After “thousands” of exams, the Office of Compliance Inspections and Examinations (OCIE) has spotted a few smart cybersecurity actions that appear to work. A new report from the division encourages firms to review their policies and procedures (P&Ps) and consider adopting some of these actions.
“Cyber threat actors are becoming more aggressive and sophisticated,” the report warns.
“OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,” said OCIE Director Pete Driscoll. “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”
Before sharing the best practices, the agency acknowledges that there is no “one-size-fits-all approach” to cybersecurity. Many of the practices fall under categories first identified in OCIE’s 2015 cyber risk alert.
A new seventh cyber topic
The new report is structured around the same six cybersecurity topics the agency sketched out in the 2015 risk alert: (1) Governance, (2) Access Rights, (3) Data Loss Prevention, (4) Incident Response, (5) Vendor Management and (6) Training. The new report adds a seventh topic: Mobile Security.
Here’s a sampling of the best practices shared by OCIE under these categories:
- Governance: Perform a cybersecurity risk assessment and be sure to include “remote or traveling employees, insider threats, international operations and geopolitical risks, among others.” Maintain cyber P&Ps and test and monitor for compliance.
- Access rights: Limit network access according to employee needs and periodically review these limits. It’s also wise to “re-certify users’ access rights on a periodic basis,” focusing on those with “elevated privileges,” require strong passwords that must be changed at intervals, deploy multi-factor authentication and revoke access quickly for staff and contractors who leave the firm. Scan for failed login attempts and accounts that are locked out.
- Data loss prevention: Use firewalls and other tools. Do “routine scans of software code, web applications, servers and databases, workstations and endpoints both within the organization” and at third-party providers. Also under this topic: keeping software security up to date, inventorying hardware and software, using encryption, segmenting computer networks and monitoring for insider threats.
- Mobile security: Among the strategies the report lists is to have the ability to “remotely clear data and content from a device that belongs to a former employee or from a lost device.”
- Incident response: Have a policy to escalate incidents to the appropriate people as well as to communicate “with key stakeholders.” This includes notifying clients when you suspect their data have been compromised. Have an incident response plan, test it and assign staff specific duties under the plan. Prioritize business services and map system processes. This category includes a new term: “resiliency.” OCIE defines this as a firm’s ability to “recover and again safely serve clients” after an incident.
- Vendor management: Among the tips in the report under this category is to “be aware of changes to the vendor’s services or personnel.”
- Training: You’re encouraged to include cybersecurity examples and exercises in staff training and to conduct phishing tests.
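The access-rights item above recommends scanning for failed login attempts and locked-out accounts. The following is an added example, not code from the OCIE report, showing one way a small firm might run that check over an authentication log. It assumes a hypothetical syslog-style format (the sample lines are constructed) and flags accounts that accumulate a burst of failures inside a short window, alongside accounts the system has already locked, so a reviewer can decide which to investigate or re-certify.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-style format.
# They are not taken from the OCIE report or any real system.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:04 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:07 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:10 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:13 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:20 auth sshd: Accepted password for bob from 10.0.0.9
2024-03-01T08:01:00 auth pam_tally2: user carol account locked due to 6 failed logins
2024-03-01T08:30:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:45:00 auth sshd: Failed password for bob from 10.0.0.9
"""

# Patterns for the assumed log format: ISO timestamp, facility, program, message.
FAILED_RE = re.compile(r"^(\S+) \S+ \S+: Failed password for (\S+) from (\S+)")
LOCKED_RE = re.compile(r"^(\S+) \S+ \S+: user (\S+) account locked")


def parse(lines):
    """Collect failed-login events per user and the set of locked accounts."""
    failures = defaultdict(list)  # user -> [(timestamp, source_ip), ...]
    locked = {}                   # user -> timestamp of the lockout event
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            failures[m.group(2)].append((ts, m.group(3)))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked[m.group(2)] = datetime.fromisoformat(m.group(1))
    return failures, locked


def bursts(failures, threshold=5, window=timedelta(minutes=5)):
    """Return users with at least `threshold` failed logins inside any `window`.

    A sliding window over the sorted timestamps: failures spread out over
    hours (an honest typo now and then) do not trigger, a tight cluster does.
    """
    flagged = {}
    for user, events in failures.items():
        times = sorted(ts for ts, _ in events)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def review_report(log_text):
    """Summarise what an access-rights reviewer would want to look at."""
    failures, locked = parse(log_text.splitlines())
    return {
        "brute_force_candidates": bursts(failures),
        "locked_accounts": sorted(locked),
        "failed_login_counts": {u: len(e) for u, e in failures.items()},
    }


if __name__ == "__main__":
    for key, value in review_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The threshold and window are deliberately parameters: the right values depend on the firm's lockout policy, and the point of the periodic review is that a human looks at the flagged accounts (especially those with elevated privileges) rather than the script acting on its own.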