A licensee shall conduct a risk assessment, which must: (1) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. (2) Assess the likelihood and potential damage of threats, taking into consideration the sensitivity of the nonpublic information. (3) Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage threats in each relevant area of the licensee's operations, including: (i) Employee training and management. (ii) Information systems, including network and software design and information classification, governance, processing, storage, transmission and disposal. (iii) Detection, prevention and response to attacks, intrusions or other system failures. (4) Implement information safeguards to manage the threats identified in its ongoing assessment. (5) At least annually, assess the effectiveness of the safeguards' key controls, systems and procedures.
‹ Prev All Pennsylvania sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.