Current through Register Vol. 30, No. 49, December 6, 2024
Section R20-6-2104 - Guidelines for Methods of Development and ImplementationA licensee may implement the requirements of R20-6-2102 and R20-6-2103 by the actions and procedures prescribed in this Section, which are non-exclusive illustrations:
1. A licensee may assess risk by:a. Identifying reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;b. Assessing the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; andc. Assessing the sufficiency of policies, procedures, customer information systems, and other safeguards in place to control risks.2. A licensee may manage and control risk by: a. Designing its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities;b. Training staff to implement the licensee's information security program; andc. Regularly testing or otherwise regularly monitoring the key controls, systems and procedures of the information security program. The licensee shall determine the frequency and nature of these tests or other monitoring practices by the licensee's risk assessment.3. A licensee may oversee service provider arrangements by:a. Exercising appropriate due diligence in selecting its service providers; andb. Requiring its service providers to implement measures designed to meet the objectives of this Article, and, where indicated by the licensee's risk assessment, taking appropriate steps to confirm that its service providers have satisfied these obligations.4. A licensee may monitor, evaluate, and adjust, as appropriate, its information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.Ariz. Admin. Code § R20-6-2104
New Section made by final rulemaking at 10 A.A.R. 2260, effective July 13, 2004 (Supp. 04-2).