Personnel will guard against confidential information being verbally exposed to customers, disinterested personnel or others who do not have a business reason for having access to the information. For example, to the extent practical, personnel will not discuss files on the telephone or with others whenever unauthorized persons are within earshot.
Personnel will guard against confidential information being visually exposed to customers, disinterested personnel or others who do not have a business reason for having access to the information. For example, to the extent practical, personnel will keep files closed and keep paperwork face-down on the desk. At the end of the workday and to the extent practical, personnel will remove paperwork, files and other confidential items from the desk and workspace and place these items in a file cabinet, desk or other, more-secure location.
Confidential data may be accessed only by personnel with a legitimate business need for that data. When appropriate and to meet industry standards, the Company will strive to prevent inappropriate access to confidential data by utilizing physical controls, software controls, hardware controls, training and personnel screening.
When appropriate, personnel will lock doors, cabinets, filing cabinets, etc., that contain confidential data. Alarm systems will be set nightly. Documents with confidential data will be shredded when no longer utilized. Breaches of physical controls will be investigated.
All of the Company’s various computer systems that contain confidential data will be safeguarded with software controls. All personnel will be assigned an appropriate level of access to the Company’s various computer systems. All personnel will be required to use a unique user ID and secure password to access the Company’s various computer systems. Repeated failed attempts to gain access to information will result in an automatic timeout. Breaches of software controls will be investigated.
Hardware controls such as routers and firewalls will be utilized when appropriate. Breaches of hardware controls will be investigated.
Vendor management
Contracts with vendors that receive or have access to confidential customer information will include a contractual obligation that the vendor must comply with this policy or with similar confidentiality restrictions. Examples of vendors with whom the company should be concerned include accountants, attorneys, network/computer consultants, cleaning personnel, etc.
Incident responses to security breaches
A security breach will be considered to have occurred whenever it is confirmed or suspected that one or more customers’ confidential data have been made available to the general public. For each security breach, the Information Security Officer will determine whether one or more of the following may be appropriate: 1. notify the customer; 2. notify law enforcement agencies; 3. discipline personnel; and/or 4. make changes to Company policies or practices.
Training
At their start date and at least annually thereafter, all personnel will receive information and/or training on the issues discussed in this policy.
Noncompliance with policy
Noncompliance with this policy may result in immediate termination. If applicable, noncompliance may result in a criminal referral to federal and other authorities.
To summarize: Be sure that you are providing a privacy notice that represents your company’s actual practices. And adopt an information-security program — and enforce it.
James D. Russell, CPA, is the managing partner of MTG Consult and can be reached at www.mtgconsult.com, james@mtgconsult.com or (512) 328-1777. The author is not an attorney, and this article is not intended as legal advice. You should obtain an attorney for any legal advice.