• Are we vulnerable to outside attacks or to the introduction of malware, worms or viruses? What about employees introducing the same to our network or systems?
• Have we trained our employees on ways to avoid introducing malware, worms or viruses? What about training on so-called “phishing” attacks, which are used to gain entry to systems and data?
• Do we encourage employees to share their concerns about outside intrusions and vulnerabilities?
• Have our internal controls for information security been reviewed by an independent third party or approved by an outside auditor?
• Have we tested our systems for vulnerabilities? When? How?
• Have we engaged someone to try to hack into our systems to identify their weaknesses?
• Do we have a response plan in place in the event of a breach, unauthorized access, interruption of service, or other incident?
• Who do we turn to for assistance in the event of a data breach incident, both to protect and secure our network and to recover from the unauthorized access?
• Do we have a secure backup system, offsite data vault, or redundant servers, and how long until we are up and running after a serious breach?
• What costs are we likely to incur in the event of a data breach?
• What insurance do we currently have to cover a data breach? Is that insurance adequate?
• What federal, state, and international laws apply to our business relative to data privacy and security, and what obligations do we have to notify and disclose a data breach?
• Do we transfer personal data from outside the USA (such as employee data) and, if so, what legal mechanism do we use: Model Contracts? Binding Corporate Rules?
• What must be included in a data breach notice, and when and to whom must it be disclosed?