Employers and employer agents who use E-Verify through a Web service must ensure that information they share through the Web service software with DHS is appropriately protected through means that are comparable to security provided within the DHS environment. The following are best practices to achieve information security:
- Conduct periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of DHS, SSA, the Web service E-Verify employer, and the E-Verify employer agent and its clients.
- Develop policies and procedures that are based on risk assessments, reduce information security risks to an acceptable level, and ensure that information security is addressed
- Implement subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate.
- Conduct security awareness training for Web services users, contractors and others who use the information systems to support operations and manage assets. This training informs users of the information security risks associated with their activities and of their responsibility to comply with the organizational policies and procedures designed to reduce those risks.
- Conduct periodic testing to evaluate the effectiveness of information security policies, procedures, practices, and security controls. The frequency of this testing and evaluation depends on the level of risk, but it must be conducted at least once per year.
- Develop a corrective process sometimes referred to as a “Corrective Action Plan.” This plan implements, evaluates and documents remedial actions addressing any deficiencies in information security policies, procedures, and practices.
- Implement security incident procedures for detecting, reporting, and responding to incidents; the report produced for an incident is sometimes referred to in security circles as a “Significant Incident Report (SIR)” or “Security Incident Report.”
- Create continuity of operations (COOP) plans and procedures to ensure ongoing operations for information systems that support the operations and assets of the organization.
- Establish the appropriate rules for the use and protection of information, as the ultimate responsibility for sharing or providing information rests with the information owner.