Covering FINRA's Top 7 Key Cybersecurity Practices
This month (February 2015) the Financial Industry Regulatory Authority (FINRA) issued a Report on Cybersecurity Practices to assist firms in responding to the growing threat of cyberattacks. The report centered on seven (7) “key points” as defined by FINRA.
Our team regularly counsels clients on how to address these cybersecurity practices. So, in the interest of sharing, here is a high-level snapshot of how Eze Castle Integration addresses the key points in the report.
Key Point 1: A sound governance framework with strong leadership is essential. Numerous firms made the point that board- and senior-level engagement on cybersecurity issues is critical to the success of firms’ cybersecurity programs.
Eze Castle Integration has an appointed Chief Information Security Officer (CISO) and an established Computer Security Incident Response Team (CSIRT). CSIRT members have predefined roles and responsibilities, which can take priority over their normal duties. The CSIRT is overseen by the CISO and is comprised of individuals from various groups such as Network Operations, Client Services, Cloud Services, Project Management, and Human Resources.
Key Point 2: Risk assessments serve as foundational tools for firms to understand the cybersecurity risks they face across the range of the firm’s activities and assets—no matter the firm’s size or business model.
Risk Assessments are built into Eze Castle Integration’s Information Security Policy as well as our Business Continuity Plan.
From an information security/cybersecurity perspective, Eze Castle Integration retains third-party managed security provider eSentire to perform security audits on our corporate infrastructure as well as the Eze Private Cloud infrastructure.
For Business Continuity Planning, Eze Castle Integration has a Certified Business Continuity Planner on staff. The company conducts reviews of BC/DR procedures and policies. The business requirements are continually reviewed through training and testing. Technical solutions are generated to address any potential recovery gaps and exposures.
Key Point 3: Technical controls, a central component in a firm’s cybersecurity program, are highly contingent on firms’ individual situations. Because the number of potential control measures is large and situation dependent, FINRA discusses only a few representative controls here. Nonetheless, at a more general level, a defense-in-depth strategy can provide an effective approach to conceptualize control implementation.
As outlined in Eze Castle Integration’s Information Security Policy, the company follows the Principle of Defense in Depth as well as the Principle of Least Privilege. This includes employing multiple layers of security to protect all systems and data as appropriate, as well as limiting access to only those who need it.
Key Point 4: Firms should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.
Eze Castle Integration has an Information Security Incident Management Policy in place. The policy outlines the requirements for dealing with computer security incidents. Security incidents include, but are not limited to: virus, worm, and Trojan horse detections; unauthorized use of computer accounts and computer systems; and complaints of improper use of Information Resources as outlined in the Acceptable Use Policy. Eze Castle Integration requires all employees to participate in information security training.
Key Point 5: Broker-dealers typically use vendors for services that provide the vendor with access to sensitive firm or client information or access to firm systems. Firms should manage cybersecurity risk exposures that arise from these relationships by exercising strong due diligence across the lifecycle of their vendor relationships.
Eze Castle Integration has extensive information security policies in place that are coupled with deep technical safeguards. We review all policies, employee adherence to these policies, the risk landscape and technical safeguards regularly and make adjustments as necessary.
Key Point 6: A well-trained staff is an important defense against cyberattacks. Even well-intentioned staff can become inadvertent vectors for successful cyberattacks through, for example, the unintentional downloading of malware. Effective training helps reduce the likelihood that such attacks will be successful.
All Eze Castle Integration employees are required to participate in annual educational and training sessions regarding Nonpublic Personal Information held by Eze Castle Integration. This includes all permanent and part-time employees, applicants, independent contractors/consultants, etc. The training sessions address the security precautions contained in the company’s Information Security Policy.
The training sessions also address security practices and procedures, including reporting procedures, material packaging or forwarding, preparation of media (e.g., CDs, DVDs, wireless devices, hard drives), security conditions during travel, and other issues. All new hires entering Eze Castle Integration receive Nonpublic Personal Information training during New Hire Orientation. New hires receive a copy of this policy and the implementing procedures for the department to which they are assigned.
As part of Eze Castle Integration’s Business Continuity Plan, each quarter a few employees are selected from each department at each office to participate in a remote test (i.e., working from home). The goal is to validate connectivity and access to critical applications through the primary data center.
Key Point 7: Firms should take advantage of intelligence-sharing opportunities to protect themselves from cyber threats. FINRA believes there are significant opportunities for broker-dealers to engage in collaborative self-defense through such sharing.
Eze Castle Integration participates in industry groups to share information and stay current on the evolving technology and cybersecurity landscape.