• What internal controls are used to detect employee abuses, and are they adequate?
• Are we vulnerable to outside attacks or to the introduction of malware, worms or viruses? What about employees introducing the same to our network or systems?
• Have we trained our employees on ways to avoid introducing malware, worms or viruses? What about training on so-called “phishing” attacks as a way to gain entry to the system and data?
• Do we encourage employees to share their concerns about outside intrusions and vulnerabilities?
• Have our internal controls for information security been reviewed by an independent third party or approved by an outside auditor?
• Have we tested our systems for vulnerabilities? When? How?
• Have we engaged someone to try to hack into our system to identify its weaknesses?
• Do we have a response plan in place in the event of a breach, unauthorized access, interruption of service, or other incident?
• Who do we turn to for assistance in the event of a data breach incident, someone who can help us not only protect and secure our network but also recover from such unauthorized access?
• Do we have a secure backup system, offsite data vault, or redundant servers, and how long until we are up and running after a serious breach?
• What costs are we likely to incur in the event of a data breach?
• What insurance do we currently have to cover a data breach? Is that insurance adequate?
• What federal, state, and international laws apply to our business relative to data privacy and security, and what obligations do we have to notify and disclose a data breach?
• Do we transfer personal data from outside the USA (such as employee data), and if so, what legal mechanism do we use: Model Contracts? Binding Corporate Rules?