Information Security

Four basic tenets of U.S. State Data Breach Laws

California’s landmark SB1386 was the first data breach law enacted. A data breach law sets out when a company must notify consumers whose personal information has been compromised (for example, a copy has been stolen or lost and is presumably in the hands of someone not entitled to it). A significant majority of U.S. states have followed suit, although each has its own requirements. The four basic tenets are as follows:

1. Notification guidelines: when a company is required to inform people whose data privacy has been breached

2. Penalty for failure to disclose: whether

3. Private right of action: if/when individuals have the right to file a lawsuit

Network Security Outsourcing Agreement Templates

Download Free Network Security Outsourcing Agreement
- Aims of the agreement
- Term of agreement
- Scope of services
- Provider’s responsibilities
- Bank’s responsibilities

Physical Security Policy Audit Checklist

Download Free Physical security policy checklist
1. Is the exterior of the building reviewed on a regular basis for protection deficiencies, such as cracked windows or unlocked doors?
2. Is there a process to identify vendors, contractors, and visitors before they enter the business area?
3. Is the lighting adequate to illuminate critical interior and exterior areas?
4. Are the entranceways secured enough to keep intruders out, while still allowing efficient access for staff?

ISO 27001 Information Security Strategic Priorities Checklist

Download Free ISO 27001 Information Security Strategic Priorities Checklist
1. Assessing and protecting key information assets and critical infrastructure, including interdependent physical and cyber information systems.
2. Limiting the risk to enterprise assets through the use of administrative, technology, and physical means.
3. Ensuring privacy of information related to employees, partners, and customers.
4. Ensuring the enterprise is compliant with all required regulations and other regulations that may affect clients and partners.

Information Security Policy Assessment Checklist

Download Free Information Security Policy Assessment Checklist
1. Is there an executive directive/statement to ensure there is an information security architecture that includes risk, governance, ethics, compliance, privacy, and protection of enterprise assets? Are enterprise roles, responsibilities, and accountabilities defined? Are the executive team and the board of directors on the same page?
2. Are there data/information requirements stating that data must be available, accessed only on a need-to-know or need-to-have basis, and kept in the most accurate form?
3. Are staff required to acknowledge policies on new hire and termination, and at regular intervals? Are the staff types of enterprise network access defined? Is an enterprise asset defined?
4. What types of services and applications are permitted on the enterprise network, who is permitted to perform the installs and removals, and who is permitted to perform the monitoring? How are connections (hardwired, wireless, remote) defined to the enterprise network?
