2017 GNYADA Membership Directory

HOT TOPICS

Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. It’s wise to:

• Know the life cycle and path of information that comes into your network. Monitor for any irregularities which may indicate an intruder has gained access to your system;
• Keep logs of activity on your network and monitor them for signs of irregular activity or unauthorized access to customer information;
• Use an up-to-date intrusion detection system to alert you of attacks;
• Monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user;
• Insert dummy accounts into each of your customer lists and monitor the dummy accounts to detect any unauthorized contacts or changes;
• Assess the vulnerability of your website and computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks. Regular stress testing of your system by a security firm is a good practice to meet this requirement;
• Implement simple, free or low-cost, and readily available security defenses against SQL injection and similar attacks;
• Use readily available security measures to monitor and control connections from your network to the Internet;
• Prevent users from downloading “P2P” file-sharing network software that can allow any network user to access other users’ data servers;
• Employ reasonable measures to detect unauthorized access to consumer information, such as by keeping log events, paper file access records, and other records of persons accessing consumer information. Watch for changes in users’ access behavior. If a user’s access to customer records increases unexpectedly, quickly find out why;
• Implement system procedures to preclude downloading of customer information to portable media such as USB drives or external hard drives. Ideally, customer information should remain on a server with read-only access on user devices;
• Conduct regular audits of your security system and operations to determine the effectiveness of your Safeguards program and to correct any deficiencies; and
• Make customer information “read only” and not downloadable to any remote devices such as cell phones or tablets. These devices are typically harder to secure and should not have customer information retained on their hard drives.

Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a security incident or data breach in accordance with your Incident Response Plan, which must be part of your Safeguards Information Security Program. If a breach occurs:

• Take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet but do not unplug it so you can make a forensic copy. Do the same for infected servers.
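Three of the oversight bullets above (monitoring dummy accounts, watching for an unexpected increase in a user's access to customer records, and spotting unexpectedly large outbound transfers to unknown destinations) are simple to automate once access logs exist. The following Python script is an added example written for this page; it is not part of the directory and not a GNYADA tool. It assumes a whitespace-separated log format (date, user, action, object, bytes, destination), an allow list of known bulk-transfer destinations, and a threshold of 10 MiB; the log lines, user names, customer IDs and the 203.0.113.7 address are all constructed sample data.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample log, one event per line (assumed format):
#   <date> <user> <action> <object> <bytes> <destination>
# Three quiet days of baseline activity for jsmith, then a day of bulk
# reads that also touches a dummy record and exports data off-site.
SAMPLE_LOG = "\n".join(
    [f"2017-03-0{d} jsmith read customer/10{d}{i} 0 -" for d in (1, 2, 3) for i in range(3)]
    + [f"2017-03-04 jsmith read customer/20{i:02d} 0 -" for i in range(15)]
    + [
        "2017-03-04 jsmith read customer/9999 0 -",
        "2017-03-04 jsmith export customer/all 52428800 203.0.113.7",
        "2017-03-04 mjones backup customer/all 52428800 backup.example.internal",
    ]
)

# Dummy customer IDs seeded into the customer list (assumption: kept in a
# place the business applications never read from).
DUMMY_ACCOUNTS = {"customer/9999"}
# Destinations allowed to receive bulk customer data (assumption).
KNOWN_DESTINATIONS = {"backup.example.internal"}
LARGE_TRANSFER_BYTES = 10 * 1024 * 1024  # 10 MiB, an illustrative threshold


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, action, obj, nbytes, dest = line.split()
        events.append({"date": date, "user": user, "action": action,
                       "object": obj, "bytes": int(nbytes), "dest": dest})
    return events


def honeytoken_hits(events, dummy_accounts=DUMMY_ACCOUNTS):
    """Any touch of a dummy account is suspicious: no real process needs it."""
    return [(e["date"], e["user"], e["object"])
            for e in events if e["object"] in dummy_accounts]


def access_spikes(events, factor=3.0, min_baseline_days=2):
    """Flag (user, date) pairs whose customer-record reads exceed `factor` times
    that user's mean daily reads over all earlier days in the log."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "read" and e["object"].startswith("customer/"):
            per_user_day[e["user"]][e["date"]] += 1
    alerts = []
    for user, days in per_user_day.items():
        dates = sorted(days)
        for idx, day in enumerate(dates):
            baseline = [days[d] for d in dates[:idx]]
            if len(baseline) < min_baseline_days:
                continue  # not enough history to judge this day
            if days[day] > factor * mean(baseline):
                alerts.append((user, day, days[day], round(mean(baseline), 1)))
    return alerts


def large_unknown_transfers(events, known=KNOWN_DESTINATIONS,
                            threshold=LARGE_TRANSFER_BYTES):
    """Flag transfers above the threshold to a destination not on the allow list."""
    return [(e["date"], e["user"], e["bytes"], e["dest"])
            for e in events if e["bytes"] > threshold and e["dest"] not in known]


def run_checks(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings by check name."""
    events = parse_log(text)
    return {"honeytoken": honeytoken_hits(events),
            "spikes": access_spikes(events),
            "transfers": large_unknown_transfers(events)}


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name, hits)
```

The spike check compares each day only against the days before it, so a single burst does not inflate its own baseline; the transfer check treats a large copy to the known backup host as normal and flags the same volume sent to an unlisted address. On real systems the thresholds and the allow list are the parts to tune.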
