Tuesday, December 4, 2018

Compliance - Creating your Cybersecurity Plan

By Cory Roberson, Principal of FIN Compliance and FIN Community
By David McNeal, Contributor to My Compliance Blog

How do you frame cybersecurity within your firm's compliance program?

December 4, 2018. The US Securities and Exchange Commission (SEC) and state regulators are taking action against the cybersecurity practices of advisory firms after finding 590 deficiencies in audits last year.

Earlier this year, the SEC published a report investigating several instances of cyber fraud and the internal accounting control requirements of public issuers. The report was released less than one month after the SEC's first enforcement action under the Identity Theft Red Flags Rule, a settlement with Voya Financial Advisors Inc., an Iowa-based investment advisory firm that agreed to pay a $1 million penalty for insufficient cybersecurity policies and procedures, after an intruder compromised the personal information of thousands of customers.

These are clear examples of how the SEC and other regulators will continue to investigate cyber intrusions, expose flaws in companies’ cybersecurity posture, and impose significant penalties for noncompliance with privacy laws.

Developing a coherent cybersecurity strategy is now one of the most critical challenges facing Registered Investment Advisors (RIAs). Firms should review their cybersecurity policies and procedures for compliance gaps and ensure that employees are adequately trained.

The following is a set of policies to consider adding to your company's data protection and cybersecurity program.

Acceptable Encryption Policy 
The Acceptable Encryption Policy provides guidance on, and limits on the use of, specific encryption algorithms. It also helps ensure compliance with federal, state and international regulations.

Acceptable Use Policy 
The Acceptable Use Policy describes the acceptable use of computer equipment in your company. These rules protect both the worker and the company.

Clean Desk Policy 
The Clean Desk Policy sets the minimum requirements for maintaining a "clean desk", so that sensitive information about your employees, intellectual property, customers and suppliers is secured and stored out of sight. A Clean Desk Policy supports compliance not only with ISO 27001/17799 but also with GDPR.

Data Breach Response Policy 
The Data Breach Response Policy sets out the goals of the breach response process. It defines what constitutes a data breach, the roles and responsibilities of employees, reporting standards and metrics, and the remediation and feedback mechanisms to follow if a breach occurs.

Disaster Recovery Plan Policy 
The Disaster Recovery Plan Policy defines the recovery process for IT systems, applications, and data in the event of a disaster that causes a system failure.

Digital Signature Acceptance Policy 
The Digital Signature Acceptance Policy provides guidance on validating a signer's identity in your company's electronic documents. Since communication is mainly electronic, the aim is to remove ambiguity about when a digital signature can be trusted.

Email Policy 
The Email Policy sets the minimum requirements for the use of email within your company's network.

Ethics Policy 
The Ethics Policy aims to create a culture of openness and trust and to set clear expectations for fair business practices. Practical ethics is a team effort involving all of your company's employees.

Pandemic Response Planning Policy 
The Pandemic Response Planning Policy provides direction and disaster recovery procedures for planning and preparing for the rare event of a pandemic disease outbreak. Its objective is to address the fact that pandemic events can create problems beyond the scope of traditional staffing and technology planning.

Password Construction Guidelines 
The Password Construction Guidelines provide best practices for creating strong passwords.

Password Protection Policy 
The Password Protection Policy establishes a standard for creating, distributing and storing passwords.

Security Response Plan Policy 
The Security Response Plan Policy requires that all business units develop and maintain a security response plan. This ensures that the security response team has the information it needs to respond effectively to a security incident.

End User Encryption Key Protection Policy 
The End User Encryption Key Protection Policy sets out the protection requirements for end users who hold encryption keys. These requirements are intended to prevent unauthorized disclosure, negligent handling, and misuse of encryption keys.

Acquisition Assessment Policy 
The Acquisition Assessment Policy defines the minimum security requirements for an information security assessment of a company being acquired.

Bluetooth Baseline Requirements Policy 
The Bluetooth Baseline Requirements Policy provides a minimum standard for connecting Bluetooth devices to your company's network devices. The minimum standard is meant to protect personal data and critical company information.

Remote Access Policy 
The Remote Access Policy lays down the rules and conditions for connecting to your company's network from any remote host. These rules are intended to reduce the potential for damage to your company from unauthorized use of company resources.

Remote Access Tools Policy 
The Remote Access Tools Policy applies to all tools used to make remote access connections from your company's equipment.

Router and Switch Security Policy 
The Router and Switch Security Policy describes the minimum security configuration required for all routers and switches connected to your company's network, or used on your company's behalf, in a production capacity.

Wireless Communication Policy 
The Wireless Communication Policy exists to maintain the confidentiality, integrity, and availability of all communications over your company's wireless network.

Wireless Communication Standard 
The Wireless Communication Standard sets out the technical requirements for connecting wireless infrastructure devices to your company network. 

Database Credentials Policy 
The Database Credentials Policy sets out the requirements for how programs store and use the credentials they need to access a database running on one of your company's networks.

Technology Equipment Disposal Policy 
The Technology Equipment Disposal Policy defines the guidelines for disposing of your company's equipment and components.

Information Logging Standard 
The Information Logging Standard identifies the specific requirements for the access and audit logs your company's systems must generate and how those logs are managed.

Lab Security Policy 
The Lab Security Policy sets out information security requirements to help manage and safeguard laboratory resources by minimizing the risk of data exposure to unauthorized parties.

Server Security Policy 
The Server Security Policy sets the baseline configuration standards for your company's servers and data storage equipment.

Software Installation Policy 
The Software Installation Policy describes the requirements for installing software on company devices.

Workstation Security (For HIPAA) Policy 
The Workstation Security Policy ensures compliance with the workstation security standard of the HIPAA Security Rule, 45 CFR 164.310(c).

Web Application Security Policy 
The Web Application Security Policy defines how security assessments of web applications are performed within your business.

Data security is not just the responsibility of the IT department. Everyone in the company must be included in the data security plan so that they understand why and how security concerns are addressed.

You also want a designated team to review data security policies regularly. This keeps your company up to date with new regulations and ensures continuous compliance, avoiding the costly penalties imposed by the SEC or state regulators for violations.

Source: SANS Institute

Contact:  Cory Roberson/650-305-2688/  

Cybersecurity Plan templates are now available on RIA Review for paid subscribers.  


Compliance and Business Management

FIN Compliance is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019). Access all services on one site:


FIN Missions provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.


Alia parker said...

Thankful for sharing such vital information. It helps me to comprehend front line security. In actuality, it ties in fundamentally with managed cybersecurity services. It also gives you exceptional information about cybersecurity, cloud storage, and cloud solutions.

Cory Roberson said...

Thanks Alia for your comments. Are you in the investment industry, or are you considering options for your business?
