Data Security Strategy
April 1, 2011
1. Obtain an understanding of the data security strategy.
Identify the financial institution’s approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss). Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution’s strategic and business objectives.
Consider whether policies and procedures address the protections for data that is sent outside the institution. Identify processes to periodically review data sensitivity and update corresponding risk assessments.
2. Verify that data is protected consistent with the financial institution’s risk assessment.
Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment.
Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction.
Review audit and security review reports that summarize whether data is protected consistent with the risk assessment.
3. Determine whether individual and group access to data is based on business needs.
4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors.
www.bestitdocuments.com