In addition to considering product, organization, business value drivers, applications and infrastructure, each technology diligence should consider security.

Security concerns include:

Regulatory Demands

To what regulatory demands is the target subjected?

Common requirements include:

HIPAA – Health Insurance Portability and Accountability Act, PCI – Payment Card

Industry Security Standards Council, FISMA – Federal Information Security Management Act, GLBA – Graham-Leach-Bliley Act, ISO 27001, SOC 2 Privacy – Covering personally identifiable information handling, SOC 1 – Service organization

Content and Location

What data do we receive or collect (with and without consent), and how is it stored?

Health, financial and personally identifiable information is highly sensitive, and is often received through numerous channels. The information is stored in various formats, including: paper, email, fax, application and web.

How can data stored on paper be secured?

Are email and application databases stored locally or on a cloud provider network?

Segregation

How is the data physically and logically segregated?

If data is stored locally, how is it segregated at the application and network level?

Controls

Preventive and detective controls should be considered, primarily:

– logical and physical access

– encryption, change control

– backup

– disaster recovery

– destruction

Service Level Agreement

Is a service level agreement in place for third party providers, including uptime standards, recovery standards and controls?

Other Considerations

Adequate insurance coverage

Potential legal, public relations, branding and customer impacts

Backup, disaster recovery and ability to continue operations

Management buy-in and adherence

At Greenwood, we assess technology products, applications and infrastructure – focusing on future trends, security, compliance, scalability, capital and operating expenditures and value creation opportunities.