PUBLIC TRANSIT DATA SECURITY & PRIVACY AUDIT CHECKLIST
Created by ChecklistGuro (https://checklistguro.com)

--- DATA INVENTORY & CLASSIFICATION ---
[ ] Description of Data Collected (e.g., Fare Payment, Passenger Count, Vehicle Location)
[ ] Data Sensitivity Level (Personally Identifiable Information (PII), Operational, Financial, Public)
[ ] Estimated Number of Records
[ ] Data Storage Location (On-Premise, Cloud)
[ ] Date of Last Data Inventory Review
[ ] System/Application Associated with Data

--- ACCESS CONTROLS & PERMISSIONS ---
[ ] Authentication Method Used (Password Only, Multi-Factor Authentication (MFA), Biometric Authentication, Certificate-Based Authentication)
[ ] Least Privilege Principle Applied? (Yes, No, Partially Implemented)
[ ] Number of Users with Admin Access
[ ] Date of Last Access Control Review
[ ] Description of User Access Request Process
[ ] Roles with Access to PII Data (Operations, Finance, Marketing, IT, HR)
[ ] Is Role-Based Access Control (RBAC) in Place? (Yes, No)

--- DATA ENCRYPTION & STORAGE ---
[ ] Encryption Method at Rest (AES-256, Triple DES, RSA, Other (Specify in Long Text))
[ ] If 'Other' encryption method selected, please specify:
[ ] Encryption Method in Transit (TLS 1.2 or higher, SSL 3.0, Other (Specify in Long Text))
[ ] If 'Other' encryption method selected, please specify:
[ ] Key Rotation Frequency (in Days)
[ ] Key Storage Location (Hardware Security Module (HSM), Software-Based Key Management, Cloud-Based Key Management Service)
[ ] Proof of Encryption Configuration (e.g., screenshot of configuration)
[ ] Data Masking Techniques Used (Select all that apply) (Redaction, Tokenization, Pseudonymization, None)

--- THIRD-PARTY VENDOR MANAGEMENT ---
[ ] Vendor Data Security Assessment Completed? (Yes, No, N/A)
[ ] Summary of Vendor's Data Security Practices (as documented)
[ ] Vendor's Data Security Questionnaire Response
[ ] Contract Includes Data Security Requirements? (Yes, No, N/A)
[ ] Vendor's Security Certification Level (e.g., SOC 2, ISO 27001; numerical rating)
[ ] Date of Last Vendor Security Audit
[ ] Description of Data Processing Agreement (DPA): Purpose, Scope, Responsibilities

--- INCIDENT RESPONSE PLAN & PROCEDURES ---
[ ] Severity Level Assigned (1-5, 5 being critical)
[ ] Detailed Description of the Incident
[ ] Date of Incident
[ ] Time of Incident
[ ] Initial Containment Actions Taken
[ ] Systems Affected (Select all that apply) (Passenger Ticketing System, Fleet Management System, Customer Database, Financial Systems, Security Camera Network, Website/Mobile App, Other (Specify in Long Text))
[ ] Communication Plan Activation (who was notified and when)
[ ] Incident Status (New, In Progress, Containment Complete, Eradication Complete, Recovery Complete, Closed)

--- DATA RETENTION & DISPOSAL ---
[ ] Data Retention Period (Years)
[ ] Data Disposal Method (Secure Deletion, Data Sanitization (Degaussing/Overwriting), Physical Destruction (e.g., Shredding, Incineration))
[ ] Last Data Disposal Review Date
[ ] Justification for Data Retention Period
[ ] Data Disposal Certification (e.g., from vendor)
[ ] Compliance with Legal Hold Requirements (Yes, No, N/A)

--- PRIVACY POLICY & TRANSPARENCY ---
[ ] Summary of Data Collection Practices
[ ] Is the Privacy Policy readily accessible on the website? (Yes, No)
[ ] Is the Privacy Policy available in multiple languages (if applicable)? (Yes, No, N/A)
[ ] Description of User Rights (e.g., access, correction, deletion)
[ ] Is a contact person/department listed for privacy inquiries? (Yes, No)
[ ] Contact Email/Phone for Privacy Inquiries
[ ] Explanation of Data Sharing Practices (with whom and why)

--- COMPLIANCE WITH REGULATIONS ---
[ ] Applicable Regulations (Select all that apply) (GDPR, CCPA, State Data Breach Notification Laws, Federal Privacy Act, Other (Specify in Long Text))
[ ] If 'Other' selected above, please specify regulations.
[ ] Last Review Date of Regulatory Compliance
[ ] Version Number of Compliance Documentation
[ ] Data Breach Notification Threshold (as per applicable regulations) (As defined by GDPR, As defined by CCPA, State-Specific Threshold, Custom Threshold (Specify in Long Text))
[ ] If 'Custom Threshold' selected above, please specify threshold and justification.

--- SECURITY AWARENESS TRAINING ---
[ ] Which of the following are examples of phishing attempts? (An email requesting your password, A phone call offering a reward for information, A suspicious link in an instant message, All of the above)
[ ] Describe a scenario where you might suspect a data breach. What would you do?
[ ] How often should you change your password?
[ ] What is the most secure method for transmitting sensitive data? (Email, Instant Messaging, Secure File Transfer Protocol (SFTP), Public Wi-Fi)
[ ] Date of last security awareness training completion.

--- AUDITING & MONITORING ---
[ ] Number of Security Alerts Reviewed in Last Period
[ ] Date of Last Security Audit
[ ] Audit Logging Enabled (Yes, No)
[ ] Summary of Findings from Latest Audit Review
[ ] SIEM Integration Status (Implemented, Planned, Not Applicable)
[ ] Frequency of Log Rotation (in Days)

--- END OF TEMPLATE ---
Template source: https://checklistguro.com/templates/public-transport-management/public-transit-data-security-privacy-audit-checklist