Eze Castle Integration

Hedge IT Blog

9 Steps to Create an Information Security Plan (Webinar Replay)

By Olivia Munro,
Tuesday, January 16th, 2018

In today's changing regulatory and investor landscape, Information Security Plans are critical for hedge funds and investment management firms to comply with SEC regulations, due diligence requests and state laws. In our recent webinar, we had our in-house information security experts weigh in on Information Security Plans: what they are, why they are important, and the 9 steps your firm can take to create one.

What is an Information Security Plan and Why Have One?

An Information Security Plan can take many forms, but generally it is a collection of policies and procedures around your information and data security. Some plans encapsulate all firm policies and procedures relating to data; others work at a high level to give visibility and satisfy regulators. It is important to note that there are different ways to approach and prepare a firm for cybersecurity-related risks and the regulatory requirements on the business. Having an Information Security Plan is crucial because it is not a matter of if, but when, your firm will need a plan in place to react to an information security incident.

9 Steps to Create an Information Security Plan:

  1. Regulatory Review and Landscape

    All businesses have requirements, and your firm needs to know what is necessary from a regulatory perspective. Requirements can come from international bodies, federal agencies, states, or even industry-specific bodies, in addition to external pressures from investors, auditors, and external partners.

  2. Governance Oversight and Responsibility

    Everyone within your organization has a role in information security, but creating a Computer Information Security Response Team (CISRT) to make sure that all employees within the company follow policy can help ensure internal compliance.

  3. Take Asset Inventories

    Knowing what hardware and software your organization has can help you identify potential vulnerabilities. This can be a manual process, but there are software applications and scanning tools that can make it easier.

  4. Data Classification

    Knowing what data is important and what needs to be protected, in addition to knowing where the information resides, who has access to it, and how it is stored and transferred, will help you write your policies and procedures.

  5. Evaluate Available Security Safeguards

    Firms need to be aware of what policies and procedures they currently have in place, including what solutions and controls their IT vendor can add to enhance their security. Be aware of what safeguards are available to assist you with your existing programs.

  6. Perform a Cyber Risk Assessment

    This will help you understand the cybersecurity risks to the firm's operations, functions, image, reputation, and assets. It doesn't have to be overly complex or robust; your firm can start with the basics and evolve the assessment as you grow.

  7. Perform a Third-Party Risk Assessment

    Reviewing critical vendors on an annual basis is crucial to see whether any of their practices or policies have changed. Have a checklist in place to make sure you are establishing acceptable guidelines to send to vendors.

  8. Create an Incident Response Plan

    These plans need to be realistic for your firm specifically and for the vendors that have a stake in your response. Engage other parties internally, such as IT, Operations, and HR, as well as externally, such as service providers and third-party vendors, clients, and regulators, when you create this plan.

  9. Training and Testing Employees

    Make your employees an asset instead of a threat by training and testing them. Reviewing internal roles and responsibilities within the firm and holding training and testing throughout the year gives people more opportunities to learn.

There is no time like the present to start developing an Information Security Plan, and all firms that are registered with the SEC are required to have one. For more information or a consultation, contact Eze Castle Integration.

Watch our 30-minute webinar "9 Steps to Create an Information Security Plan" here or below.

Categorized under: Security, Hedge Fund Regulation