23 - Privacy / Electronic Media Controls
Most companies engage in electronic and internet media activities. If proper controls are not instituted, these activities can present significant risks to an organization. The controls must be adequate for the types of exposure involved (discussed in another risk factor: Advertising and electronic media), which range from data and information security breaches to viruses and identity theft.
What do we look for?
- No policy on internet and electronic media.
- No or limited system protection in place.
- No legal review of contracts for compliance and security.
- Lack of awareness of IT risks.
- Comprehensive IT security policy in place.
- Up-to-date systems protection, including passwords, virus protection, firewalls, encryption of critical data in transmission and storage, security updates and patches, etc.
- Awareness training for management and employees.
- Implement a comprehensive IT security policy that is appropriate to the level of electronic data and internet media exposure.
- Provide IT security awareness training to management and employees.
- Data Protection Act 1984 - UK
- FPA RC3-3 electronic equipment – protection of data & software.