WISP


External Risk Mitigation: Protecting PII from Security Threats


How to Use Effective Strategies for Mitigating External Risks to PII Security

Discover proven strategies for external risk mitigation to safeguard Personally Identifiable Information (PII) from cyber threats and unauthorized access. Our approach combines secure user authentication, network protection policies, and data encryption to preserve the confidentiality and integrity of sensitive information. Learn how to implement robust safeguards and stay compliant with industry standards while protecting your business from external security threats.

Attributes of Key Policies and Best Practices for External Risk Mitigation

External Risk Mitigation: Safeguarding PII from External Threats

To address external threats that could compromise the security, confidentiality, or integrity of records containing Personally Identifiable Information (PII), the firm has established comprehensive policies and procedures. These measures aim to strengthen existing safeguards and address potential vulnerabilities.


Network Protection Policy

  1. Firewall and Software Security
    • Firewalls, operating system security patches, and all relevant software must be up to date on any device accessing the firm’s network, including third-party devices.
    • Anti-virus, anti-malware, and internet security software must be current and installed on all systems storing or processing PII.
  2. Secure User Authentication
    • Implement secure protocols for user authentication, including:
      • Username ID and password management.
      • Two-Factor Authentication (2FA) for enhanced security.
      • Strong password requirements, such as a mix of upper and lower-case letters, numbers, and special characters, with a minimum length of 8 characters.
      • Mandatory password changes every 90 days or sooner if necessary.
      • Exclusive use of firm-related passwords, separate from personal credentials.
  3. Monitoring and Logging
    • Continuous monitoring for unauthorized access to PII.
    • Event logging enabled on all systems containing PII, with logs reviewed at least once every 90 days, at unannounced times, by the Data Security Coordinator (DSC) or IT partner.
  4. Firewall Management
    • Maintain a secured firewall between the internet and the internal network, updated per vendor recommendations. Software-based firewalls must also be enabled on workstations.
  5. Operating System Updates
    • Continuously review and install OS patches and security updates. A thorough security review will be conducted every 30 days by the DSC.

User Access Control Policy

  1. Two-Factor Authentication (2FA)
    • All remote logins require 2FA, using tools like Google Authenticator or Duo.
  2. Unique User Passwords
    • No shared passwords are permitted for accessing the network, software, or other systems. Users can change their passwords without disclosing them to others.
  3. Regular Password Refresh
    • Passwords must be updated at least every 90 days, with accelerated updates as warranted.
  4. Password Management Tools
    • If password utilities like LastPass are used, the DSC ensures:
      • Secure, encrypted storage of credentials.
      • 2FA for new device authentication.

Electronic Exchange of PII Policy

  1. Secure Data Transmission
    • PII must not be shared via email in unprotected formats. Encryption or password protection is mandatory. Passwords should be shared through separate channels, such as SMS or phone calls.
  2. Password-Protected Portals
    • Secure portals may be used for PII exchange with DSC approval.
  3. Device Encryption
    • External drives, including USB devices, must be encrypted with a full-disk encryption tool such as Microsoft BitLocker (BitLocker To Go for removable media), so that files on a lost or stolen drive cannot be read.

Wi-Fi Access Policy

  1. Secure Wireless Networks
    • Firm Wi-Fi must use strong encryption (WPA2 or WPA3) and require a password. Guest Wi-Fi must operate on a separate network with no access to systems containing PII.
  2. Securing Smart Devices
    • Default passwords for devices like printers, smart TVs, and other IoT equipment must be changed. Devices without this capability must be disabled or replaced.

Remote Access Policy

  • Remote access tools must encrypt both traffic and authentication credentials.
  • Remote access is prohibited during unmonitored hours, such as nights and weekends.
  • 2FA is mandatory for all remote access sessions.
  • The DSC and IT contractor must approve all remote access tools.
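The Monitoring and Logging item above requires event logs on PII systems to be reviewed, and the Remote Access Policy states what those reviews should catch: sessions without 2FA and sessions during unmonitored hours. The script below is an added example, not part of the firm's plan, showing one way the DSC or IT partner could automate that review. It assumes a simple "timestamp event key=value" log format, a monitored window of 07:00-19:00 on weekdays, and a threshold of five failed logins from one source within ten minutes as the signal for an unauthorized access attempt; the sample log lines are constructed for the example and use documentation IP ranges.

```python
"""Review remote-access event logs against the Remote Access and
Monitoring policies: every remote session must use 2FA, none may occur
during unmonitored hours, and bursts of failed logins are flagged as
possible unauthorized access attempts.

The log format, the monitored-hours window, and the failure threshold are
assumptions made for this example; adapt them to the tools actually in use.
"""
from collections import defaultdict
from datetime import timedelta, datetime

# Assumed monitored window: Monday to Friday, 07:00-19:00 local time.
MONITORED_START = 7
MONITORED_END = 19
# Assumed brute-force threshold: 5 failures from one source within 10 minutes.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample log (not real data); 2024-03-11 is a Monday, 2024-03-16 a Saturday.
SAMPLE_LOG = """
2024-03-11T09:12:44 remote_login user=jsmith src=203.0.113.7 mfa=yes result=success
2024-03-11T22:15:03 remote_login user=jsmith src=203.0.113.7 mfa=yes result=success
2024-03-12T03:00:01 remote_login user=admin src=192.0.2.55 mfa=no result=failure
2024-03-12T03:00:11 remote_login user=admin src=192.0.2.55 mfa=no result=failure
2024-03-12T03:00:21 remote_login user=admin src=192.0.2.55 mfa=no result=failure
2024-03-12T03:00:31 remote_login user=admin src=192.0.2.55 mfa=no result=failure
2024-03-12T03:00:41 remote_login user=admin src=192.0.2.55 mfa=no result=failure
2024-03-12T10:02:10 remote_login user=mlee src=198.51.100.4 mfa=no result=success
2024-03-12T10:05:00 file_access user=mlee path=/pii/clients.xlsx
2024-03-16T11:30:00 remote_login user=mlee src=198.51.100.4 mfa=yes result=success
""".splitlines()


def parse_line(line):
    """Parse one 'TIMESTAMP event key=value ...' record into a dict."""
    parts = line.split()
    rec = {"ts": datetime.fromisoformat(parts[0]), "event": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def is_unmonitored(ts):
    """True on weekends or outside the monitored window on weekdays."""
    if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (MONITORED_START <= ts.hour < MONITORED_END)


def review(lines):
    """Return (timestamp, user, source, finding) tuples for policy violations."""
    findings = []
    failures = defaultdict(list)  # source address -> recent failure timestamps
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] != "remote_login":
            continue  # only remote sessions are in scope for these checks
        ts, user, src = rec["ts"], rec.get("user", "?"), rec.get("src", "?")
        if rec.get("result") == "failure":
            # Keep only failures inside the sliding window, then flag on the Nth.
            failures[src] = [t for t in failures[src] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[src]) == FAIL_THRESHOLD:
                findings.append((ts, user, src, "repeated login failures"))
            continue
        # A missing mfa field is treated as no 2FA (fail closed).
        if rec.get("mfa") != "yes":
            findings.append((ts, user, src, "remote session without 2FA"))
        if is_unmonitored(ts):
            findings.append((ts, user, src, "remote access during unmonitored hours"))
    return findings


if __name__ == "__main__":
    for ts, user, src, finding in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}@{src}: {finding}")
```

Run on the sample log, the script reports four findings: an after-hours session, a burst of failed logins against the admin account, a session without 2FA, and a weekend session. Failed attempts are counted per source address rather than per user so that password-spraying across several usernames from one host is still caught.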

Connected Devices Policy

  1. Device Security Reviews
    • Any new devices connecting to the network must undergo a security review, ensuring compliance with login and security patch standards.
  2. AutoRun Features
    • Disable AutoRun for USB and optical drives so that software on inserted media cannot execute or install automatically.
  3. Data Disposal
    • Hard drives and memory devices must be erased or destroyed when decommissioned to ensure no residual data remains.
  4. Anti-Virus Protection
    • Approved, licensed anti-virus software must be updated continuously. Weekly tests will confirm the system’s protection is current.

Information Security Training Policy

  • Employees will receive annual training on the firm’s security protocols for PII, covering both paper and electronic records.
  • New employees must complete training before accessing PII.
  • Refresher courses and reviews will ensure all employees adhere to security standards.
  • Non-compliance with these policies may result in disciplinary action.

These policies collectively mitigate risks from external threats, ensuring the security and integrity of the firm’s PII while meeting regulatory standards.

 

External Risk Mitigation Checklist

Each policy below is signed off by the Firm and the Data Security Coordinator, with its status marked as Ongoing, Done, or N/A and the date of review recorded. The policy requirements are as stated in the sections above.

Policy                               | Ongoing | Done | N/A | Firm | Data Security Coordinator | Date
Network Protection Policy            |         |      |     |      |                           |
User Access Control Policy           |         |      |     |      |                           |
Electronic Exchange of PII Policy    |         |      |     |      |                           |
Wi-Fi Access Policy                  |         |      |     |      |                           |
Remote Access Policy                 |         |      |     |      |                           |
Connected Devices Policy             |         |      |     |      |                           |
Information Security Training Policy |         |      |     |      |                           |
Additional items (1-10)              |         |      |     |      |                           |





Contact us about a Written Data Security Plan for payment processing

Our office

Today Payments Merchant Services
2305 Historic Decatur Road, Suite 100
San Diego, CA 92106