Eze Castle Integration

Written Information Cybersecurity Policy Consulting Services


 

Cybersecurity threats facing the hedge fund and financial industry are intensifying, as is the focus of the Securities and Exchange Commission (SEC) on ensuring firms are prepared and have detailed information security policies in place. On April 15, 2014, the SEC stated that the Office of Compliance Inspections and Examinations (OCIE) will be conducting examinations of registered entities regarding cybersecurity matters. As part of the exam, the SEC will be reviewing firms' written information security plans and policies.

Eze Castle Integration's experienced consultants are working with hedge funds and alternative investment firms to create Written Information Security Policies (WISP) that address the administrative and technical safeguards a firm needs to withstand a cybersecurity incident and demonstrate preparedness.

Since 2009, when the Massachusetts data privacy law went into effect, our team has worked with clients to create information security policies and incident response plans.

What is a Written Information Security Policy? 

A Written Information Security Policy outlines the administrative and technical safeguards a firm has in place to ensure confidential data is protected.

Administrative Safeguards:

  • Defines confidential data
  • How confidential data is protected
  • Where confidential data is located (e.g., shared drive, externally hosted, hard copy format, etc.)
  • Who has access to confidential data and whether they have a business need
  • Roles and responsibilities for responding to a data breach or cybersecurity incident
  • Internal and external communication procedures for responding to an incident
  • Employee responsibilities and training

Technical Safeguards:

  • Assessment of technical safeguards (e.g., penetration testing, email encryption, software patches, vulnerability assessments, firewalls, etc.)
  • Evaluation of technical policies/Cybersecurity Tracking Sheet (e.g., strong password policy, access controls, USB policy, hard copy documentation policy, etc.)
  • If needed, implementation of additional technical safeguards

How You Know If You Need a WISP

Any person or company that has access to client or employee information needs to ensure they implement the appropriate level of administrative and technical safeguards.

Anyone or anything with access to your confidential information needs to have preventative measures in place for protecting confidential data.

A WISP provides detailed policies and procedures for ensuring confidential data is protected, and documents how it’s being protected and who is ensuring it’s protected.


Watch Our Webinar & Hear More

Members of Eze Castle’s Cybersecurity Incident Response Team (CSIRT) addressed the SEC’s recent recommendations and provided guidance around how firms can prepare. Specific discussion points included:

  • How firms can identify cybersecurity risks;
  • Sample answers to the SEC’s cybersecurity questionnaire;
  • Policies to implement regarding infrastructure risk and access control; and
  • The importance of written information security policies (WISP).

Watch the video or read the recap.

Hedge Fund Cybersecurity Guide