The following actions and procedures are examples of methods of implementation of the requirements of Rules 69O-128.032 and 69O-128.033, F.A.C. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement Rules 69O-128.032 and 69O-128.033, F.A.C.

(1) Assess Risk. The licensee:

(a) Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, transmission, or destruction of customer information or customer information systems;

(b) Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and,

(c) Assesses the sufficiency of policies, procedures, customer information systems, and other safeguards in place to control risks.

(2) Manage and Control Risk. The licensee:

(a) Designs its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the licensee's activities;

(b) Trains staff as appropriate to implement the licensee's information security program; and,

(c) Regularly tests or otherwise regularly monitors the key controls, systems, and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

(3) Oversee Service Provider Arrangements. The licensee:

(a) Exercises appropriate due diligence in selecting its service providers; and,

(b) Requires its service providers to implement appropriate measures designed to meet the objectives of this rule; and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

(4) Adjust the Program. The licensee monitors, evaluates, and adjusts as appropriate the information security program in light of any relevant changes in:

(a) Technology;

(b) The sensitivity of its customer information;

(c) The volume of its customer information;

(d) Internal or external threats to information; and,

(e) The licensee's own changing business arrangements, such as:

1. Mergers and acquisitions;

2. Alliances and joint ventures;

3. Outsourcing arrangements; and,

4. Changes to customer information systems.