    Observatory Strategic Management Cyber supplementary app. for LCP ₂

    Developments in US cyber legislation and regulatory enforcement are likely to force changes to corporate cybersecurity risk management and regulatory reporting from 2023. The following questions are formulated with these new standards in mind.

    Operations

  • Have you had a SOC 1 or SOC 2 report done?
  • Do you have a Crisis Management Incident Response Plan?
  • Did you implement any or all of the recommendations contained therein?

    Cloud

  • Have you asked your IT staff or the third party who implemented your cloud solution whether the following documentation from the Cloud Security Alliance was consulted, and can they provide proof that best practices were followed:

  • Please check each that applies.
  • Have you evaluated, understood and mandated regulatory standards for putting client information in The Cloud?

    Governance

  • Do you plan to comply with the standards set out under ISO 27001?

    Passwords and Access

  • Do you segment your network access so that every system’s password is different and independent of the others? [This implies that organizations cannot use Single Sign-On (password or identity) to access all systems at once.]
  • Do you manage, control and encrypt all employees’ passwords – i.e., employees cannot bring their own keys or know their passwords?
  • Do you use automatically generated long random passwords for every system? [Users cannot create their own passwords; 15-character minimum for high entropy.]
  • Do you have an access audit system in place that records every access event?

    Hygiene

  • Does your firm mandate cyber training for ALL employees, Directors and Officers?
  • Are your employees specifically prohibited from using work email outside of work?
  • Do you have someone maintaining your URL and your web domain’s DNS?
  • If you merged with or acquired a new entity within the past 36 months, did you conduct a supply chain review of its cyber hygiene?

    Privacy

  • Do you know where your private protected data resides?
  • Do you conduct regular Data Protection Impact Assessments?
  • Do you ensure that appropriate security measures are in place to protect the protected data you hold?
  • Do you have contracts in place with all third-party data processors?
  • Do you implement pseudonymization and encryption of data, when appropriate for the level of risk to individuals whose data you collect?
  • Do you have a privacy training program in place for employees and anyone else who has access to personal data?
  • Do you regularly review the data you collect and delete any data not needed for specific business needs?
  • Do you ensure that protected data is only stored and processed in the country or region it is collected and is only transferred to third parties that store and process the data according to these same privacy principles?
  • Do you provide personal data in a portable and readily usable format to verified individuals who request their data?
  • Do you have a process to verify the identity of individuals making requests?
  • Do you have a corporate or organizational privacy policy?
  • Have you formally appointed a Data Protection Officer and made their contact information public for customers to access?
  • Do you receive consent from customers/users before collecting their data?
  • Do you communicate to customers what information you are collecting and for what purposes?
  • Do you give your customers/users the ability to access the data you have collected on them?
  • Do you give your customers/users the ability to object to you collecting their protected data?
  • Do you have a process in place to ensure that the data collection has been stopped and that the user is notified that collection has stopped?
  • Do your customers/users have the ability to delete the information you have collected on them?
  • And/or have you applied anonymization to data?
  • Do you have a process in place to ensure that the information is deleted or anonymized and that the user is notified that the information has been successfully deleted or anonymized?
  • Do you provide your customers the ability to correct any information about them that is incorrect?
  • Do you have a process in place to ensure that information is rectified and that the user is notified that the information has been successfully corrected?
  • Do you ensure that a person will not face retribution if they exercise their rights?
  • Do you offer an appeals process?
  • Do you provide the consumer with a mechanism through which to contact the appropriate governmental or outside body to whom the individual can appeal further or submit a complaint?
  • Do you have measures in place to get a parent's consent before collecting data on children under 16 years of age?
  • Do you have technology and processes in place to be able to detect if a breach occurs?
  • Do you have a breach response plan?

    Insurance

  • Is your existing insurance program based upon standard applications and policies or were risk mitigation initiatives discussed and considered with a view to enhancing coverage?