Current through 2022-48, November 30, 2022
Section 031-980-6 - Examples of Methods of Development and Implementation
The actions and procedures described below are examples of methods of implementation of the requirements of Sections 4 and 5 of this Rule. These examples are non-exclusive illustrations of actions and procedures that regulated insurance entities may follow to implement Sections 4 and 5 of this Rule.

A. Assessing Risk.

The regulated insurance entity:

(1) Identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;

(2) Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and

(3) Assesses the sufficiency of policies, procedures, customer information systems, and other safeguards in place to control risks.

B. Managing and Controlling Risk.

The regulated insurance entity:

(1) Designs its information security program to control the identified risks, commensurate with the sensitivity of the information and the complexity and scope of the regulated insurance entity's activities;

(2) Trains staff, as appropriate, to implement the regulated insurance entity's information security program; and

(3) Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the regulated insurance entity's risk assessment.

C. Overseeing Service Provider Arrangements.

The regulated insurance entity:

(1) Exercises appropriate due diligence in selecting its service providers; and

(2) Requires its service providers to implement appropriate measures designed to meet the objectives of this Rule, and, where indicated by the regulated insurance entity's risk assessment, takes appropriate steps to confirm that its service providers have satisfied these obligations.

D. Adjusting the Program.

The regulated insurance entity monitors, evaluates, and adjusts, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the regulated insurance entity's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.
02-031 C.M.R. ch. 980, § 6