Don't Forget to Share this Post

Turning Hedge Fund Security Inside-Out (Webinar Recap Part 2)

By Kaleigh Alessandro | Tuesday, October 9th, 2012

Hedge fund cybersecurity is a serious concern, and our recent webinar highlighted the technical steps that firms can take to prevent, detect and respond to internal and external security threats. But in addition to implementing technical measures to protect your infrastructure, your firm must also employ operational policies and procedures to document incidents and provide transparency to investors and auditors.

The following policies and procedures are recommended as part of an overall technology and security management strategy:

Access Control

The first step you need to take is determining who at your firm needs access to what. Yes, I’m saying not every employee should be able to access every file, server, etc. Employ the principle of least privilege and only authorize access to employees who need it. The less access employees have, the less damage can be done.Security - Access Control
 
After you’ve controlled access, be sure to keep a log monitoring who accesses what. Do a regular audit to determine what access levels are in place and what changes need to be made. Remember - you aren’t saying you don’t trust your employees; rather, you trust the computers and systems they are using more.

Acceptable Use

What exactly is acceptable behavior for your employees as it relates to their technology usage? It’s best to be specific within your Acceptable Use Policy regarding what activities and programs employees are or are not permitted to access. Many investors also want a say in this process. Some demand that firms disallow access to social media sites, personal email and more. Firms can employ web filtering practices to block access to identified websites. Additionally, they can use third-party software to log activity around which employees are accessing what and what other actions they are taking (e.g. printing, copying, forwarding, etc.).

Information Security Incident Management

What about when a security incident does occur? (And if it hasn’t yet, it’s almost certain that it will eventually). What is your firm’s process for handling that situation? Determine who is responsible for incident management and what will be involved in the investigative process. As always, log what was done and by whom to keep an accurate trail of events for investors and auditors.

Personal Communications/Mobile Device Management

An important area to keep in mind as you are developing your security policies and procedures is mobile device management. With many companies opting to employ the practice of BYOD, it’s essential that they do their due diligence in preparing for potential security issues.
 
As part of your firm’s personal communications policy, be sure to include language on what is considered acceptable behavior when it comes to using mobile devices (whether company-owned or as part of a BYOD practice). Is there a limit to data usage? Is texting allowed? What procedures are in place if an employee loses his or her device? Does the company have permission to remotely wipe the device of all content? Make sure your employees understand exactly what the protocols are for using company or personal devices for work purposes.
 

Whitepaper: The Ins and Outs of Hedge Fund Network Security

Photo Credit: Markley Group

Don't Forget to Share this Post

Related Posts

Q&A Summary of Major Themes and Takeaways from ECI’s Webinar on New SEC Cybersecurity Rules
Webinar Recap: What Financial Firms Need to Know About Upcoming SEC Rules on Cybersecurity, Part 2
Webinar Recap: What Financial Firms Need to Know About Upcoming SEC Rules on Cybersecurity, Part 1
Why Your Firm Needs a Governance, Risk and Compliance (GRC) Program
A Comprehensive Approach to Security Automation
A “Just Right” Approach for Just-in-Time Access Management

How Can Eze Castle Integration help you?Contact us today!

Contact Us