Risk Assessment
Has your organization conducted a risk assessment that identifies reasonably foreseeable internal and external risks?
To answer this question, consider your responses to the following questions:
Has your organization identified threats to security and information and attempted to assess the likelihood and potential impact of these threats?
Has your organization performed a rigorous assessment of potential risks to security and data?
Does your organization have a documented plan identifying areas for improving cybersecurity?
Controlling Risk
Does your organization have an ongoing process to continuously assess the sufficiency of the safeguards that you have in place?
To answer this question, consider the following:
Does your organization have a Data Security Policy or Data Breach Policy in place?
Have cybersecurity and data security policies been adequately socialized with your staff?
Are staff aware of the implications and consequences of violating such policies?
Does your organization have a process for onboarding new staff that includes training on cybersecurity and data policies?
Are there established intervals (e.g. quarterly) for reassessment of risk, modifying policy and re-training staff?
Vendor Safeguards
Does your organization have a process for selecting and contracting with service providers who also maintain reasonable safeguards?
To answer this question, consider your responses to the following questions:
Does your organization perform a standard vetting process for establishing the security posture of third party vendors and other service providers?
Does your organization include in its contracts requirements that third parties provide reasonable safeguards to protect private information?
Review Process
Does your organization have an established, documented process for regularly reviewing your cybersecurity program?
To answer this question, consider the following:
Does your organization have a process for regularly evaluating your security program?
When business practices change, such as when new programs are added or staff are expanded, do you evaluate how this affects your cybersecurity and data security programs?
When adopting new software programs, do you evaluate these in light of your organizational security requirements?
Response Plan
Does your organization maintain a process for detecting, preventing or responding to an attack or system failure?
To answer this question, consider your responses to the following questions:
Does your organization maintain a practice of ensuring that anti-malware is installed on all systems that interact with its networks? That includes personal computers when people are working from home.
Does your organization have a way of monitoring suspicious traffic?
Do you have a documented plan for responding in the event of an attack—this is also commonly referred to as an Incident Response Plan? The NY SHIELD Act requires notification within 72 hours—would your organization be able to do that?
Testing and Monitoring
Does your organization have a defined process for regularly testing and monitoring all key controls, systems and procedures?
To answer this question, consider the following:
Does your organization implement regular penetration testing to test the effectiveness of your systems to protect against attack?
How does leadership at your organization know if your current systems are capable of protecting private information?
Intrusions
Does your organization have a system for detecting, preventing and responding to intrusions?
To answer this question, consider your responses to the following questions:
Does your organization prevent unauthorized physical access by requiring staff to use keycards and securing all access points?
Do you have systems in place to detect network and other systems intrusions?
Do you monitor alerts for hosted and cloud services?
Unauthorized Access
Does your organization have a process in place to protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of information?
To answer this question, consider whether your organization has:
Data governance in place, with administrators who fully understand the lifecycle of data/information as it is collected, transported, destroyed or disposed of
Defined and documented safeguards in place at each of these stages that protect against unauthorized access
Disposal
Does your organization have a process for disposing of private information within a reasonable amount of time, after it is no longer needed for business purposes?
To answer this question, consider the following:
Does your organization have a Data Retention Policy?
Is there an end-of-life stage built into your organization's data life cycle?
Does your organization have a secure process for destroying or purging data when it is no longer needed?
When data is no longer needed, is it removed in a way that ensures it cannot be read or reconstructed?