Apr 20, 201503:10 PMLegal Login
with Mindi Giftos
Keeping IT simple: How to start an effective IT risk management program
(page 1 of 2)
Information technology has transformed the way companies conduct business. In most companies, key business processes are driven by IT –– from accounting to sales, project management, human resources, and customer relationship management.
But what happens when the IT processes your business depends on fail? System failure, downtime, or loss of key data can halt your operations, affect profitability, and stall essential business practices long term. Taken a step further, your business may encounter legal exposure as a result of damage to your customers, vendors, business partners, or shareholders.
All companies, regardless of size, should take action to manage the legal risks arising from their increasing dependence on IT. The process need not be overwhelming; in fact, you can make significant progress by starting with one simple step –– implementing an IT compliance portal.
An IT compliance portal is a centralized location for the placement of key legal and technical documents that you will use to manage your IT legal risk. An IT compliance portal should include the following basic features:
- Key IT vendor agreements. Inventory your top-priority IT vendors, whether based on dollars spent or critical importance to your operations. Place the underlying contracts with these vendors in the portal. Review the list annually and update as appropriate with new contracts and amendments.
- Corporate IT policies. Every company should have written policies governing employee use of corporate technology. These policies include a company information systems policy, workstation security policy, mobile device policy, electronic monitoring policy, data security policy, and document retention/destruction policy. Given the rapid changes in technology, these policies should be updated periodically.
- Third-party IT assessment reports. Emerging laws across multiple industries (e.g., finance, banking, insurance, and health care) require that companies engage an independent third-party consultant to conduct security testing of the company’s IT environment. The requirement has become a common-sense practice for all types of businesses, regardless of industry. The consultant’s reports and follow-up remediation documents should be housed in the portal and revisited on an annual basis.
- Data security breach protocol. Almost every company now possesses sensitive, personally identifiable information, whether of employees or customers. State and federal laws increasingly require that companies maintain data security safeguards and report any data loss or breach involving personally identifiable information. The legal and regulatory exposure from data losses has grown exponentially in recent years and affects even the smallest of companies, which may find the financial losses of a data breach to be so significant as to result in insolvency of the company. A company should prepare in advance a legal protocol to follow in responding to a data breach to best ensure compliance with applicable laws and minimize resulting damages. The protocol should be placed in the portal to ensure easy access and a uniform approach if a data breach is suspected.
- Cyber risk/IT errors and omissions insurance. Every company should ensure that its insurance policies include coverage for cyber risk-related claims, such as loss of data or failure of IT systems. While this coverage was difficult to find five years ago, it is now readily available at a reasonable cost. Most insurers will offer this coverage through a cyber risk endorsement.
- Critical date manager. The portal should include functionality to allow for the tracking of important IT compliance dates on an annual basis. Important dates might include expiration of key software agreements (licenses), dates by which notice to renew key agreements must be delivered to a vendor, annual reminders for a third-party IT assessment, and annual reminders to review IT policies.