Statutes, codes, and regulations
Colorado Administrative Code
Department 700 - Department of Regulatory AgenciesDivision 702 - Division of InsuranceRule 3 CCR 702-6 - CONSUMER PROTECTION (GENERAL)
Regulation Regulation 6-4-2 - STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
Section 3 CCR 702-6-4-2-7 - Examples of Methods of Development and Implementation

3 Colo. Code Regs. § 702-6-4-2-7

Download
PDF
Current through Register Vol. 47, No. 7, April 10, 2024
Section 3 CCR 702-6-4-2-7 - Examples of Methods of Development and Implementation

The actions and procedures described in this section are examples of methods of implementation of the requirements of Sections 5 and 6 of this regulation. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement Sections 5 and 6 of this regulation.

A. Assess Risk. The licensee:
1. Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems;
2. Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
3. Assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.
B. Manage and Control Risk. The licensee:
1. Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities;
2. Trains staff, as appropriate, to implement the licensee's information security program; and
3. Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.
C. Oversee Service Provider Arrangements. The licensee:
1. Exercises appropriate due diligence in selecting its service providers; and
2. Requires its service providers to implement appropriate measures designed to meet the objectives of this regulation and, where indicated by the licensee's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.
D. Adjust the Program

The licensee monitors, evaluates and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.

3 CCR 702-6-4-2-7

38 CR 18, September 25, 2015, effective 10/15/2015
39 CR 01, January 10, 2016, effective 2/1/2016
40 CR 24, December 25, 2017, effective 1/14/2018
41 CR 08, April 25, 2018, effective 6/1/2018