Cybersecurity is a hot topic these days, so I thought it was important to touch on the importance of including cybersecurity in your firm’s Business Continuity Planning (BCP). Ideally, firms should have two separate plans: a Written Information Security Plan (WISP) and a Business Continuity Plan, keeping in mind there will be some high-level overlap.
Let’s start with the basics, such as access controls and permissions required for accessing data that is considered confidential. Access controls focus on preventing unauthorized use of an application, service, website, etc., to gain access to confidential data. Only specific users will have a business need to access confidential data. During the Business Impact Analysis (BIA) phase of business continuity planning, be sure to identify applications, services or websites that require at least one level of authentication (e.g. password protection, PC certificate, or security tokens).
Once you’ve identified the list of security-dependent applications, services or websites, you will then need to ensure secure steps exist for recovering the passwords, reinstalling the PC certificate on another computer or obtaining a new security token. It’s been my experience that these security-dependent applications, services or websites are typically very critical to the business. As a result, you want to make sure that:
1) security-dependent applications have been identified in your BIA;
2) a secure work-around for gaining access to those security-dependent applications has been created; and
3) the work-around has been thoroughly tested.
Another security consideration to be included in your BCP is the information on your shared drive, private (personal) drive and restricted drive. Notice I didn’t mention the C drive. The information saved to your C drive exists on the hard drive of your computer, completely separate from your network drives. At least once a year, I come across a user who still saves files to their C drive. Unfortunately, it is not secure and, in most cases, is not being backed up. Therefore, unless your IT professional has told you otherwise, stay away from the C drive.
Drives that are secure and replicated (or backed up) typically include your shared drives, personal drives and restricted drives. As part of your BCP, those drives should be identified and tested during your disaster recovery test. The testing will validate accessibility of shared drives by all employees and ensure secure drives are accessible only by the employees who have permission to access data on the restricted and personal drives.
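The permission check described above can be scripted so that a disaster recovery test produces a repeatable pass/fail result rather than relying on a few employees trying to open folders. The following PowerShell script is an added example, not code from the original post or from Eze Castle Integration: it compares the NTFS ACLs on each recovered drive against an expected access matrix and reports any identity that was granted access but should not have been, or that should have access but does not. The UNC paths, domain group names and ignored built-in identities are placeholders to be replaced with your own.

```powershell
# Added example: validate recovered network drives against an expected access matrix
# during a DR test. Paths and group names below are placeholders (assumptions), not
# values from any real environment.

$ExpectedAccess = @{
    '\\dr-fileserver\Shared'     = @('DOMAIN\Domain Users')        # every employee
    '\\dr-fileserver\Restricted' = @('DOMAIN\Finance-Restricted')  # only the restricted group
    '\\dr-fileserver\Users\jdoe' = @('DOMAIN\jdoe')                # one person's personal drive
}

# Identities present on every ACL by design; they are not reported as unexpected.
$IgnoredIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-DrivePermissions {
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,
        [string[]] $Ignore = @()
    )
    $findings = @()
    foreach ($path in $Expected.Keys) {
        # A drive that cannot be reached at all is itself a DR test failure.
        if (-not (Test-Path -LiteralPath $path)) {
            $findings += [pscustomobject]@{ Path = $path; Issue = 'Unreachable'; Identity = $null }
            continue
        }

        $acl = Get-Acl -LiteralPath $path
        # Only Allow entries grant access; Deny entries are ignored for this comparison.
        $granted = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        # Anyone granted access who is neither expected nor a known built-in is a finding.
        foreach ($id in $granted) {
            if (($id -notin $Expected[$path]) -and ($id -notin $Ignore)) {
                $findings += [pscustomobject]@{ Path = $path; Issue = 'UnexpectedGrant'; Identity = $id }
            }
        }
        # An expected identity missing from the ACL means the recovered drive is unusable for them.
        foreach ($id in $Expected[$path]) {
            if ($id -notin $granted) {
                $findings += [pscustomobject]@{ Path = $path; Issue = 'MissingGrant'; Identity = $id }
            }
        }
    }
    return $findings
}

$results = @(Test-DrivePermissions -Expected $ExpectedAccess -Ignore $IgnoredIdentities)
if ($results.Count -eq 0) {
    'All drives match the expected access matrix.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from a workstation in the DR environment with an account that can read the ACLs of every drive in the matrix, and keep the output with the rest of the DR test evidence. Two caveats: the script checks NTFS permissions only, so share-level permissions on the file server should be reviewed separately (for example with Get-SmbShareAccess on the server), and it compares identities rather than rights, so a group that is expected to have read-only access but was recovered with full control would not be flagged by this version.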
In light of the recent SEC cybersecurity exam questions, I recommend firms include a cybersecurity section in their BCP. The cybersecurity overview doesn’t need to address all SEC questions. But it should include high-level information about the company’s procedures for protecting confidential data during normal business operations and during a disaster. Keep in mind, having a response to the SEC cybersecurity questionnaire is also very important, but should not be included in your BCP. Answers to those questions should be thoroughly explained in your firm’s written information security plan.
Eze Castle Integration’s WISP team is actively working with clients to respond to the SEC inquiry and develop comprehensive written plans to satisfy regulatory and investor demands. If you would like to learn more about Eze Castle’s WISP service or speak with a sales representative, please don’t hesitate to contact us.