Utah Admin. Code R590-216-6 - Methods of Development and Implementation
(1) For purposes of risk assessment, a licensee may:
(a) identify reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
(b) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
(c) assess the sufficiency of policies, procedures, customer information systems, and other safeguards in place to control risks.
(2) For purposes of risk management and control, a licensee may:
(a) design its information security program to control the identified risks, consistent with the sensitivity of the information, as well as the complexity and scope of the licensee's activities;
(b) train staff to implement the licensee's information security program; and
(c) regularly test or otherwise monitor the key controls, systems, and procedures of the information security program, the frequency and nature of which shall be determined by the licensee's risk assessment.
(3) For purposes of service provider arrangement oversight, a licensee may:
(a) exercise due diligence in selecting its service providers; and
(b) require its service providers to implement appropriate measures designed to meet the objectives of this rule, and, where indicated by the licensee's risk assessment, take appropriate steps to confirm that its service providers have satisfied these obligations.
(4) For purposes of program adjustment, a licensee may monitor, evaluate, and adjust the information security program considering:
(a) any relevant change in technology;
(b) the sensitivity of its customer information;
(c) any internal or external threat to information; and
(d) the licensee's changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
(5) Subsections (1) through (4) are examples of implementation methods. A licensee may adopt other actions or procedures to implement Sections R590-216-4 and R590-216-5.