Sec.38a-8-126. Developing and implementing an information security program


  • The actions and procedures described in this section are examples of methods of implementation of the requirements of section 38a-8-125 of the Regulations of Connecticut State Agencies. These examples are non-exclusive illustrations of actions and procedures that licensees may follow to implement section 38a-8-125 of the Regulations of Connecticut State Agencies.

    (1) The licensee identifies reasonably foreseeable internal or external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems. The licensee assesses the likelihood and potential damage of the risks presented by the threats it has identified, taking into consideration the sensitivity of customer information. The licensee assesses the sufficiency of the policies and procedures it has in place to control the risks it has identified.

    (2) The licensee designs its information security program to control the identified risks, commensurate with the sensitivity of the information and the complexity and scope of the licensee's activities. The licensee trains staff, as appropriate, to implement the licensee's information security program and regularly tests or otherwise regularly monitors the key controls, systems and procedures of its information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment.

    (3) The licensee exercises due diligence in selecting service providers, and requires its service providers to implement measures designed to meet the objectives of section 38a-8-125 of the Regulations of Connecticut State Agencies and takes appropriate steps to confirm that its service providers have done so.

    (4) The licensee monitors, evaluates and adjusts, as appropriate, its information security program to reflect any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to its customer information systems.

(Adopted effective January 1, 2004)