

SECURITY BY DESIGN



To assist in developing and implementing an effective security strategy and incident response plan, organizations are encouraged to audit their level of preparedness by surveying their team and vendors with the following questions:

  1. Do you know what sensitive information is maintained, where it is stored and how it is kept secure?  Do you have an accounting of all information stored including backups and archived data?

  2. Do you know what data elements or attributes are being stored?

  3. Who has access to each data set and data element?  Is access limited by account or client responsibility?  (Limited vs. administrative rights, read-only, etc.)

  4. How do you provision new user accounts, audit user rights and revoke them on job changes or termination? Do you have a comprehensive password management system?

  5. Do you have intrusion detection systems?  How often do you review and test them?

  6. How do you monitor outbound traffic and systems for abnormal or malicious usage?

  7. What logs are maintained, how are they secured and used for intrusion detection?  Do you have a process and procedure for regular review?

  8. Is your definition of personal information current and in line with both applicable industry regulation and customer’s expectations?

  9. Do you have a trained incident response team in place ready to respond 24/7?

  10. Is your executive management aware of security, privacy and regulatory requirements related specifically to your business (including breach notification requirements in the US, Canada and the EU)?

  11. Have you conducted a comprehensive audit of your data flows across the enterprise and vendors including a privacy and security review of all data collection and management activities?

  12. Are security disclosures and requirements included in your terms of service and service contract with customers and vendors?  Do your contractual requirements account for exceptional risk and liability due to nature of the work or service provided by third party vendors?

  13. Are you prepared to communicate to customers, partners, shareholders and the community at large in the event of a data incident?

  14. Are employees equipped to notify management of security incidents, including intrusion, breach, data misuse or data loss?

  15. Have you coordinated with all departments (for example information technology, corporate security, marketing, governance, fraud prevention, compliance, HR and regulatory teams) with respect to breach readiness and response to a data loss incident?

  16. Have you developed relationships with law enforcement and forensics services in advance of an incident, and do you understand their data requirements and how to work with them?

  17. Do you have a privacy review and audit system in place for all data collection, storage, manipulation or usage activities, including those of third-party service providers and partners? Have you taken necessary or reasonable steps to protect customer confidential data?

  18. What processes do you have in place for data minimization, secure archiving and data destruction?

  19. Have you considered updating your Terms of Use to provide an ability to examine customer data files and share information with forensics specialists and law enforcement officials and to investigate reports of misuse?

  20. Have you developed a mutual understanding with your service providers of the security requirements they must adhere to in managing or processing your data?

Download the report Security by Design Guidelines
Revised April 20, 2011