Step 7. Preparedness for Information Security Incidents.

Developing a proper data breach response plan should be an integral part of your information security policy. Once an information security incident is discovered and confirmed, an investigation to determine the scope and impact of the breach must be conducted and documented, and the recovery plan and damage control measures must be implemented. In some data breach cases, affected data subjects and government agencies must be notified. Preparing early to document post-incident efforts adequately, in compliance with government regulations, is recommended.

Step 8. Address Vulnerabilities Without Delay.

Government regulators do not expect recommendations for information security measures and testing for known vulnerabilities to apply to all businesses uniformly. Businesses with more financial and human resources will be able to do more. Information security programs should be tailored to the size, scope, and type of business, the amount of data that is collected and stored, and the level of sensitivity of the personally identifiable information (“PII”) involved. Business enterprises with large repositories of sensitive information should be prepared to allocate more resources to protect their PII assets. One of the lessons learned from past Federal Trade Commission enforcement actions over inadequate information security is that, following a data breach, businesses must adjust their information security programs and address identified vulnerabilities without unreasonable delay. Failure to address such vulnerabilities promptly may attract unwanted attention from government regulators.

To read more, see the Intro to 12 Steps blog:


“Step 9” coming soon…