6 Key Areas Of Focus
On September 15, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) of The U.S. Securities and Exchange Commission (“SEC”) issued an Alert (the “Alert”) to provide guidance concerning the series of cybersecurity examinations it began conducting in late 2014 and early 2015. In the Alert, the OCIE stated that audits will involve more testing to assess implementation of procedures and controls around cybersecurity in six priority areas:
- Governance and Risk Assessment
- Incident Response
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
Below are six things we recommend all our clients do before your OCIE cybersecurity audit.
- Establish a Cyber Governance Committee/Draft Cyber Governance Charter
Establishing a Cyber Governance Committee if there is not one, or a body that explicitly oversees such (some incident response committees are designed to cover). Drafting or updating a cybersecurity governance charter specifying the responsibilities, coordination and choreography among stakeholders before, during, and after an incident, investigation, remediation, or government inquiry or enforcement action.
- Build-Out Cyber Program and Incident Response Documentation
Building, modifying, and collecting global cyber program policies, procedures, training, incident response/breach notification plans, and other of the OCIE-enumerated 46 documents. Often, such documents exist in multiple places within an organization and need to be integrated and harmonized across countries or among business units and functions. Cyber Program can be treated separate from or an expansion of the traditional program—there are many overlapping stakeholders and safeguards, but cyber is a newer, increasingly sophisticated threat to which many organizations are applying new expertise and new approaches.
- Assess Security Program, Access Controls, and Gaps/Coordination with Cyber Needs
Reviewing scope, frequency, and evidence of attack and penetration testing, advance persistent threat scans and malware forensics, and assessing patch management, use of data loss prevention tools, access controls, procedures for granting system rights, renewal and termination procedures, and multi-factor authentication strategy. Also, many companies are leveraging external experts and reports to benchmark Security Program staffing, organization structure, and funding against industry norms or other best practices.
- Design Procedures for Threat Intelligence and Information Sharing
Develop procedures to evaluate threat-intelligence suppliers and to process and document responses to threat intelligence information, while also creating guidelines on when and how to share attack information with government entities or others within the industry without running afoul of antitrust or other constraints and without destroying legal privilege.
- Enhance Vendor Safeguards
Making more rigorous the vendor cybersecurity (and privacy/data protection) pre-contract assessment process, contractual safeguards and post-contract audit procedures.
- Cyber Training and Launch Cyber Simulation Wargames
Supplementing existing security, privacy, and/or data handling training to address cyber awareness, reporting/escalation, and response. Also, it has become industry common practice to run a series of simulated cyber-attacks to test incident response and breach notification procedures and coordination among business, IT, legal/privacy, PR, external counsel, external forensics firms, and other stakeholders.
A pro-active approach to improving your overall security framework will prove the least costly to preparing for your SEC Cybersecurity Exam. Putting prevention measures in place now can save your company not only time, money, production resources, but will also provide you and your customer a level of trust and confidence rather than the embarrassment of full customer disclosure that their personal information has been compromised and could be used in a fraudulent manner. TBG can help you prepare by first performing a Security Readiness Assessment to see how your company would fare in a real cybersecurity audit.
For more information on how TBG Security can help your organization reach compliance contact our our Compliance Practice Manager or call us directly at 877.233.6651 ext 704.