
An Information Security and Privacy Checklist for Enterprise Technology

In FTI Technology’s practices, and those expected of technology partners, security and privacy are treated as related but distinct concepts that are equally important. Security measures focus on the protection of systems, assets, information, facilities and data, while privacy controls protect how and where personal information may be viewed and used. 

When testing and evaluating a potential technology partner, the team engages in a complex and exhaustive review of the company’s technical and organizational measures, performance, capability and contractual agreements in relation to privacy and security. The findings are compared against the prospective partner’s top competitors to validate fit and acceptability. Evaluation of the partner’s viability, ethics and business practices is also undertaken, alongside review of its third-party certifications, security and privacy audits, and system testing. 

When prospective partners provide artificial intelligence or large language models, security and privacy review processes are further enhanced to ensure proper use and handling of data within analytic models. 

Privacy and security checklist 

These evaluation workflows, and the lessons learned as security and privacy best practices have evolved, serve as an effective guide for enterprises looking to uphold robust privacy and security when onboarding new technologies or engaging with new partners. 

FTI Technology has identified the following as top priorities to examine when considering new technologies or third parties. 

  • Ensuring alignment and standards across legal, statutory, regulatory, indemnity and contractual requirements: Terms for data protection, handling of personally identifiable information and personal data, intellectual property rights, copyright, right to audit, incident response and management, and propagation of FTI Technology’s security requirements throughout the partner’s supply chain must all be in place at the outset. This also includes parameters for how the partner will ensure every requirement is consistently met.
  • Review of independent, third-party reports, certifications, accreditations and examinations: Items such as third-party penetration testing reports, SOC 2 Type 2 reports and ISO certifications help verify a prospective partner’s claims about its privacy and security practices. Having just one is not considered sufficient. Multiple certifications and reports are required to build assurance and trust that the environments and infrastructure are secure.
  • Vetting of technical measures: FTI Technology will closely examine a partner’s privacy and security program across vulnerability and patch management, strong password management, access controls, multifactor authentication, network segmentation, endpoint protections, data exfiltration controls, data encryption, and detection and response capabilities.
  • Interoperability and integration with existing technologies: As security technologies such as encryption and identity management become increasingly accepted as industry standard, clients and partners should support integration of security platforms between trusted parties. For example, the ability to federate with partner identity providers allows FTI Technology and its clients to manage and secure user accounts, apply multifactor authentication policies and more.
  • Flexibility to adapt to unique client requirements: In certain circumstances, FTI Technology clients request additional requirements for privacy, security or risk management that may extend beyond the baseline, often related to special needs for a specific matter, timeline, geography or jurisdiction. Because of this, it’s essential for technology partners to have the ability to adapt to or implement additional measures quickly when needed. 

Additional considerations for artificial intelligence

When AI and/or generative AI technologies are involved, additional evaluation steps and contractual clauses are often needed to ensure sensitive and personal information is not misused. The technology provider’s AI governance framework, and how it handles AI-specific risks such as data poisoning, bias and discrimination, manipulation of training data, and model theft, must be scrutinized to understand potential exposures related to data privacy, security, encryption, explainability, access control and transparency.

Preventing the use of protected and sensitive data, intellectual property, personal information and copyrighted material to train large language models is also essential. Special terms and limitations may be needed to distinguish acceptable uses of data within analytic platforms from prohibited uses or manipulation. 

The security climate is always changing, so what is considered secure today may be insecure tomorrow. When organizations focus on maintaining regular third-party assessments and reviews, adaptable risk management practices, and interoperability and flexible integrations, they can uphold strong privacy and security and establish a solid foundation for leveraging artificial intelligence safely and effectively.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.