Technology Diligence
In addition to considering product, organization, business value drivers, applications and infrastructure, each technology diligence exercise should consider security.
Security concerns include:
Regulatory Demands
To what regulatory demands is the target subjected?
Common requirements include:
– HIPAA – Health Insurance Portability and Accountability Act
– PCI – Payment Card Industry Security Standards Council
– FISMA – Federal Information Security Management Act
– GLBA – Gramm-Leach-Bliley Act
– ISO 27001
– SOC 2 Privacy – Covering personally identifiable information handling
– SOC 1 – Service organization
Content and Location
What data do we receive or collect (with and without consent), and how is it stored?
Health, financial and personally identifiable information is highly sensitive and is often received through numerous channels. The information is stored in various formats, including paper, email, fax, application and web.
How can data stored on paper be secured?
Are email and application databases stored locally or on a cloud provider network?
Segregation
How is the data physically and logically segregated?
If data is stored locally, how is it segregated at the application and network level?
Controls
Preventive and detective controls should be considered, primarily:
– logical and physical access
– encryption
– change control
– backup
– disaster recovery
– destruction
Service Level Agreement
Is a service level agreement in place for third party providers, including uptime standards, recovery standards and controls?
Other Considerations
Adequate insurance coverage
Potential legal, public relations, branding and customer impacts
Backup, disaster recovery and ability to continue operations
Management buy-in and adherence