The way the assessment progressed was really quite simple. Bob and I would move between different operational areas, such as account reps, customer service, IT, human resources, or sales, and interview people about what they did each day. After understanding their responsibilities in that area, we would then ask what information they handled with regard to their clients. This was a financial services company, so they handled a large volume of bank account and credit card information. Knowing what they do with the personal information is integral to understanding their privacy policies.
We also looked at the changes to the environment. We noticed that they had installed several boxes for the shredding of sensitive documents around every area of their office. This meant that they could improve on another area from the previous assessment, which was keeping desks clear of documents. You do not know who is coming around your desk while you aren’t there, so keeping any and all sensitive papers locked in your desk, or in a shredder box if they are no longer needed, cuts down on breach possibilities.
After meeting with many different individuals over several days, it was clear that having a third-party assessment provided a fresh look into their privacy policies. Clearly, our client had taken the previous assessment to heart and had improved in all areas. They were storing and disposing of information more carefully and were implementing procedures to follow in the event of a breach. Our previous assessment not only led to a strong implementation of privacy policies, but also to better security for their employees and, even more importantly, their clients.