An assessment or audit is an evaluation of the company’s ability to maintain and communicate privacy and security policies and procedures that are compliant with applicable legal and contractual requirements. It evaluates the level of the company’s compliance with applicable laws. It also measures the employees’ awareness of privacy and security issues, and their understanding of the applicable laws, regulations, guidelines, standards, and jurisprudence.
The first step is to conduct an asset assessment where we identify the systems and data that need to be protected, and determine the data flows. Then we perform a risk assessment where we assess the legal and other obligations placed on the company, and the risks faced by the company with respect to these assets.
During a privacy / security assessment, we review the company's existing data privacy and security policies and practices in order to evaluate its compliance with applicable laws, such as the laws that protect financial information (GLBA and related regulations), health information (HIPAA, HITECH Act, and related regulations), or children's information (COPPA), or those that regulate unsolicited electronic communications.
We look at the different phases of the handling of personal data, from its collection to its use and disposal: for example, its use in connection with advertising and e-marketing, to ensure compliance with applicable anti-spam laws, and the disposal of records, to determine whether the company complies with the applicable document disposal laws, including state laws.
We review and evaluate the company's internal procedures and policies with respect to the creation, maintenance, use, and transfer of personal information databases for risk assessment and compliance purposes.
At the end of the engagement, we provide the client with an assessment report that describes our findings, the deficiencies, and the suggested course of action to address these deficiencies.