Contingency Plan – procedures designed to ensure the ability to continue operations in the event of an emergency, such as a data backup plan, disaster recovery plan, and emergency mode operation plan.102
Incident Response Plan – a plan for taking responsive actions in the event the company suspects or detects that a security breach has occurred, including ensuring that appropriate persons within the organization are promptly notified of security breaches, and that prompt action is taken both in terms of responding to the breach (e.g., to stop further information from being compromised and to work with law enforcement), and in terms of notifying appropriate persons who may be potentially injured by the breach.103
Oversee Third Party Service Provider Arrangements
In today’s business environment, companies often rely on third parties, such as outsource providers, to handle much of their data. When corporate data is in the possession and under the control of a third party, this presents special challenges for ensuring security.
Laws and regulations imposing information security obligations on businesses often expressly address requirements with respect to the use of third party outsource providers. And first and foremost, they make clear that regardless of who performs the work, the legal obligation to provide the security itself remains with the company. As it is often said, “you can outsource the work, but not the responsibility.” Thus, third party relationships should be subject to the same risk management, security, privacy, and other protection policies that would be expected if a business were conducting the activities directly.104
Accordingly, the developing legal standard for security imposes three basic requirements on businesses that outsource: (1) they must exercise due diligence in selecting service providers,105 (2) they must contractually require outsource providers to implement appropriate security measures,106 and (3) they must monitor the performance of the outsource providers.107
102 HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(7)
103 Ziff Davis Assurance of Discontinuance, Paras. 24(d) and 26, pp. 5,6; HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(6)(i); GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part III.C
104 See, e.g., Office of the Comptroller of the Currency, Administrator of National Banks, OCC Bulletin 2001-47 on Third Party Relationships, November 21, 2001 (available at www.OCC.treas.gov/ftp/bulletin/2001-47.doc).
105 See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.D(1)
106 See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.D(2); HIPAA Security Regulations, 45 C.F.R. Section 164.308(b)(1) and 164.314(a)(2)
107 GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part II.D(3).