DRPV-09

Do you protect personal information against unauthorized access (both physical and logical)?

Explanation

This question is asking whether your organization has implemented measures to protect personal information (PI) from unauthorized access, both physically (e.g., facility access controls) and logically (e.g., system access controls). Personal information includes any data that can identify an individual, such as names, addresses, Social Security numbers, financial information, health records, etc.

The question is being asked because protecting PI is a fundamental requirement of many privacy regulations (like GDPR, CCPA, HIPAA) and is essential for maintaining customer trust. In a security assessment, this question helps evaluators understand if you have comprehensive controls in place to prevent unauthorized parties from accessing sensitive personal data. This includes both physical controls (like secure facilities with badge access) and logical controls (like authentication, encryption, and access management).

To best answer this question, you should describe your specific controls for both physical and logical protection of personal information. Include details about:

1. Physical safeguards: building security, access cards, visitor policies, secure storage areas
2. Logical safeguards: access controls, authentication requirements, encryption, data loss prevention
3. Policies and procedures: how you manage access rights, conduct reviews, and handle violations
4. Monitoring and auditing: how you detect and respond to unauthorized access attempts

Example Responses

Example Response 1

Yes, we protect personal information against unauthorized access through comprehensive physical and logical controls. For physical protection, our data centers require multi-factor authentication for entry, with 24/7 security personnel, CCTV monitoring, and mantrap entries. All visitors must be pre-approved, escorted, and logged. For logical protection, we implement role-based access control (RBAC) with least privilege principles, requiring multi-factor authentication for all systems containing personal information. All personal data is encrypted both in transit and at rest using industry-standard encryption (AES-256). We conduct quarterly access reviews to verify appropriate permissions, and our security team uses a SIEM solution to monitor for unauthorized access attempts in real time. All access to personal information is logged and audited monthly.

Example Response 2

Yes, our organization maintains strict controls to protect personal information. Physical protection includes badge access systems at all entry points, with different security zones requiring increasing levels of authorization. Server rooms containing personal data are restricted to IT personnel only and require biometric verification. For logical protection, we implement network segmentation to isolate systems with personal information, require strong passwords with 90-day rotation policies, and enforce multi-factor authentication for remote access. All personal data is classified according to sensitivity levels with corresponding access restrictions. We use data loss prevention (DLP) tools to prevent unauthorized exfiltration of personal information, and all access attempts are logged. We conduct annual penetration testing specifically targeting our personal information protection controls.

Example Response 3

No, we currently have partial protections for personal information but acknowledge gaps in our security posture. While we have implemented basic logical controls such as password protection and standard network firewalls, we lack comprehensive physical security measures beyond standard office locks. We do not currently encrypt all personal information at rest, and our access review process is manual and performed irregularly. We're working to address these gaps through a security improvement plan that includes implementing encryption across all systems storing personal information, establishing formal access review procedures, and enhancing our physical security with badge access systems and visitor management. We expect these improvements to be completed within the next 6 months.

Context

Tab: Privacy
Category: Data Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub