Most companies understand the importance of performing a security assessment on their data and operational systems. In many industries, specific standards require a security assessment on a regular basis to maintain compliance. Often these standards require that the company perform a security assessment on any supplier that may receive company data. Specific control areas in a security assessment may include:
- Information Security Management
- Physical Security
- Network Security Management
- Platform Security
- Remote and Mobile Access
- Change Control
- Identity and Access Management
- Application Security
A security assessment will often include a request to receive a copy of the company’s Business Continuity Plan (BCP). A company’s BCP should cover several elements related to security issues surrounding a company’s data and operational systems. In the event of an unplanned disruption or other emergency situation, the BCP will indicate how the company’s operations will recover and proceed.
Different Types of Regulations and Requirements
The Sarbanes-Oxley Act came into effect in 2002. Sarbanes-Oxley is a United States federal law. This law set new or expanded requirements for all U.S. public company boards, management, and public accounting firms. As a result, the law requires that a company’s top management individually certify the accuracy of financial information. Much of a company’s financial information is heavily dependent on technology and the associated data security controls, which must be part of a compliance review as noted in Section 404 of the Act. The law provides for harsher penalties for fraudulent financial activity. Sarbanes-Oxley also requires a stronger oversight role for boards of directors, and greater independence of outside financial statement auditors.
International Organization for Standardization
The International Organization for Standardization (ISO) creates and publishes International Standards that provide guidance and clear specifications to ensure a company’s products, materials, processes, and services are appropriate for their purposes. ISO publications include standards for Quality Management, Environmental Sustainability and Protection, and Management Performance.
General Data Protection Regulation
The European Union’s General Data Protection Regulation governs the processing of an EU resident’s personal data by an individual, a company, or an organization. This pertains to entities that do business within the region, or that provide services to individuals in the region. The rule provides people with more control over their personal data. For example, websites that collect data on visitors must let visitors know this. These websites must give visitors the option to opt out of such collection. Many additional laws have been passed in response to this new regulation, to provide local guidance on compliance. For example, in the United Kingdom, the Data Protection Act 2018 is a national law that complements the European Union’s General Data Protection Regulation.
TRUSTe Privacy Certification Standards
TRUSTe Privacy Certification Standards assist companies in establishing and maintaining strong privacy management practices. Compliance with TRUSTe demonstrates a company’s commitment to privacy protection in their online properties, customer and employee data management practices, and/or applicable regulatory frameworks.
For these and many other national, international, and industry regulations or requirements, a security assessment is necessary to ensure compliance. Companies that work with a Relocation Management Company (RMC) need to perform a security assessment of the RMC’s data and operational systems. Global Mobility Solutions’ team of global relocation experts believes the following 5 tips are essential to ensure an RMC’s compliance with a company’s security assessment.
5 Helpful Tips for Performing a Security Assessment on your RMC
1. Be Sure to Review the RMC’s Risk Rating and Access to Data During the Security Assessment
Your RMC should have a risk rating. The rating depends on the likelihood of an event occurring and on the severity of the impact if the event does occur. You should determine whether the RMC has limited or full access to data. Important data fields to review for risk during a security assessment include:
- Employee Name and Home Address
- Employee Phone Numbers and Email Address
- Family Member Contact Information
- Social Security Numbers
- Bank Name and Account Numbers
- Logistic Information Related to Relocations
- Travel Information Including Dates and Locations
2. Questionnaire Submission to RMC
Your company should have a document with several questions that will indicate the RMC’s compliance with the important points in a security assessment. Provide sufficient time for the RMC to complete the questionnaire. The RMC will need to work with its Information Technology department to answer many of these questions. Provide a contact from your company who can answer any questions the RMC may have about the document’s specific points.
3. Share Results of the Initial Security Assessment
Once the initial security assessment is complete, share the results with your RMC. Offer to work with the RMC to remediate any areas that require attention to ensure compliance. Partnering with the RMC helps ensure the solution fully addresses your company’s requirements. Note the specific regulatory requirements that your company must meet to help the RMC understand how they might reach compliance.
4. Share Results of the Final Security Assessment
Be sure to indicate all control gaps. Note all categories that require submission of a formal remediation plan. Include the specific dates and timelines that are critical for maintaining your company’s compliance with specific regulations. Provide guidance to the RMC on how to create and submit a remediation plan that will meet your company’s requirements.
5. Set Periodic Reviews for the Security Assessment
Working with the RMC, set a timeline for periodic reviews. Depending on your company’s specific regulatory compliance requirements, a security assessment may need to occur by date or by change in activity level. For example, if your company requests the RMC perform an additional service that requires sharing additional employee data, a review should be set to confirm the most recent security assessment is still valid.
Global Mobility Solutions’ team of global relocation experts has helped thousands of our clients understand how to conduct an effective security assessment on an RMC. We can help your company create and implement a security assessment to ensure compliance with all of your organization’s regulatory requirements.
GMS was the first relocation company to register as a “.com.” The company also created the first online interactive tools and calculators, and revolutionized the entire relocation industry. GMS continues to set the industry pace as the pioneer in innovation and technology solutions with its proprietary MyRelocation® technology platform.
Global Mobility Solutions is proud to be named and ranked #1 Overall, and #1 in Quality of Service by HRO Today’s 2019 Baker’s Dozen Customer Satisfaction Survey.
New SafeRelo™ COVID-19 Knowledge Portal
GMS recently launched its new SafeRelo™ COVID-19 Knowledge Portal featuring a number of helpful resources including:
- Curated selection of news and articles specific to managing relocation programs and issues relating to COVID-19
- Comprehensive guide to national, international, and local online sources for current data
- Program/Policy Evaluation (PPE) Tool for instant relocation policy reviews
Learn best practices from Global Mobility Solutions, the relocation industry and technology experts who are dedicated to keeping you informed and connected. Contact our experts online or give us a call at 800.617.1904 or 480.922.0700 today.