Identify Risks

  1. Conduct an annual assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information.

  2. Create an inventory of all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment used by the organization.

  3. Locate and identify sensitive data and identify on which device(s) the data is stored. Also record which employee has access to the data.

  4. Identify client information transmitted via email, cloud services, firm websites, custodians, and other third-party vendors.

Protect

  1. Establish authentication procedures for employee access to email on all devices (computer and mobile devices).

  2. Passwords for access to email are changed frequently (e.g., monthly or quarterly).

  3. Client instructions received via email are authenticated.

  4. Due diligence has been conducted on cloud service providers, custodians, and other third-party vendors, evaluating whether they have documented safeguards against breaches.

  5. All records are backed up off-site.

  6. Address data security and/or encryption requirements when transmitting information.

Respond and Recover

  1. A plan and procedure are in place to immediately notify authorities and clients in the case of a security incident or breach.

  2. A business continuity plan to implement in the event of a cybersecurity event.

  3. A process for retrieving backed-up data and archival copies of information.

  4. Policies and procedures for employees regarding the storage and archival of information.