DATA-17

Does your staff (or third party) have access to institutional data (e.g., financial, PHI, or other sensitive information) through any means?

Explanation

This question is asking whether your employees or any third-party contractors can access sensitive institutional data belonging to the client organization. Institutional data typically includes personally identifiable information (PII), protected health information (PHI), financial records, student records, research data, or other confidential information.

The question is being asked as part of a security assessment to understand the potential exposure of sensitive data. Organizations need to know who has access to their data when they engage with a vendor or service provider. Access to sensitive data creates risk, and the organization needs to understand:

1. If your staff can access their sensitive data at all
2. Which staff members have access
3. What controls are in place to protect that data
4. Whether any third parties (subcontractors) also have access

This information helps the assessing organization determine if your access controls align with their security requirements and regulatory obligations (like HIPAA for healthcare data or GLBA for financial data).

To best answer this question:

- Be truthful about whether access exists
- Specify which roles have access (not individual names)
- Explain why access is necessary for service delivery
- Describe the controls in place to protect the data
- Mention any third-party access and associated controls
- Include details about access monitoring and auditing

If your staff does not have access to institutional data, clearly state this and explain how your service operates without requiring such access.

Example Responses

Example Response 1

Yes, our technical support staff and system administrators have access to institutional data, including financial information and PHI, on an as-needed basis to troubleshoot issues and maintain system functionality. All staff with potential access undergo background checks, sign confidentiality agreements, and receive annual security awareness training. Access is granted using role-based permissions, requires multi-factor authentication, and is logged for auditing purposes. No third parties have access to institutional data. All access events are monitored in real time, and we conduct quarterly access reviews to ensure appropriate permissions are maintained.

Example Response 2

No, our staff does not have access to institutional data. Our solution is designed with a zero-knowledge architecture where all sensitive institutional data is encrypted client-side before being stored in our systems. The encryption keys are held exclusively by your institution, making it technically impossible for our staff to access readable institutional data. Our support model operates using anonymized metadata only, and our maintenance procedures work with encrypted data blocks without requiring access to the underlying sensitive information. No third parties are involved in our service delivery model.

Example Response 3

Yes, our development team and database administrators have access to institutional data, including financial information. However, we currently do not have formal access controls or monitoring in place beyond standard login credentials. We're a small team of 5 people who all know each other well, so we haven't implemented role-based access or formal auditing yet. We do plan to implement more robust controls in the next 6-12 months as we grow. No third parties currently have access to institutional data. We recognize this is an area where we need to improve our security posture and would be happy to discuss our roadmap for enhancing these controls.

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub