> Offshore  > Data Control Practices





InsuranceIsland has the largest number of public records for your insurance underwriting and Risk Management

Yes, you have a Choice with InsuranceIsland




Data control practices of vendor

  1. Procedures and Controls for handling Customer Specific data

  2. Data Security arrangements and controls

  3. Access controls (authentication, emergency access, etc)

  4. Network security

  5. Records management arrangements and controls

  6. Procedures to control and destroy hardcopy materials

  7. Security awareness and training programs

  8. Process to handle data security breaches


a. Procedures and controls for handling customer specific data

  1. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and systems to prevent employees from providing customer information to unauthorized individuals who seek it through fraudulent means;

  2. Access restrictions at physical locations containing customer information;

  3. Encryption of electronic customer information, including when in transit or in storage on systems where unauthorized individuals may have access;

  4. Procedures to ensure that customer information system modifications are consistent with an organization's information security program;

  5. Dual control procedures, segregation of duties and employee background checks for employees with access to customer information;

  6. Monitoring of systems and procedures to detect actual and attempted attacks on or intrusion into customer information systems;

  7. Response programs for when an organization suspects or detects that unauthorized individuals have gained access to customer information systems;

  8. Measures to protect customer information from destruction, loss or damage by environmental hazards or technological failure;

  9. Training for staff to implement the security program; and

  10. Regular testing of the key controls, systems and procedures of the security program.


b. Data Security arrangements and controls


This depends on classification that is put in polices according to sensitivity to loss or disclosure. We generally break down the sensitivity into 4 major classification and controls are depended on that.

  1. Sensitivity

  2. Confidential

  3. Private

  4. Public


c. Access controls (authentication, emergency access, etc)

We use below technique to provide Access control, this helps system to allow or deny access, direct influence or help secure the content.

  1. Mandatory Access Control

  2. Discretionary Access Control

  3. Lattice Based Access control

  4. Rules Based Access control

  5. Role Based Access control

  6. Access control list

  7. Constrained user Interface

  8. Capability Tables

  9. Content Dependent Access control


d. Network security

We follow ISO 270001 or FISMA/NIST or Gramm-Leach-Bliley Act (GLBA)based policies that is depend on the statement of applicability of the organization that requires access of the information over public and private network . The following main areas are covered in detail.

  1. Transmission Method

  2. Structures

  3. Transport Formats

  4. Availability

  5. Authentication

  6. Confidentially


e. Records management arrangements and controls

For this we follow ISO 9000:2001 policies and procedure (4.2 Document Control) depending on organization requirement.

  1. Specify Retention Requirements

  2. Ensures Proper Document Storage

  3. Provide for Easy Retrieval

  4. Retain Records as Specified

  5. Purge Outdated Records


f. Procedures to control and destroy hardcopy materials

Same as Question e. We follow ISO 9000s 4.2 document control procedure


g. Security awareness and training programs, if any

Since we have few ISO 27001 ISMS Auditors as staff we diligently train the staff frequently on Security awareness. Some of the training area covered are:


  1. Check references prior to hiring employees

  2. Employees sign confidentiality agreement

  3. Train employees to take basic steps (passwords, pretext calling, etc.)

  4. Regular reminders of policy and legal requirement to keep cdi confidential

  5. Limit access to those employees with a business reason for seeing it


h. Process to handle data security breaches


We follow simple three procedures: Preparation, Detection and Resolution 



  • Ensure that your incident response plan adequately addresses a data compromise scenario.

  • Confirm ownership of all areas of responsibility in the plan.

  • Maintain accurate, secure and up-to-date records of key customer, card and encryption data.

  • Educate consumers about reporting suspected fraud incidents to you promptly.

  • Develop an internal escalation policy for call center and customer support staff.

  • Establish criteria for reissuance.

  • Understand disclosure requirements for all states in which you do business.

  • Develop a communication plan for both internal and external audiences.

  • Develop relationships with law enforcement.

  • Evaluate consumer credit monitoring services, because offering these services to affected

  • customers is an increasingly common part of a recovery plan.



  • Determine that a security compromise has occurred.

  • Identify the point of fraud and point of compromise.

  • Quantify the number of compromised area and the potential loss.



  • Contain the loss.

  • Coordinate reissue tasks with card production and fulfillment vendors.

  • Report incident to appropriate external parties, including law enforcement.

  • Communicate the incident in a timely manner both internally and externally.

  • Evaluate how well your incident response plan performed and incorporate lessons learned into a new one.


2M Associates Copyright 2000 - 2008.   All Rights Reserved.