Services offered:
Vendor Compliance Audits
Compliance with the Federal Information Security
Management Act (FISMA), the Gramm-Leach-Bliley Act
(GLBA) or HIPAA is one of the most daunting challenges
that chief information security officers face. A company
is responsible and accountable for how its vendors
access and use non-public data. The vendor, in turn,
must implement and maintain comprehensive
information-security policies and practices that address
the security threats concerning government entities and
businesses alike.
Merging offline and online data (telephone, fax,
wireless and location-tracking devices) with legacy
data can create problems for the customer. Integrating
legacy data and its associated permissions (EBR rules,
data archiving, etc.) is complex. We review access,
analyze and identify risk, and issue specific
recommendations for global or enterprise-wide
compliance.
We have a proven methodology and train company
personnel to perform internal assessments and analyze
risk on an ongoing basis. We also develop training
programs for enterprises whose management and support
personnel change over time.
Our vendor audits are comprehensive, but we approach
them sensibly and respectfully, recognizing the special
relationship that exists between the company and its
vendor.
We identify the gaps that exist and measure the risk in
proportion to the type of information used or stored by
the vendor.
An example of a review might look like the following:
PRIVACY POLICY
The Gramm-Leach-Bliley Act sets out the requirements for
privacy notification and an opt-out policy. Section 5 of
the FTC Act (unfair or deceptive business practices) also
applies.
REQUIREMENT:
The organization must have a privacy policy that extends
to all aspects of its business or business units.
Separate policies may have to be developed for the EU,
Canada or other countries. Each policy is required to
cover consumers' rights, use of data, an explanation of
data sharing, the definition of notification, opt-out
provisions, and the consumer's recourse, where
appropriate to the business.
BEST PRACTICE:
The organization will have a legally prepared privacy
policy covering all aspects of its business and granting
rights and recourse to consumers. It shall state what
recourse the customer has should a breach occur, how
the information collected is to be used, and the
customer's ability to opt out of data collection. The
policy will also describe the organization's
information-handling practices in detail.
Interview Synopsis:
There was no privacy policy posted or delivered to
us for review.
Findings:
There was no privacy policy posted or delivered to
us for review.
Rated Area                 | Best Practices | Compliant | Not Fully Compliant | Not Compliant | Unable to Rate | Risk Level
Privacy Policy Description |                |           |                     | X             | X              | 4

Description: Privacy Policy Elements
Recommendation/Comments:
Create a privacy policy and post it on the website,
keep the policy in hard-copy form for distribution to
employees, and send a copy of the policy to vendors.