Treatment of Data
■ The vendor must maintain all information it receives from the client as confidential. The vendor should be liable for any unauthorized disclosure or use of data by its personnel or a subcontractor. No data should be removed by a vendor.
■ Consider securing the physical grounds where data is kept, including using locks and restricting access. Servers should be separated from highly sensitive information in rooms with added security and restricted access.
■ Consider requiring security guards and cameras.
■ If a vendor is responsible for the storage and protection of a company’s data, the company should ensure that the vendor stores the information in a physically and logically secure environment that protects it from unauthorized access, modification, theft, misuse, and destruction.
■ All personnel who have access to data should be required to execute a nondisclosure agreement.
■ Similar protections should be used with respect to trade secrets.
■ A written security plan should cover the use of passwords and portable computing devices (e.g., laptops and smartphones), as well as portable storage devices (e.g., USB drives). The plan should also mandate the use of encryption on any device that provides or enables access to any confidential or sensitive information, including any client intellectual property. When developing the plan, keep in mind the ability to remotely track or wipe portable devices when they are reported lost or stolen. Consider procedures for and management of the use of removable media, including keeping logs of use.
■ Use permission settings and restrictions. Users and vendors should not have rights or access to any information, systems, or programs that they should not have.
■ Consider separating the networks or systems to which vendors have access from the systems to which they do not require access.
■ Keep permanent logs of any access to the information, including logs of all activity and system, program, or user faults.
■ Vendors shall not allow unauthorized access to companies’ data. Companies should not allow their users or vendors to install or remove any programs without their authorization. Require vendors that hold or access data to implement reasonable security procedures.
■ Require vendors, at a minimum, to comply with all applicable regulatory requirements, including:
- Gramm-Leach-Bliley
- HIPAA Security Rule/HITECH Act
- FFIEC Guidance
- State laws (e.g., California, Massachusetts, Nevada)
- Federal Trade Commission
■ Document all equipment and systems to which the vendor has access and regularly verify that they are protected and have not been tampered with.
■ Enable the use of firewalls to protect computers and networks.
- Require that vendors use firewalls, antivirus programs, and VPNs when accessing the company’s systems and networks.
■ Ensure that all connections to the Internet are secure. Alternatively, if an Internet connection is not needed for certain computers, consider disconnecting them.
■ Implement intrusion detection systems.
■ Encrypt all sensitive data.
■ Clients should have procedures regarding data in transit, including:
- Encryption of all information in transit.
- Protection by the vendor of data in transit from unauthorized access, misuse, and disclosure.
- Logging of all data in transit.
■ Maintain separate environments for testing and production.
■ Ensure that all vendor personnel are aware of the security requirements, including access and disclosure restrictions. Consider regular or annual trainings and reminders.
■ Companies should have the ability to request the removal of any personnel who present a security threat.
■ All vendor personnel should be screened prior to gaining access to any data. Screening should include character references, confirmation of claimed academic and professional qualifications, and an identity check.
■ Control over access. Company personnel should be required to escort vendors when moving throughout company facilities. All contractor personnel should carry identification that indicates their status, security clearance, and access.
■ Review and scan any materials or equipment that vendor personnel take out of the company’s facilities.