2016 Data Protection Minimum Checklist: What to Ask Your Vendor if We Were You

Last week I wrote about the Absolute Basics of Protecting Data for 2016. If protecting data isn’t your area of expertise, luckily it’s ours. Here’s a checklist of the minimum things you should ask your vendors in 2016 about how they are protecting your data and the answers you should be getting back.

  1. What encryption technologies and key sizes do you use to protect my data? Who has access to the encryption keys? Answer: Encryption technologies become outdated over time; however, the current minimum your vendor should be using is AES with 128- or 256-bit keys. The only people who should have access to the encryption keys are full-time employees at your vendor, or better still, only management.
  2. Is my data protected at rest? How is it protected? Answer: The answer had better be yes, using encryption.
  3. Is my data protected in transit? How is it protected? Answer: The answer had better be yes, using encryption.
  4. Is your solution compliant with <insert your regulation, standard or state data protection laws>, and if so, how? Answer: This one depends on the regulatory context, but in general you should ask for proof of technical processes and controls in the form of documentation. Most regulations, standards and state laws require, at minimum, that entities document their controls. If your vendor can't provide this, it's unlikely they are compliant.
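Items 1 and 2 above say what to expect in words; the following is an added example (not code from the original post or from any vendor) of what "data at rest protected with AES-128 or AES-256" looks like in practice. It uses Go's standard-library AES-GCM, which authenticates as well as encrypts, so a stored record that has been modified fails to decrypt instead of silently yielding garbage. The `allowedKeySizes` table, the `Seal`/`Open` function names and the sample record are assumptions for this example; the example enforces exactly the two key sizes the checklist names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Key sizes the checklist accepts, in bytes: 16 (AES-128) and 32 (AES-256).
// This table is an assumption of the example, mirroring item 1 of the checklist.
var allowedKeySizes = map[int]string{16: "AES-128", 32: "AES-256"}

// KeyLabel returns the AES variant for a key, or an error if its size is not on the checklist.
func KeyLabel(key []byte) (string, error) {
	name, ok := allowedKeySizes[len(key)]
	if !ok {
		return "", fmt.Errorf("key size %d bits is not AES-128 or AES-256", len(key)*8)
	}
	return name, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if _, err := KeyLabel(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record for storage. Output layout: nonce || ciphertext || GCM tag.
// A fresh random nonce per record is required; reusing one under the same key breaks GCM.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored record and fails if any byte of it was altered.
func Open(key, record []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize() {
		return nil, errors.New("record too short to contain a nonce")
	}
	nonce, ct := record[:aead.NonceSize()], record[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// 32-byte key: AES-256. In production the key lives in a KMS/HSM, never beside the data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := Seal(key, []byte("customer record (constructed sample)"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, rec)
	fmt.Println("decrypted:", string(pt), err)
	rec[len(rec)-1] ^= 0x01 // flip one bit of the stored record
	_, err = Open(key, rec)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The key-size check is the part that maps onto the checklist question: a vendor answering "AES" should also be able to say which key size, and a 192-bit or odd-sized key is rejected here because the checklist only names 128 and 256. The second half of item 1, who holds the key, is a process question the code cannot answer; the comment in `main` marks where that boundary sits.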

There is always more that vendors can do to protect your data. The above is the absolute minimum they should be doing, so make sure they are at least doing that.