W. Va. Code R. § 114-62-5

Current through Register Vol. XLI, No. 50, December 13, 2024
Section 114-62-5 - Methods of Development and Implementation
5.1. The actions and procedures set forth in this section are nonexclusive examples of methods a licensee may use to implement the requirements of sections three and four of this rule.
5.2. The licensee assesses risk by:
a. Identifying reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems;
b. Assessing the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and
c. Assessing the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks.
5.3. The licensee manages and controls risk by:
a. Designing its information security program to control the identified risks, commensurate with the sensitivity of the information and the complexity and scope of the licensee's activities;
b. Training staff, as appropriate, to implement the licensee's information security program; and
c. Regularly testing or otherwise regularly monitoring the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices shall be determined by the licensee's risk assessment.
5.4. The licensee oversees service provider arrangements by:
a. Exercising appropriate due diligence in selecting its service providers; and
b. Requiring its service providers to implement appropriate measures designed to meet the objectives of this rule, and, where indicated by the licensee's risk assessment, taking appropriate steps to confirm that its service providers have satisfied these obligations.
5.5. The licensee monitors, evaluates and adjusts, as appropriate, its information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

W. Va. Code R. § 114-62-5