Skip ahead:
- How does Vimeo assess and mitigate the risks associated with sharing or accessing PHI through external platforms and vendors?
- Does Vimeo have an incident response plan? How often is it tested, and how confident are you in its effectiveness in responding to a potential breach or data leak?
- How does Vimeo manage user access controls, authentication, and the principle of least privilege to safeguard PHI from unauthorized access?
- How does Vimeo help covered entities safeguard PHI?
- What key security metrics does Vimeo track to assess the effectiveness of the cybersecurity program, and how are these metrics utilized to drive improvements and accountability?
How does Vimeo assess and mitigate the risks associated with sharing or accessing PHI through external platforms and vendors?
Vimeo’s third-party software vendors must pass a review process which includes the completion of a security questionnaire and a formal risk assessment to assess the criticality and security posture of the vendor. When appropriate, Vimeo requires third-party vendors to sign Vimeo’s Data Processing Addendum, Business Associate Agreement, and Supplier Security Policy.
Does Vimeo have an incident response plan? How often is it tested, and how confident are you in its effectiveness in responding to a potential breach or data leak?
Vimeo has established controls to respond quickly and efficiently in the event of an incident that results in a compromise of Vimeo services. These controls have been codified through Vimeo Security policies and procedures. They provide system-specific response teams and procedures for each type of incident. They include protocols for assessing incident severity, remediating incidents, and, where necessary, notifying affected customers.
How does Vimeo manage user access controls, authentication, and the principle of least privilege to safeguard PHI from unauthorized access?
Vimeo enforces Single Sign-On with MFA for access to internal systems that may contain customer data. Vimeo implements role-based access controls when provisioning access to internal Vimeo systems. Employees and contractors are only permitted to access data to fulfill their job roles and responsibilities. Vimeo regularly conducts access reviews for critical systems.
How does Vimeo help covered entities safeguard PHI?
Vimeo helps covered entities safeguard PHI by providing enterprise tooling, such as data retention controls and audit logging within the platform to manage PHI.
What key security metrics does Vimeo track to assess the effectiveness of the cybersecurity program, and how are these metrics utilized to drive improvements and accountability?
Vimeo has started to measure effectiveness of the cybersecurity program by using the NIST Cybersecurity framework (CSF) and measuring percentage of compliance, and ranking the level of maturity based on the Cybersecurity Capability Maturity Model. Measuring this lets us track and continuously raise the bar for Vimeo’s control maturity level over time.