Hedge fund cybersecurity is a serious concern, and our recent webinar highlighted the technical steps that firms can take to prevent, detect and respond to internal and external security threats. But in addition to implementing technical measures to protect your infrastructure, your firm must also employ operational policies and procedures to document incidents and provide transparency to investors and auditors.
The following policies and procedures are recommended as part of an overall technology and security management strategy:
The first step is determining who at your firm needs access to what. Not every employee should be able to access every file, server, or application. Employ the principle of least privilege and authorize access only to employees who need it for their role: the less access employees have, the less damage a compromised or misused account can do.
After you’ve controlled access, keep a log of who accesses what, and audit it regularly to determine which access levels are in place and what changes need to be made. Remember, this isn’t a statement that you don’t trust your employees; rather, it recognizes that the computers and systems they use can be compromised, so the access those systems carry should be limited.
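The two controls above (deny-by-default authorization under least privilege, plus an audit trail that feeds a periodic access review) can be sketched in a few dozen lines. The following is an added example, not code from the original post; the users, roles and resources are constructed sample data, and the `AccessControl` class and its methods are hypothetical names chosen for this illustration.

```python
"""Added example (not from the original post): a minimal least-privilege
authorization check with an audit log and a periodic access review.
All users, roles and resources below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role-to-permission map: each role lists (resource, action) pairs.
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "analyst": {("research-share", "read")},
    "trader": {("research-share", "read"), ("oms", "read"), ("oms", "write")},
    "ops": {("oms", "read"), ("fileserver", "read"), ("fileserver", "write")},
}

# Constructed user-to-role assignments (one role per user keeps the model simple).
USER_ROLES = {"alice": "analyst", "bob": "trader", "carol": "ops"}


@dataclass
class AuditEntry:
    when: datetime
    user: str
    resource: str
    action: str
    allowed: bool


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def permissions_for(self, user):
        """Permissions a user holds through their role; unknown users hold none."""
        role = USER_ROLES.get(user)
        return ROLE_PERMISSIONS.get(role, set())

    def authorize(self, user, resource, action, now=None):
        """Deny by default. Every decision, allowed or denied, is recorded with
        who, what and when so auditors can reconstruct the trail later."""
        now = now or datetime.now()
        allowed = (resource, action) in self.permissions_for(user)
        self.audit_log.append(AuditEntry(now, user, resource, action, allowed))
        return allowed

    def denied_attempts(self, user):
        """Denied requests are the first thing to look at in a review."""
        return [e for e in self.audit_log if e.user == user and not e.allowed]

    def unused_permissions(self, user, since):
        """Access review: permissions granted but never exercised since `since`.
        These are the candidates for removal under least privilege."""
        used = {(e.resource, e.action) for e in self.audit_log
                if e.user == user and e.allowed and e.when >= since}
        return self.permissions_for(user) - used


def run_demo():
    """Drive the model with constructed activity and return the review results."""
    ac = AccessControl()
    t0 = datetime(2024, 1, 15, 9, 0)
    results = {
        "alice_read_research": ac.authorize("alice", "research-share", "read", now=t0),
        "alice_write_oms": ac.authorize("alice", "oms", "write", now=t0),
        "bob_write_oms": ac.authorize("bob", "oms", "write", now=t0),
    }
    results["alice_denied_count"] = len(ac.denied_attempts("alice"))
    # Quarterly review: which of bob's permissions went unused in the last 90 days?
    results["bob_unused"] = ac.unused_permissions("bob", since=t0 - timedelta(days=90))
    # An unknown account holds nothing, so nothing is flagged.
    results["dave_unused"] = ac.unused_permissions("dave", since=t0)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In practice the audit log would be shipped to a central, append-only store rather than kept in memory, and the access review would be run on a schedule (for example quarterly) with its output recorded alongside the changes it prompted, since that record is what investors and auditors will ask to see.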
What exactly is acceptable behavior for your employees as it relates to their technology usage? It’s best to be specific within your Acceptable Use Policy regarding what activities and programs employees are or are not permitted to access. Many investors also want a say in this process. Some demand that firms disallow access to social media sites, personal email and more. Firms can employ web filtering practices to block access to identified websites. Additionally, they can use third-party software to log activity around which employees are accessing what and what other actions they are taking (e.g. printing, copying, forwarding, etc.).
Information Security Incident Management
What about when a security incident does occur? (And if it hasn’t yet, it almost certainly will eventually.) What is your firm’s process for handling that situation? Determine who is responsible for incident management and what the investigative process will involve. As always, log what was done and by whom to keep an accurate trail of events for investors and auditors.
Personal Communications/Mobile Device Management
An important area to keep in mind as you develop your security policies and procedures is mobile device management. With many firms adopting BYOD (bring your own device), it’s essential that they do their due diligence in preparing for the security issues that personal devices on the corporate network can introduce.
As part of your firm’s personal communications policy, be sure to include language on what is considered acceptable behavior when it comes to using mobile devices (whether company-owned or as part of a BYOD practice). Is there a limit to data usage? Is texting allowed? What procedures are in place if an employee loses his or her device? Does the company have permission to remotely wipe the device of all content? Make sure your employees understand exactly what the protocols are for using company or personal devices for work purposes.