization is concerned about cybersecurity and privacy. In the face of unrelenting and ever-sophisticated assaults on computer systems and attempts to breach data security, keeping sensitive data secret, intellectual property proprietary, and vital business systems up and running might seem practically impossible. Every organization should have a plan for protection against cybersecurity attacks.
Following an established framework for data and information security can provide a common set of fundamental program functions with unique components that help guide the organization to greater security. A framework should be written in clear, concise language, and should be designed so that even those just beginning their cybersecurity program can use it. One example of such a program is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which has quickly become one of the most widely employed cybersecurity frameworks in the United States. Others include the ISO/IEC 27001, CIS Controls v8, SOC 2, and CMMC 2.0.
Specific to financial institutions, the FTC has issued the Safeguards Rule, requiring compliance with the rule by June 9, 2023. An integral part of the Rule is developing a written risk assessment of the information security programs.
What is a data and information security risk assessment?
The process of detecting, correcting, and preventing security issues is known as information security risk management. Risk assessment is an important aspect of an organization’s risk management strategy.
The process of identifying and analyzing risks for assets that could be compromised by cyberattacks is known as a data and information security risk assessment. In essence, the organization should do the following:
- analyze both internal and external threats;
- assess their potential impact on data availability, confidentiality, and integrity; and
- determine the potential costs of a cybersecurity incident.
Using this information, the company may customize cybersecurity and data protection controls to fit the organization’s actual risk tolerance.
Importance of conducting a data and information security risk assessment
Conducting a thorough data and information security risk assessment on a regular basis will help the organization develop a solid foundation for business success.
In particular, an assessment enables the organization to:
- identify and subsequently remediate any gaps in IT security;
- prevent data breaches;
- select the appropriate controls and protocols to effectively mitigate risks;
- prioritize the preservation of assets that have the greatest value and highest risk;
- eliminate unnecessary or obsolete control measures;
- evaluate potential security partners;
- establish, maintain and demonstrate compliance with regulations; and
- accurately forecast future security needs.
The risk assessment process is an information-gathering activity of the as-implemented state of the system or common controls, used to facilitate security- or privacy-producing activities, and to adapt those activities to the particular circumstances of the organization. The organization must determine the most cost-effective way to implement the findings of the risk assessment, and consider the maturity and quality level of the organization’s risk management processes.
Step 1 – Assess organization’s data and information security environment
1.1 Identify information security assets
When conducting a risk assessment of an information security framework, one of the first things the organization must do is identify their information assets. Any information that is valuable to the organization is considered an information asset. An asset-based risk assessment starts with an asset register, which is a document that lists all the locations where information assets are kept.
Interviewing asset owners is the most effective technique to identify assets. The asset owner is the person or stakeholder in charge of an information asset’s creation, development, maintenance, use, and security.
1.2 Identify sensitive, private, and confidential data
In this guide, the term ‘sensitive data’ refers to information that calls for a heightened level of safeguarding from unauthorized access. This type of data includes information that is private, confidential, legally protected, or proprietary.
Sensitive data includes:
- data that exposes an individual's ethnic or racial origin, religious or philosophical beliefs, or political opinions;
- data that reveals a person's membership of a trade union;
- genetic and biometric data that can be used to identify an individual;
- medical or health-related data;
- data about a person’s sexual orientation or sex life;
- financial information – credit card numbers, bank account information, and social security numbers;
- government information – any document held as secret or top secret, restricted, or that could be deemed a breach of confidentiality if leaked or released;
- business information – accounting data, financial statements or accounts, trade secrets, and any other types of sensitive information contained within business plans (eg lists of customers or potential customers);
- personal information – addresses, driver’s license numbers, or phone numbers;
- privileged information – any type of information that is protected by an evidentiary privilege (eg memoranda containing legal advice).
It is generally the responsibility of the organization that has collected the data to protect it from unauthorized access.
1.3 Map flow, use, and access to data
An organization must be aware of the types of personal data it handles and ensure that the data is processed in line with the law. You should map data and information flows in order to assess privacy risks. Data mapping is critical because organizations typically process far more data than they realize, and this data might be stored in an insecure manner or copied in many formats. To map the organization’s data efficiently, you must first decipher the information flow, define it, and determine its key elements. This involves looking at the ways data is transferred or disseminated, and identifying the likely or probable recipients of that information.
1.4 Develop list of threats, vulnerabilities, and risks
When doing a risk assessment, a list of threats, vulnerabilities, and risks should be developed and taken into account. The list also helps to clarify the distinction between threats and vulnerabilities. A threat is any incident that could negatively affect the confidentiality, integrity, or availability of an asset. A vulnerability is an organizational flaw that can be exploited by a threat to destroy, damage, or compromise an asset.
Step 2 – Evaluate physical safeguards
According to NIST, physical safeguards are security measures that help physically protect an organization’s data, such as using locks on doors of areas that contain computer servers.
Physical safeguards protect personnel, hardware, software, networks, and data from physical acts or events that might result in significant loss or harm to an organization. These potential acts or events could include fire, flood, and natural catastrophes, as well as criminal acts such as burglary, theft, vandalism, and terrorism. Physical security’s emphasis on damage prevention prevents time, money, and resources from being wasted as a result of these incidents.
2.1 Assess building security
For most physical security systems, the building in which the system is located is the first line of defense. Fencing, gates, walls, and doors all serve as physical barriers against criminal access. Additional locks, barbed wire, visible security measures, and signage all help to limit potential exposure to random cybercrime attempts.
2.2 Evaluate access controls
Limiting and controlling who has access to sites, facilities, and materials is critical to enhancing physical security measures. ‘Access control’ refers to the steps taken to ensure that only authorized personnel are permitted to have access to specified assets. Physical access control is a set of policies put in place to limit who is granted access to a physical location or control area. For example, ID badges or keypads, and security guards to ensure the proper use of those devices, are common examples of physical access control. The measures used will depend on the size of the organization and of a particular facility, and on the nature of the data protected.
2.3 Check if computers, servers, and other technology are in non-public areas
If possible, all computers, servers, and other technology should be kept in non-public areas. This provides a preliminary level of physical access control to prevent customers or other members of the public from gaining physical access to these devices.
2.4 Determine whether access to physical computer control area is restricted
As unauthorized access can provide access to an entire system, not just a single computer, physical access to computer control areas should be subject to heightened levels of access restrictions. Potentially, unauthorized access could result in system-wide damage or data misappropriation.
2.5 Evaluate protection from environmental threats
Consider natural and man-made threats when evaluating whether the current physical security controls adequately protect against potential threats relating to the organization’s physical location. Examples of these types of threats include the following:
- earthquakes and flooding;
- burglary;
- civil disorder;
- unauthorized interception of communications;
- damage from nearby activities, such as toxic chemical spills, explosions, fires; and
- electromagnetic interference from emitters such as radars.
Certain locations will inherently have higher risks of these types of environmental hazards.
2.6 Assess disposal methods of surplus or unused devices
It is important to assess how surplus or unused computers, smartphones, hard drives, media cards and other devices are disposed of. Computers, smartphones, and cameras enable the organization to retain a wealth of data. However, when employees dispose of, give away, or recycle a device, the organization risks unwittingly disclosing important information to cybercriminals. The US Cybersecurity & Infrastructure Security Agency (CISA) provides excellent guidance on the proper disposal of electronic devices, as outlined below.
- Deleting data – removing data from devices can be one method of sanitization. When the organization deletes files from a device, data remains on the media even after a delete or format command is executed, although the files may appear to have been removed. Therefore, organizations should not rely solely on the deletion method, such as moving a file to the recycle or trash bin, or selecting ‘delete’ from a menu. Even if the employee empties the device ‘trash,’ the deleted files are still on the device and can be retrieved.
- Overwriting – another method of sanitization involves deleting sensitive information and writing new binary data over it. The use of random data, as opposed to easily identifiable patterns, makes it more difficult for attackers to discover the original information underneath.
- Destruction – physically destroying a device is the ultimate means to prevent others from retrieving the data on the device. Specialized services are available that can disintegrate, burn, melt, or otherwise destroy your computer hard drive or other devices. These sanitization methods destroy data by destroying the media on which the data is stored. They are usually carried out at a licensed incineration facility or an outsourced metal destruction facility.
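The overwriting method described above, as an added example for this checklist (not CISA’s or the guide’s own code): each byte of a file is replaced with random data from `os.urandom` for a configurable number of passes, each pass is flushed to the device before the next, and only then is the file unlinked. The file contents and the `demo` function are constructed for illustration; the function names are this example’s own.

```python
import os
import tempfile


def overwrite_file(path: str, passes: int = 1, chunk_size: int = 1 << 16) -> int:
    """Overwrite every byte of `path` in place with random data, `passes` times.
    Random bytes are used rather than a fixed pattern, as the CISA guidance
    quoted in the checklist recommends. Returns the number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(os.urandom(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    return written


def sanitize_file(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. Caveat: on SSDs, wear-levelled flash, copy-on-write
    or journaling filesystems, and cloud block storage, in-place overwriting does
    not guarantee that the old blocks are gone; for those media use the drive's
    built-in secure erase, crypto-erase, or physical destruction instead."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo() -> dict:
    """Constructed demonstration: a temp file holds a fake secret; we check that the
    marker is readable before overwriting, unreadable after one pass, and that the
    file is gone after sanitization."""
    marker = b"CONSTRUCTED-SECRET: account 1234-5678\n"  # constructed, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 100)
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        visible_before = marker in fh.read()
    overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        visible_after = marker in fh.read()
    written = sanitize_file(path, passes=2)
    return {
        "size": size,
        "visible_before": visible_before,
        "visible_after": visible_after,
        "bytes_written": written,
        "exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat in `sanitize_file` is the point a reviewer of the disposal process should press on: overwriting only sanitizes media where a write actually replaces the previous bytes in place, so the assessment should record the storage type of each device before accepting overwriting as the disposal method.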
Step 3 – Evaluate technological controls
Technological access controls are the technical means of controlling what information users can utilize, the programs they can run, and the modifications to software or systems they can make. When determining what kind of technical access will be allowed to data, programs, devices, or resources, consider who will have access and what kind of access they will be allowed, as well as the purposes for which they will be allowed access.
3.1 Evaluate logical access controls
Access refers to the capability to do something with a computer resource. This usually amounts to a technical ability (eg, reading, modifying, creating, or deleting a file, executing a program, or using an external connection). Access control is the means by which the ability is explicitly enabled or restricted in some way. Computer-based access controls are called logical access controls. Logical access controls can prescribe not only who or what (eg, in the case of a process) is to have access to a specific system resource but also the type of access that is permitted.
3.2 Evaluate password requirements
User authentication is frequently related to passwords. User authentication is utilized to safeguard data and programs on a wide range of devices. Because authentication is already integrated in a wide range of applications, password-based access control is frequently economical. On the other hand, if a user has access to the operating system, password-based access restrictions for PC programs are often easy to circumvent.
NIST’s Digital Identity Guidelines say that the focus should be on length, as opposed to complexity, when designing a password. For example, NIST requires an eight-character minimum for passwords.
3.3 Evaluate user monitoring controls
Use a monitoring system, such as a user monitoring software program, to track system users’ activities and send alerts regarding suspicious activity (eg, attempts to access parts of a system outside of a user’s permissions). These controls help avoid unauthorized data access and provide tools to track down the source of security breaches.
3.4 Evaluate software update controls
Software updates are a critical element of system security. If the organization fails to keep business computers and systems updated properly, the organization increases vulnerabilities and exposure to cyberattacks.
The most critical reason to update software is to fix security problems as quickly as possible. Cybercriminals spend endless hours searching for flaws in the most popular and extensively used software programs. They use these flaws to attack and infect computer systems, as well as to steal or ‘kidnap’ sensitive data by encrypting it and demanding a ransom to decrypt it. Keeping the organization’s computer systems up to date is a crucial step in ensuring an organization is protected against cybercrime.
3.5 Evaluate network segmentation
Network segmentation is an architectural technique that divides a network into many segments or subnets, each of which functions as its own separate network. Segmentation allows network managers to implement granular policies to govern traffic flow between subnets. Segmentation is often used by organizations to increase monitoring, enhance network performance, pinpoint technical faults, and, most critically, enhance security.
Network segmentation is a powerful tool for preventing unauthorized users from gaining access to valuable information assets such as customers’ personal information, corporate financial records, and highly confidential intellectual property.
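A segmentation policy of the kind described above, as an added example (not code from the checklist or from any vendor): segments are defined as subnets, cross-segment traffic is denied unless an explicit rule allows it, and one segment (guest Wi-Fi) is additionally isolated so that its clients cannot talk to each other. The segment names, addresses (RFC 1918 ranges), rules, and sample flows are all constructed for illustration.

```python
import ipaddress

# Constructed segment map: name -> subnet. Assumed layout, not any real network.
SEGMENTS = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "finance_db": ipaddress.ip_network("10.30.0.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.100.0/24"),
}

# Allowed cross-segment flows: (source segment, destination segment, dst port).
# Anything not listed is denied (default deny between segments).
ALLOWED_FLOWS = {
    ("user_lan", "servers", 443),      # staff reach internal web applications
    ("servers", "finance_db", 5432),   # only application servers reach the finance DB
}

# Segments where even host-to-host traffic inside the segment is denied
# (client isolation, typical for guest networks).
ISOLATED_SEGMENTS = {"guest_wifi"}


def segment_of(addr: str):
    """Return the segment name containing `addr`, or None if it is outside all segments."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def is_allowed(src: str, dst: str, port: int):
    """Evaluate one flow. Returns (decision, reason)."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return False, "address outside any defined segment"
    if s == d:
        if s in ISOLATED_SEGMENTS:
            return False, f"client isolation enforced within {s}"
        return True, f"intra-segment traffic within {s}"
    if (s, d, port) in ALLOWED_FLOWS:
        return True, f"policy permits {s} -> {d} on port {port}"
    return False, f"no rule for {s} -> {d} on port {port}"


def audit(flows):
    """Return the flows (src, dst, port, reason) that the policy would deny.
    Useful for checking observed traffic (e.g. from flow logs) against the design."""
    denied = []
    for src, dst, port in flows:
        ok, reason = is_allowed(src, dst, port)
        if not ok:
            denied.append((src, dst, port, reason))
    return denied


# Constructed sample flows, as a flow collector might report them.
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.15", 443),            # staff -> app server: allowed
    ("10.20.0.15", "10.30.0.5", 5432),           # app server -> finance DB: allowed
    ("10.10.4.7", "10.30.0.5", 5432),            # staff straight to finance DB: denied
    ("192.168.100.23", "10.20.0.15", 443),       # guest -> servers: denied
    ("192.168.100.23", "192.168.100.24", 445),   # guest -> guest: denied by isolation
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_FLOWS):
        print("DENY", entry)
```

Running `audit` over exported flow records is a practical way to test the segmentation the assessment documents against what the network actually carries: every denied entry that nevertheless appears in real traffic is either a policy gap or an enforcement gap.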
3.6 Evaluate encryption controls
NIST’s Security Guidelines for Storage Infrastructure define encryption as ‘the conversion of data from a readable form (ie, plaintext) into an unreadable form (i.e., ciphertext) that cannot be easily understood by unauthorized people. In storage systems, the encryption of sensitive information should be implemented end to end.’ ‘End to end’ means that the data may only be read by the sender and the recipient; it is encrypted and unreadable at all points in its transmission between sender and recipient.
When analyzing data at rest (ie, housed physically on data storage), include access permissions, labels, pathways, and journaling information in a complete strategy. This strategy should include not just the material itself, but also metadata. With data in transit, unless the entire communication media is within a protected environment such as a data center, data should be encrypted when it is transferred between storage elements and in transit throughout the network.
‘Administrative access’ involves connections to set up or control storage elements, storage networking, and data using standard and customized protocols and Application Programming Interfaces (APIs).
Cryptographic keys are necessary for encryption to work. A cryptographic key is the string of letters or numbers used by an encryption algorithm to make the data appear to be random. The required cryptographic keys, which must be generated, distributed, and, ultimately, disposed of, should be made accessible to all communicating parties.
3.7 Evaluate multilayer and zero-trust security control options
‘Layered security’ refers to the protection of digital assets across many layers, each of which provides an extra layer of defense. Multilayer security involves processing information with different categories or classifications to simultaneously allow access to users with various security clearances while also denying access to users who lack proper authorization.
Traditionally, layered security has been the go-to security model. However, with an increase in remote working and cloud-based computing, IT experts are increasingly recommending zero-trust models. In a zero-trust model, no heightened trust is given to certain classifications of users. In other words, all users are treated the same and must be continually validated.
Consult your IT department to determine the best approach for your organization.
3.8 Evaluate controls for personal devices
Personal device controls for organizational employees are also known as Bring Your Own Device (BYOD) controls. BYOD refers to the common practice of employers permitting employees to use their personal devices for work purposes. Under BYOD, corporate resources and data that can be accessed or saved on an employee’s device are owned by the organization, but the device itself remains the user’s property. The effectiveness of BYOD data protection controls depends on the following:
- how extensively the device can be managed (ie, how much this is allowed by the owner); and
- how well considerations of usability have been balanced with security.
3.9 Evaluate ‘remote-wipe’ capabilities
A system feature or software solution that allows the organization’s administrator to remotely wipe and destroy data on a device or system is known as a ‘remote wipe.’ This functionality is common in mobile device management, and most complete risk management solutions have a remote wipe option. Remote wipe can solve security problems in BYOD regulations and security vulnerabilities in distributed enterprise computer networks. NIST SP 1800-22, Mobile Device Security: Bring Your Own Device (draft practice guide), is a useful resource for developing device security standards.
3.10 Evaluate data backup controls
Here are just a few of the threats that a backup plan protects data from: hardware failures, human error, cyberattacks, data corruption, and natural catastrophes. A solid data backup platform will allow the user to go back in time to the last known good point before the problem occurred. In the best-case scenario, a backup should allow the user to restore mission-critical data quickly.
The first step is to ensure that the organization has a data backup plan in place. The backup plan’s scope defines the data that must be backed up and the frequency of backups. Some data may not require backup, and other mission-critical data may necessitate ongoing data protection. The organization should make backup management as simple as possible in order to ensure that recovery is a secure procedure.
Consider the following as part of your organization’s backup plan:
- a strategy that outlines the organization’s data backup procedure, including who to engage, which systems and products to use, and where to store the backups;
- a procedure for testing, evaluating, and updating the process;
- a recovery strategy, since the ability to restore a backup is only as good as the backup itself;
- employee training so employees can better understand the organization’s data backup strategies and what to expect should a data recovery be necessary; and
- a testing and review plan to ensure data backups are working.
3.11 Evaluate data loss prevention software
Data loss prevention (DLP) technology has become a vital component of an organization’s information security program. Data loss prevention, which is also known as data leak prevention, is a program that uses a combination of technology, strategies, and processes to prevent unauthorized individuals from accessing an organization’s sensitive information.
DLP also refers to the tools and techniques that network administrators use to monitor and regulate data transmission. DLP technologies help protect the organization’s data while it is in use, in motion, and at rest. DLP tools and technologies assist in monitoring, detecting, and blocking the transmission of confidential information outside the organization’s network. Algorithms in DLP software assist in deciding whether data flows should be prevented.
There are three primary kinds of data loss prevention software:
- network DLP;
- endpoint DLP; and
- cloud DLP.
Network DLP solutions provide the organization with more insight into the company’s network, allowing the organization to monitor and control information flow via the network, email, and the web.
Endpoint DLP solutions keep track of the servers, PCs, laptops, and mobile devices on which the company’s sensitive data is used, moved, and stored. This protects sensitive information from being lost, or from being accessed or exploited by unauthorized parties.
Cloud DLP solutions secure data in the cloud by encrypting sensitive information. The information is released only to cloud apps that the organization has approved.
Best practices for data loss prevention include the following:
- determine the objective – define what the organization wants to accomplish with the data loss prevention program. Having a clear goal in mind may help the company decide whether to use network, endpoint, or cloud DLP solutions in the data loss prevention plan;
- identify and classify data – identify and classify the data that is critical to the organization, such as customer information, financial records, source codes, and designs;
- define data security policies – develop and implement comprehensive data security rules and regulations throughout the organization’s network. DLP technology may track, analyze, and block sensitive files from being shared via insecure channels based on pre-programmed criteria;
- manage access – critical information access and usage should be restricted based on user roles and responsibilities; and
- educate and train employees – educating and training your employees on the necessity of data security and the consequences of data loss on an organization is critical to a DLP program’s success.
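The content-inspection logic that the DLP discussion above refers to (‘algorithms in DLP software assist in deciding whether data flows should be prevented’), as an added example that is not part of the checklist and not any product’s code. It classifies a message by looking for card numbers that pass the Luhn check, social security number patterns, and classification labels (the sensitive-data categories listed in requirement 1.2), then decides whether an outbound flow should be blocked, allowed with logging, or allowed. The patterns, domains, and messages are constructed for illustration and are far simpler than a real product’s classifiers.

```python
import re

# Constructed detection rules (assumptions for this example).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN layout
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|TRADE SECRET)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str):
    """Return a list of (category, evidence) findings. Evidence is truncated so
    the DLP log itself does not become a store of the sensitive values."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("credit_card", digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()[-4:]))
    for m in LABEL_RE.finditer(text):
        findings.append(("classification_label", m.group().upper()))
    return findings


def decide(message: str, sender_domain: str, recipient_domain: str):
    """Policy: sensitive content leaving the organization is blocked; sensitive
    content staying inside is allowed but logged; everything else is allowed."""
    findings = classify(message)
    external = recipient_domain != sender_domain
    if findings and external:
        return "block", findings
    if findings:
        return "allow_and_log", findings
    return "allow", findings


# Constructed sample messages: (text, sender domain, recipient domain).
SAMPLE_MESSAGES = [
    ("Quarterly numbers attached. INTERNAL ONLY.", "example.com", "example.com"),
    ("Customer card 4111 1111 1111 1111 expires 12/27", "example.com", "mail.example.net"),
    ("My ticket number is 4111 1111 1111 1112", "example.com", "partner.example.org"),
    ("Lunch at noon?", "example.com", "partner.example.org"),
    ("SSN on file: 123-45-6789", "example.com", "example.com"),
]


def run_samples():
    """Decision for each sample message, in order."""
    return [decide(text, s, r)[0] for text, s, r in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (text, s, r), decision in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{decision:14} {s} -> {r}: {text}")
```

The third sample shows why the Luhn check matters: a sixteen-digit string that fails the checksum is not treated as a card number, which keeps false positives (and the user friction they cause) down. Requirement 1.2’s list of sensitive data categories is the natural source for the detection rules an organization would actually configure.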
Step 4 – Evaluate administrative safeguards
Administrative safeguards are non-technical, ‘soft’ controls regarding appropriate employee behavior, personnel processes, and proper technology usage. The organization should have a good idea of what administrative controls are necessary to protect its sensitive data. Examples of administrative safeguards include employee training, security awareness, written policies and procedures, incident response plans, business associate agreements, and background checks.
Administrative safeguards operate as proactive measures against security risks and, therefore, should be effectively administered and communicated regularly as a preventative measure, as opposed to being applied reactively to an incident. Such safeguards should be reviewed regularly to ensure policies adapt to any new technologies implemented within the organization. New or expanded business agreements should also be reviewed, and existing and new hires should be regularly trained on proper use.
4.1 Conduct background checks for employees, contractors, and third parties
There are inherent risks involved in the hiring process, including the risk that candidates may make fraudulent claims. Background checks give organizations an extra layer of protection against employee-related risks and liabilities. Employers should evaluate everyone who represents their company, even if they are independent contractors or temporary workers.
Some companies that work with vulnerable groups, such as minors, people with disabilities, or older adults, are required by state and federal law to do background checks on all employees who come into contact with their clients. Furthermore, several sectors that require government or security clearance must do background checks on all personnel, whether or not they are actually employees of the company.
4.2 Review policies and procedures
All personnel play an essential role in ensuring that an organization’s data is kept secure. Organizations must communicate their policies and procedures to personnel so they are clear about what their information security obligations are. These policies and procedures should address the risks identified during the course of conducting the data security analysis.
Organizations must ensure that personnel are aware of the data security-related policies and procedures as well as the consequences of non-compliance. Policies and procedures are of no value if personnel are unaware of them.
Utilize the organization’s information security team to help verify personnel’s compliance with security policies by using a variety of methods, such as reports from reporting tools, internal and external audits, and feedback to the information security team.
Employees or contractors who do not comply with relevant policies should have their network access rights suspended until they do so. If the employee or contractor has repeatedly or intentionally violated data security policies then appropriate disciplinary action should be taken.
4.3 Review security training provided
4.3.1 Provided to all personnel
All personnel must receive training on how to secure data. Because data security can be compromised by accident or deliberately, training should address both unintentional data misuse and hostile attempts. Cybersecurity training must be part of the new employee onboarding process. In addition to covering the relevant technical information, training should include measures to ensure that new workers understand the importance of cybersecurity, and know how to report any warning signs of attack.
4.3.2 Tailored to position
Security training should be personalized for each person’s job function. Individualized training allows the organization to prioritize training for workers who have access to sensitive information, as well as the departments that are most frequently attacked. Update information about workers’ responsibilities frequently and adjust training accordingly.
4.3.3 Conducted regularly
Conduct cybersecurity awareness training for personnel at least two to three times a year, or more often, if necessary (eg after an attack, or a system upgrade). The less training an organization provides, the more vulnerable it becomes to cyberattacks that target its personnel. Training must be updated continuously to reflect the most recent threats to the company.
4.4 Review incident response plan
Incident response is a structured process used to identify and deal with cybersecurity incidents. Response includes several stages, including preparation for incidents, detection and analysis of a security incident, containment, eradication, full recovery, and post-incident analysis and learning. Identifying an attack, determining its severity and prioritizing it, investigating and mitigating the attack, restoring operations, and taking steps to guarantee the attack will not happen again are all part of the incident response process. An incident response plan should specify the measures to be taken throughout each phase of an incident response. It should include: roles and responsibilities guidelines, communication plans, and defined response methods.
4.5 Review insurance policies
Organizations of all sizes face data security risks, many of which are cyber risks. Use cyber insurance to ensure the organization has financial protection should a cyber event occur. Different types of cyber-insurance coverage are available, including errors and omissions coverage, business interruption coverage, and networking security coverage.
An organization should consult with an experienced insurance broker to determine whether its insurance adequately covers cybersecurity incidents and, if not, what additional cyber coverages are available and best suited to the organization.
Step 5 – Review findings and make modifications
5.1 Review risk evaluation findings
An organization should memorialize its findings in an information and data security report that, among other things, identifies areas of deficiency and recommends changes to reduce risk.
5.2 Identify areas beyond organization’s risk tolerance
In virtually every case, a comprehensive information and data security risk assessment will identify areas of risk and changes an organization could make to mitigate them. Some of these ideal changes will be beyond an organization’s budget or practical capabilities, and some information and data security risk is inherent in running any organization. It is impossible to remove all risk.
For these reasons, an organization must determine which data and information threats exceed its risk tolerance. Risk tolerance is an organization-specific judgment that takes into account a host of factors, including compliance requirements and penalties, the value of the organization’s information assets, and the likelihood and potential impact of each identified threat.
5.3 Make appropriate changes to data and information security policies and procedures
An organization should continuously review and update its cybersecurity policies and procedures, setting and adhering to a regular timetable for doing so. This helps ensure that security is at the forefront of employees’ minds and that the company can better protect data from outside threats.
Changes in regulatory requirements may necessitate amendments to the data and information security policies and procedures. Any time a regulatory change occurs, the company should conduct a policy review to assess the implications of the new legislation and make any required adjustments.
Review and update data and information security policies and procedures when other organizational changes occur. As the organization evolves, so should these policies. Situations that should trigger a review include the following:
- new offices or branches open;
- new applications, services, or devices are added to the company network;
- any of the company systems are decommissioned or retired;
- changes to employee work operations (eg, instituting a BYOD policy, changing core work hours, or giving employees the option to work remotely); and
- outsourcing of any of the services or operations.
Trouble with employee compliance could be a signal to reassess the cybersecurity policy.
Most importantly, data and information security policies and procedures must be re-evaluated following a cybersecurity threat or incident. Security and management teams should undertake a debriefing as soon as the incident’s damage has been controlled and operations have been restored. Discuss what led to the incident, what happened as a result, and whether the procedures in place were effective in mitigating the harm. Consider interviewing employees and examining system and security tool logs as part of the debriefing.
Management can then decide whether security procedures need to be changed and whether to update staff training to ensure that these rules are understood.
Additional Resources
NIST Cybersecurity Framework
ISO/IEC 27001 Framework
CIS Critical Security Controls v8
SOC 2 for Service Organizations
Department of Defense CMMC program
Department of Defense CMMC 2.0 Framework
CISA Security Tip (ST18-005): Proper Disposal of Electronic Devices
Related Lexology Pro Content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to manage your organization’s data privacy and security risks
How to implement privacy by design within your organization
How to develop, implement, and maintain a US privacy law compliance program
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Completing a data privacy risk assessment
Drafting internal privacy policies and procedures
Drafting a consumer privacy policy
Developing key privacy and data security contractual terms and provisions (B2C)
Privacy and data security law training
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A
Quick views:
Key data privacy and data security terms
Collection and use of non-consumer data
Regulation of data brokers