Do you know what types of information your company holds?
Has this information been classified into different data types (e.g. by level of confidentiality)?
Do you enforce security and regulatory requirements based on data type?
Do you know how your employees and customers access your data?
Is your company aware of the risks associated with a potential breach for each data type?
Data Handling Best Practices
Do you encrypt sensitive, proprietary or confidential information?
Is your data restricted on a "need-to-know" basis?
Do you have an internal program to monitor and log access to your data?
Do you have a formalized data retention and secure destruction process?
Do you perform risk assessments on your internal and external processes and systems?
Do you have a formalized Data Handling Guideline?
Do you credential your employees, customers and vendors prior to providing access to data?
Do you have an ongoing process to ensure employee, customer and vendor compliance?
Is your data protected by legal agreements?
Do you have a dedicated internal security and privacy team?
Incident Response Planning
Have you identified an Incident Response Team (an "IRT")?
Does your IRT include representatives from Security, Legal, IT, Marketing, Branding/PR, Customer Services, and Senior Executive/Leadership Team?
Does your IRT operate under a documented process and communication plan that includes defined roles, responsibilities and response strategies?
Does the above plan include external communications to customers, media, regulatory bodies and other key persons?
Have you identified the types of incidents that the IRT will manage?
Have you identified key external contacts that will assist the IRT for each incident (e.g. Equifax)?
Have you identified key internal contacts who will help the IRT determine the cause and scope of the incident?
Is your IRT deployable 24/7?
Do you have an ongoing process to test your IRT?
Do you analyze, archive and refer back to lessons learned from past incidents?
Culture Of Compliance
Could you pick out the members of your privacy and security teams from a line-up?
Do you have an ongoing security and privacy awareness program deployed to all employees?
Do you conduct ongoing training throughout your organization?
Do you have budgeted resources to implement these programs?
Is Compliance part of your strategic plan?