A Guide to a SCIDSA Compliant Information Security Program

As the roll out of the South Carolina Insurance Data Security Act (“SCIDSA”) begins to unfold, insurance companies’ are tweaking their existing information security program or building a new program from scratch to the endeavor of meeting the new security requirements. Information security programs are designed to be comprehensive in nature, using the concept of “defense in depth” by implementing three layers of safeguards to protect key data.

​For businesses, data exists in a few states known as the “three states of digital data”, one of which is “Data in Transit.” As the information moves from business to business, business to client, employee to employee and so on, a complexity to securing the data begins to arise. When these transfers of information are looked at from a business model perspective, hundreds to thousands of transactions occur on a daily basis to meet business needs. Added to this process is the burden of having detailed procedures in place to handle the data as it flows through the other two states, with access, collection, storage, processing, use, and disposal. Policies and procedures are one of the daunting tasks required by SCIDSA as the documents must be in-line with the business model and enforced.

​But wait there is more!  Complexity emerges when we dig deeper into the policy. What kind of hardware, software or technical systems will you employ to safely collect, transmit, access and store this data? How will you update, monitor, or audit this software and equipment? Will you hire an outside firm to handle any of these issues? Will you use multi-factor authentication for all users and additionally what type of data encryption will you select for the various types of electronic data that are handled? Additionally, companies need to consider the physical safeguards for buildings, equipment and electronic information systems. How do you protect the information from natural and workplace hazards? How about protection from unauthorized intrusion? Is there a business continuity plan or a disaster recovery plan in place? What backup schedule is in place to ensure recovery is possible in a timely manner? Finally, consider incident response and planning. Who will you assign to identify foreseeable internal or external threats? These resources should be able to evaluate the risk by taking into account the likelihood and potential damage of each threat in a Security Risk Assessment. As the threatscape evolves, current policies, procedure, and technologies need to be reassessed to ensure adequacy of the security program.

​Hopefully these ideas will help motivate businesses to use their time wisely and develop a comprehensive information security program before SCIDSA is fully enforced. I also hope that you will join me at the South Carolina Insurance Association’s seminar on July 26, 2018 in Columbia, SC to help answer these questions and more. Please check out my prior blog on July 6, 2018, https://www.tandemcybersolutions.com/blog/scia-educational-seminar-on-sc-insurance-data-security-act for the complete details and links. I will be sure to take good notes and pass along some of the valuable tips and resources in my next blog.