HOT TOPICS 2017 MEMBERSHIP DIRECTORY (page 120)
Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.
It’s wise to:
• Know the life cycle and path of information that comes into your network. Monitor for any irregularities that may indicate an intruder has gained access to your system;
• Keep logs of activity on your network and monitor them for signs of irregular activity or unauthorized access to customer information;
• Use an up-to-date intrusion detection system to alert you to attacks;
• Monitor both inbound and outbound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user;
• Insert dummy accounts into each of your customer lists and monitor the dummy accounts to detect any unauthorized contacts or changes;
• Assess the vulnerability of your website and computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks. Having a security firm stress test your system regularly is a good practice for meeting this requirement;
• Implement simple, free or low-cost, and readily available security defenses against SQL injection and similar attacks;
• Use readily available security measures to monitor and control connections from your network to the Internet;
• Prevent users from downloading “P2P” file-sharing network software that can allow any network user to access other users’ data servers;
• Employ reasonable measures to detect unauthorized access to consumer information, such as keeping log events, paper file access records, and other records of persons accessing consumer information. Watch for changes in users’ access behavior. If a user’s access to customer records increases unexpectedly, quickly find out why;
• Implement system procedures to preclude downloading of customer information to portable media such as USB drives or external hard drives. Ideally, customer information should remain on a server with read-only access from user devices;
• Conduct regular audits of your security system and operations to determine the effectiveness of your Safeguards program and to correct any deficiencies; and
• Make customer information “read only” and not downloadable to any remote devices such as cell phones or tablets. These devices are typically harder to secure and should not have customer information retained on their hard drives.
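Three of the monitoring items above (watching outbound transfers, seeding dummy accounts into the customer list, and noticing when a user's access to customer records jumps unexpectedly) can be checked with one pass over an access log. The following is an added illustration, not code from the original document; the log records, user names, the canary customer IDs, the known egress host and the thresholds are all constructed for the example, and a real deployment would read its own log format instead.

```python
"""Constructed example: flag three warning signs from the Safeguards guidance
over a small made-up access log: (1) any read of a dummy ("canary") customer
record, (2) a user whose daily customer-record reads jump far above their own
earlier baseline, (3) a large outbound transfer to a destination not on the
known list. Every record, name and threshold here is constructed."""
from collections import defaultdict
from statistics import mean

# Constructed: dummy accounts seeded into the customer list. No legitimate
# business process should ever touch them, so any access is worth a look.
CANARY_CUSTOMER_IDS = {"C-90001", "C-90002"}

# Constructed: outbound destinations the organisation already knows about.
KNOWN_EGRESS_HOSTS = {"backup.example.internal"}

# Constructed access log as (date, user, action, object, bytes).
# action is "read" for a customer-record lookup, "egress" for an outbound transfer.
SAMPLE_LOG = [
    ("2017-03-01", "alice", "read", "C-10001", 0),
    ("2017-03-01", "alice", "read", "C-10002", 0),
    ("2017-03-02", "alice", "read", "C-10003", 0),
    ("2017-03-02", "alice", "read", "C-10004", 0),
    ("2017-03-03", "alice", "read", "C-10005", 0),
    ("2017-03-03", "alice", "read", "C-10006", 0),
    # Day 4: alice reads 40 records (including a canary) and sends 900 MB out.
    *[("2017-03-04", "alice", "read", f"C-1{i:04d}", 0) for i in range(100, 139)],
    ("2017-03-04", "alice", "read", "C-90001", 0),
    ("2017-03-04", "alice", "egress", "backup.example.internal", 50_000_000),
    ("2017-03-04", "alice", "egress", "203.0.113.45", 900_000_000),
    ("2017-03-01", "bob", "read", "C-20001", 0),
    ("2017-03-02", "bob", "read", "C-20002", 0),
]


def canary_accesses(log):
    """Return (date, user, customer_id) for every read of a dummy account."""
    return [(d, u, o) for d, u, a, o, _ in log
            if a == "read" and o in CANARY_CUSTOMER_IDS]


def access_spikes(log, factor=5.0, min_baseline_days=2):
    """Per user, compare each day's read count with the mean of that user's
    earlier days and flag days above factor * baseline. At least
    min_baseline_days of history are required so a new user's first busy
    day is not reported on its own."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for d, u, a, _, _ in log:
        if a == "read":
            per_user_day[u][d] += 1
    spikes = []
    for user, days in per_user_day.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            if i < min_baseline_days:
                continue
            baseline = mean(days[x] for x in ordered[:i])
            if days[day] > factor * baseline:
                spikes.append((day, user, days[day], baseline))
    return spikes


def large_unknown_egress(log, threshold_bytes=100_000_000):
    """Return outbound transfers above the threshold to unknown destinations."""
    return [(d, u, o, b) for d, u, a, o, b in log
            if a == "egress" and b > threshold_bytes and o not in KNOWN_EGRESS_HOSTS]


def review_log(log):
    """Run all three checks and return the findings grouped by check."""
    return {
        "canary_reads": canary_accesses(log),
        "access_spikes": access_spikes(log),
        "large_egress": large_unknown_egress(log),
    }


if __name__ == "__main__":
    for check, findings in review_log(SAMPLE_LOG).items():
        print(check, findings)
```

The spike check compares each user with their own history rather than with a fixed number, which is what the guidance's "increases unexpectedly" asks for; the fixed byte threshold for egress is a placeholder that each organisation would set from its own normal traffic.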
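The list also recommends simple, readily available defenses against SQL injection. The most basic of these is the parameterized query, shown here as an added example (not code from the original document) using Python's built-in sqlite3 module: the first lookup splices user input into the SQL text, the second passes it as a bound parameter. The table, its rows and the inputs are constructed for the example.

```python
"""Constructed example: the same customer lookup written two ways against an
in-memory SQLite table. lookup_customer_unsafe() builds SQL by string
concatenation, so a crafted e-mail value changes the query; lookup_customer_safe()
binds the value with a placeholder, so it can only ever be compared as data."""
import sqlite3


def make_db():
    """Create a throwaway in-memory table with two constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn_last4) VALUES (?, ?)",
        [("ann@example.com", "1234"), ("ben@example.com", "5678")],
    )
    return conn


def lookup_customer_unsafe(conn, email):
    """Vulnerable pattern: untrusted input becomes part of the SQL statement."""
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_customer_safe(conn, email):
    """Hardened pattern: the driver sends email as a bound value, never as SQL."""
    return [row[0] for row in
            conn.execute("SELECT email FROM customers WHERE email = ?", (email,))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed probe string: a classic tautology that widens the WHERE clause.
    probe = "' OR '1'='1"
    print("unsafe:", lookup_customer_unsafe(conn, probe))  # returns every customer
    print("safe:  ", lookup_customer_safe(conn, probe))    # returns nothing
```

Switching every query in an application to the parameterized form costs nothing beyond developer time, which is why the guidance can describe such defenses as free and readily available; input validation and least-privilege database accounts are the usual companions to it.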
Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a security incident or data breach, in accordance with your Incident Response Plan, which must be part of your Safeguards Information Security Program. If a breach occurs:
• Take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet but do not unplug it, so that you can still make a forensic copy. Do the same for infected servers.