INSURANCE DATA SECURITY COMPLIANCE CHECKLIST
Created by ChecklistGuro (https://checklistguro.com)

--- DATA GOVERNANCE & POLICIES ---
[ ] Data Governance Framework Adopted? (COBIT, DAMA-DMBOK, Other - specify)
[ ] Summary of Data Governance Policy
[ ] Number of Data Stewards
[ ] Last Policy Review Date
[ ] Policy Access Method (Centralized Repository, Shared Drive, Intranet)
[ ] Describe Data Classification Scheme (classification levels and the handling rules attached to each)

--- ACCESS CONTROLS & AUTHENTICATION ---
[ ] Multi-Factor Authentication (MFA) Enabled? (Yes, No, Partial - list the systems without MFA)
[ ] Password Requirements? (Strong (minimum length enforced, screening against known-breached passwords; note that NIST SP 800-63B no longer recommends mandatory special characters or periodic forced rotation), Moderate, Weak/None)
[ ] Maximum Failed Login Attempts Before Lockout
[ ] Role-Based Access Controls (RBAC) Implemented? (Yes, No, Partial)
[ ] Last Review of Access Control Lists (ACLs)
[ ] Which user roles have access to sensitive data? (Underwriter, Claims Adjuster, Actuary, Customer Service, IT Support)

--- DATA ENCRYPTION & STORAGE ---
[ ] Encryption Method (Data at Rest) (AES-256, Triple DES (deprecated by NIST; plan migration), Other - specify below). Note: RSA is an asymmetric algorithm used for wrapping keys, not for bulk data encryption; record any RSA use under key management.
[ ] Encryption Method (Data in Transit) (TLS 1.3, TLS 1.2, TLS 1.0/1.1 or SSL 3.0 (deprecated and insecure; must be disabled), Other - specify below)
[ ] Key Rotation Frequency (Days)
[ ] Detailed Description of Encryption Key Management Process (key generation and storage, e.g. HSM or cloud KMS; who can access keys; rotation and revocation procedure)
[ ] Storage Type (Sensitive Data) (Cloud Storage (specify provider), On-Premise Storage, Hybrid Storage)
[ ] Storage Security Assessment Report (Optional)

--- DATA LOSS PREVENTION (DLP) ---
[ ] Number of DLP Rule Violations in Last 30 Days
[ ] DLP Product and Version in Use (record vendor, product and exact version, and whether it is the current supported release)
[ ] Data Types Protected by DLP Rules (select all that apply) (Personally Identifiable Information (PII), Financial Data, Health Information (PHI), Proprietary Information)
[ ] Summary of Recent DLP Incidents and Remediation Steps
[ ] DLP Rule Monitoring Frequency (Real-time, Hourly, Daily)
[ ] Upload Configuration File for DLP System

--- INCIDENT RESPONSE & RECOVERY ---
[ ] Date of Incident Detection
[ ] Time of Incident Detection
[ ] Detailed Description of the Incident
[ ] Incident Severity Level (Low, Medium, High, Critical)
[ ] Systems Affected (Claims System, Policy Administration System, Customer Database, Internal Network, External Website)
[ ] Containment Actions Taken
[ ] Estimated Number of Records Potentially Affected
[ ] Date of Incident Containment
[ ] Lessons Learned and Recommendations

--- THIRD-PARTY RISK MANAGEMENT ---
[ ] Vendor Security Assessment Completed? (Yes, No, In Progress)
[ ] Vendor Risk Score (1-100)
[ ] Last Security Assessment Date
[ ] Vendor Security Assessment Report
[ ] Contractual Security Requirements Defined? (Yes, No, N/A)
[ ] Summary of Vendor's Security Practices
[ ] Security Domains Covered in Assessment (Physical Security, Network Security, Data Encryption, Access Controls, Application Security)

--- COMPLIANCE & REGULATORY REQUIREMENTS ---
[ ] Applicable Regulations (select all that apply) (GDPR, CCPA, HIPAA, State-Specific Privacy and Insurance Data Security Laws (specify below, e.g. NYDFS 23 NYCRR Part 500), NAIC Model Laws (e.g. NAIC Insurance Data Security Model Law #668))
[ ] Specific State Laws Applied (if selected above)
[ ] Last Regulatory Compliance Training Date
[ ] Frequency of Regulatory Compliance Reviews (per year)
[ ] Recent Regulatory Audit Status (Pass, Conditional Pass, Fail)
[ ] Uploaded Documentation (e.g., Audit Reports, Compliance Certificates)

--- EMPLOYEE TRAINING & AWARENESS ---
[ ] Last Data Security Training Completion Date (Within Last 3 Months, 3-6 Months Ago, 6-12 Months Ago, Over 12 Months Ago)
[ ] Topics Covered in Data Security Training (Phishing Awareness, Password Security, Data Handling Procedures, Incident Reporting, Secure Remote Access)
[ ] Employee Name
[ ] Next Scheduled Data Security Refresher Date
[ ] Summary of Data Security Best Practices (Employee Confirmation)

--- VULNERABILITY MANAGEMENT & PATCHING ---
[ ] Vulnerability Scan Frequency (Days Between Scans)
[ ] Vulnerability Scanning Tool Used (Nessus, Qualys, Rapid7, Other)
[ ] Scanning Scope (check all that apply) (Production Servers, Development Servers, Databases, Network Devices)
[ ] Last Remediation Effort Completion Date
[ ] Percentage of Critical Vulnerabilities Remediated within SLA (state the SLA in days from detection)
[ ] Patch Deployment Methodology (Manual, Automated, Hybrid)

--- DATA MINIMIZATION & RETENTION ---
[ ] Maximum Data Retention Period (Years)
[ ] Data Destruction Method (Secure Erasure, Physical Destruction (e.g., Shredding), Decommissioning with Data Wipe; sanitization per NIST SP 800-88)
[ ] Last Data Retention Policy Review Date
[ ] Data Types Subject to Retention Limits (Customer PII, Claims Data, Policy Documents, Financial Records, Marketing Data)
[ ] Justification for Data Retention Periods (required where a period exceeds the regulatory minimum)

--- END OF TEMPLATE ---
Transform this text into a digital, automated, and trackable mobile app! Visit: https://checklistguro.com/templates/insurance/insurance-data-security-compliance-checklist (Click "Install Template" to launch your digital inspection tool immediately)