P13. Security oversight
The company should clearly disclose information about its institutional processes to ensure the security of its products and services.
Elements
- Does the company clearly disclose that it has systems in place to limit and monitor employee access to user information?
- Does the company clearly disclose that it has a security team that conducts security audits on the company’s products and services?
- Does the company clearly disclose that it commissions third-party security audits on its products and services?
Research guidance
Because companies handle and store immense amounts of information about users, they should have clear security measures in place to ensure this information is kept secure. We expect companies to clearly disclose that they have systems in place to limit and monitor employee access to user information. We also expect the company to clearly disclose that it deploys both internal and external security teams to conduct security audits on its products and services.
Potential sources:
- Company privacy policies
- Company security guide