The following list identifies core controls that firms are expected to evidence in demonstrating their cybersecurity program. To establish an effective program, however, firms will need to consider these measures in the context of their business model and technology infrastructure.
Patch Maintenance. Enable the automatic patching and updating features of operating systems and other software to help firms maintain the latest security controls.
Secure System Configuration. When configuring systems and software, use vendor guidance or industry standards, such as those published by the Center for Internet Security (“CIS”).
Identity and Access Management. Limit access to confidential customer and firm information based on business need. Tightly restrict use of “admin” or highly privileged entitlements and regularly review user accounts and privileges to modify or delete those which are no longer necessary to achieve business objectives.
Vulnerability Scanning. Use Commercial Off-The-Shelf (“COTS”) software or third-party vendors to continuously scan for vulnerabilities and quickly address detected discrepancies.
Endpoint Malware Protection. Install COTS software on firm computers, servers and firewalls to detect and block viruses and other malware.
E-mail and Browser Protection. Install software or use services to block web-based e-mail programs and unsafe content received through e-mail (e.g., phishing attacks) or accessed via web browsers.
Perimeter Security. Use network access controls, such as firewalls, to block unnecessary connectivity between firm systems and outside systems. If feasible, incorporate an intrusion detection and prevention system.
Security Awareness Training. Provide cybersecurity training to all employees upon their employment and at least annually thereafter (but preferably more often) to ensure all users are aware of their responsibilities for protecting the firm’s systems and information. Training should address common attacks, how to avoid becoming a victim and what to do if they notice something suspicious. Consider implementing an ongoing phishing awareness campaign.
Risk Assessments. Conduct annual risk assessments and testing of firm controls to verify effectiveness and adequacy. This assessment may be accomplished using third-party or firm security experts.
Data Protection. Encrypt critical data, back it up frequently and store copies of back-ups offline. Regularly test the firm’s ability to restore data. Consider blocking USB ports and the use of all removable data storage devices, including CDs and flash drives.
Third-Party Risk Management. Review System and Organization Controls (SOC) or SSAE 18 reports for third-party vendors and other partners with access to confidential firm and customer data to ensure they have security controls commensurate with, or better than, the firm’s. All contracts should have provisions to enforce controls to protect data, including prompt notification of any changes to those controls and of vulnerabilities or breaches that may affect the firm.
Branch Controls. Ensure that branches apply and enforce relevant firm cybersecurity controls, which may include many of the controls identified in this list, as well as other relevant controls.
Policies and Procedures. Create policies and procedures that address each category of controls applicable to the firm, such as those identified in this list.