Thursday, May 30, 2019

SEC Risk Alert - Data Security and Use of Third Party Vendors

David McNeal, Consultant and Contributor of My Compliance Blog
Cory Roberson, Principal of FIN Compliance and FIN Lancer

May 30, 2019. The SEC Office of Compliance Inspections and Examinations (“OCIE”) published a risk alert based on findings from examinations of broker-dealers and investment advisers that store electronic customer records and information in network storage solutions, including solutions hosted by third-party vendors.

Data Protection – Regulation S-P (17 C.F.R. § 248.30(a), the “Safeguards Rule”) requires every SEC-registered broker-dealer and investment adviser to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.

During examinations, OCIE staff identified the following concerns, which may raise compliance issues under Regulations S-P and S-ID:

Misconfigured network storage solutions.
In some cases, firms had not properly configured the security settings of their network storage solutions to protect against unauthorized access, and some had no policies or procedures governing the security configuration of those solutions. In other instances the misconfiguration was the result of inadequate monitoring of storage solutions already in use.

Inadequate oversight of vendor-provided network storage solutions.
In other cases, firms had not ensured that the security settings of vendor-provided network storage solutions were configured in accordance with the firm's own standards, whether set out in policies, procedures, contractual provisions or otherwise.

Insufficient data classification policies and procedures.
Lastly, OCIE reports that some firms' policies and procedures did not identify the different types of data the firm stored electronically or the controls appropriate to each data type.

For instance, the popular CRM vendor Redtail disclosed a data breach after it had “inadvertently stored investors' personal information on a debug log file.” Security practitioners regard this as a common failure mode rather than a risk unique to this one vendor: debug logging that captures full request or record contents writes sensitive data to files that rarely receive the access controls, encryption or retention limits applied to the production database.
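The debug-log failure mode above is easy to reproduce and to guard against. The following Python example is added here; it is not code from the original post or from any vendor, and the payload, field names and regular expressions are constructed for illustration. It shows the vulnerable pattern (a whole onboarding payload written to a DEBUG log) beside a redacting logging filter that strips SSN, account-number and e-mail patterns before any handler writes the record.

```python
import io
import json
import logging
import re

# Constructed patterns for the data types a broker-dealer typically holds.
# Regex redaction is best-effort: it is a backstop, not a substitute for
# keeping full payloads out of debug output in production.
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN-REDACTED]"),
    (re.compile(r"\b\d{9,17}\b"), "[ACCT-REDACTED]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL-REDACTED]"),
]


def redact(text: str) -> str:
    """Replace every match of the patterns above with its placeholder."""
    for pattern, placeholder in PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite the message and its arguments before any handler formats them.

    Installed on the handler, it runs for every record that handler receives,
    so application code cannot bypass it by logging at a different level.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):          # single mapping argument
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:                          # ordinary positional tuple
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


def build_logger(name: str, stream, redacting: bool) -> logging.Logger:
    """Logger that writes to `stream`; with redacting=True the filter is active."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    if redacting:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


# Constructed sample: what an onboarding request might look like. Not real data.
SAMPLE_PAYLOAD = {
    "client": "J. Doe",
    "ssn": "123-45-6789",
    "account": "987654321012",
    "email": "jdoe@example.com",
}


def debug_log_output(redacting: bool) -> str:
    """Log the payload the way the vulnerable code did and return what hit the log."""
    buf = io.StringIO()
    log = build_logger("onboarding-safe" if redacting else "onboarding-unsafe", buf, redacting)
    # Vulnerable pattern: dumping the entire request into a debug line.
    log.debug("onboarding request payload=%s", json.dumps(SAMPLE_PAYLOAD))
    return buf.getvalue()


if __name__ == "__main__":
    print("without filter:", debug_log_output(False), end="")
    print("with filter:   ", debug_log_output(True), end="")
```

The filter is attached to the handler rather than the logger so it covers every record the handler emits, including records from child loggers. It is still only a backstop: the real control is to keep DEBUG off in production, never log whole payloads, and treat log files as holding customer data (access-restricted, encrypted at rest, and subject to the same retention limits as the records themselves).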


Effective Practices

The risk alert recommends that firms implement a configuration management program that includes data classification, vendor supervision and security policies and procedures, in order to mitigate the risks associated with on-site or cloud network storage solutions.

OCIE offers the following as examples of features of effective configuration management programs, data classification procedures and vendor management programs:

Policies and procedures designed to support the installation, ongoing maintenance and regular review of network storage solutions.

Guidelines for security controls and baseline configuration standards that ensure each network storage solution provides the appropriate level of protection.

Vendor management policies and procedures that include, among other things, regular software patching and hardware updates, together with reviews to confirm that such patches and updates have not unintentionally changed, weakened or otherwise modified security settings.
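The three findings above (misconfigured storage, unchecked vendor-provided settings, and no data-type-specific controls) and the practices just listed (a baseline configuration standard, plus a review after each patch) come together in one mechanical check. The Python example below is added here and is not code from the original post, from OCIE or from any vendor; the setting names, the baseline values and the two configuration snapshots are constructed to resemble what a firm would export from a cloud bucket or a NAS share. It audits a snapshot against the baseline, flags any grant to an anonymous principal, and diffs two snapshots to show what a vendor update changed.

```python
"""Baseline check and drift detection for a network storage configuration."""

# Assumed baseline: what the firm's written standard requires of every storage
# location that holds customer records. Key names are illustrative, not any
# vendor's real setting names.
BASELINE = {
    "public_access_prevention": "enforced",
    "uniform_bucket_level_access": True,
    "encryption_at_rest": "customer-managed-key",
    "object_versioning": True,
    "access_logging": True,
    "tls_min_version": "1.2",
}

# Principals that make an access grant world- or tenant-wide readable.
ANONYMOUS_PRINCIPALS = {"allUsers", "allAuthenticatedUsers", "Everyone", "*"}


def audit_against_baseline(config: dict, baseline: dict = BASELINE) -> list:
    """One finding per deviation from the baseline; an empty list means compliant."""
    findings = []
    settings = config.get("settings", {})
    for key, required in baseline.items():
        if key not in settings:
            findings.append(f"{config['name']}: {key} not set (baseline requires {required!r})")
        elif settings[key] != required:
            findings.append(f"{config['name']}: {key}={settings[key]!r} (baseline requires {required!r})")
    # Access grants are checked separately: a single anonymous principal on any
    # role is a finding regardless of how the other settings look.
    for grant in config.get("grants", []):
        anonymous = ANONYMOUS_PRINCIPALS & set(grant.get("members", []))
        if anonymous:
            findings.append(f"{config['name']}: role {grant['role']} granted to {sorted(anonymous)}")
    return findings


def diff_snapshots(before: dict, after: dict) -> dict:
    """Settings whose value changed between two reviews, e.g. across a vendor patch."""
    changed = {}
    for key in sorted(set(before["settings"]) | set(after["settings"])):
        old, new = before["settings"].get(key), after["settings"].get(key)
        if old != new:
            changed[key] = (old, new)
    return changed


# Constructed snapshots of one storage location, before and after a vendor update.
SNAPSHOT_BEFORE = {
    "name": "client-records",
    "settings": dict(BASELINE),
    "grants": [{"role": "objectViewer", "members": ["group:compliance@example.com"]}],
}

SNAPSHOT_AFTER = {
    "name": "client-records",
    "settings": {**BASELINE, "public_access_prevention": "inherited", "object_versioning": False},
    "grants": [
        {"role": "objectViewer", "members": ["group:compliance@example.com"]},
        {"role": "objectViewer", "members": ["allUsers"]},
    ],
}


def review(before: dict, after: dict) -> dict:
    """The periodic review the alert describes: drift since last time plus current baseline status."""
    return {
        "drift": diff_snapshots(before, after),
        "findings": audit_against_baseline(after),
    }


if __name__ == "__main__":
    result = review(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for key, (old, new) in result["drift"].items():
        print(f"DRIFT    {key}: {old!r} -> {new!r}")
    for finding in result["findings"]:
        print(f"FINDING  {finding}")
```

The same baseline applies whether the storage is on-site or vendor-provided; what differs is only how the snapshot is collected (a cloud provider's API, a NAS export, or a vendor's configuration report). Note that the grant check is independent of the settings check: an `allUsers` grant would not appear in the drift output if it had been present at the previous review too, so both halves of the review are needed.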

OCIE highlighted risks for broker-dealers and investment advisers that use the cloud and other types of network storage solutions to hold electronic records and information.

The risk alert can be found at:

Cloud Directory Users: Our cloud data security on FIN Compliance

Our RIA Cloud Storage is powered by Google Cloud Platform, a third-party cloud computing service from Google that offers hosting on the same infrastructure Google uses internally for end-user products such as Google Search and YouTube. Cloud Platform provides developer products for building anything from simple websites to complex applications. FIN Compliance is not affiliated with Google or any of its affiliates.

Google maintains the following security certifications, attestations and compliance offerings for the listed services:

SOC 1™ (SSAE-16/ISAE-3402) - G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
SOC 2™ - G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
SOC 3™ - G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
ISO 27001 - G Suite and Google Cloud Platform
ISO 27017 - G Suite and Google Cloud Platform
ISO 27018 - G Suite and Google Cloud Platform
HIPAA - G Suite, Google App Engine, Google Compute Engine, Google Cloud Storage, Google BigQuery, Google Cloud SQL
FedRAMP - Google App Engine, G Suite

Second factor authentication
Users can add another layer of login verification through password security questions. Note that security questions are knowledge-based, the same factor category as the password itself, so they do not constitute a true second factor; a time-based one-time code from an authenticator app or a hardware security key does, and firms should prefer one of those wherever it is available.

In addition, we recommend that firms document in their compliance/operations manuals a policy covering password storage, password updates, employee recordkeeping, access privileges and other data safeguards. We encourage encrypting any document files that contain customer personally identifiable information (PII).

Security enhancements/updates
Based on this alert, we will be building out our configuration management program to include data classification, vendor supervision and security procedures that mitigate the risks associated with our on-site and cloud network storage solutions.

An overview of these policies will be updated on our Disclaimers/Security page found here: https://fincompliance.io/Disclaimers

Clients may contact us for more information on our cloud storage system capabilities. 


Compliance/Business Management Systems

About FIN Compliance 

FIN Compliance (FinCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm, RIA Review, a compliance-management software tool (SaaS), B-D Review, a RIA/Broker-Dealer compliance management software tool, FIN Ventures, providing business/startup strategies, and FINLancer, a business management portal featuring:  E-signature tools; Invoicing integration, Vendor Directory, continuity directory*, business client document portal, and more (available by Q4 2019).  

Access all services on one site: FINCompliance.io.

Review our brochure here


Our Products and Services

RIA Registration Services:  Adding new Jurisdictions
Compliance Consulting:  Ongoing review Assistance, policy & procedures, and filings.
Compliance Management System: for internal review process.
Business Management System: for Project/Task Delegation, Business/Firm Directory, E-contracts, workflows, and more 

Succession Planning/Transition and Partner Matchmaking Services

We are pleased to announce a new deal-flow service that includes transition planning, deal flow and partnerships. More information will be available as the offering develops. Both established and new advisers can begin to prepare for changes in the industry. It is a good time to evaluate opportunities, whether you are a young firm looking to buy a book of business or an older adviser looking to establish an exit for retirement. For interested firms, we offer a matchmaking service that connects established and new firms for deal flow, succession planning, partnerships and more.



Business Directory 


Impact

FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered with more than fifteen youth programs in locations such as South Korea, China, South Africa, Thailand and India.

19 comments:

  1. It was all around exquisite to investigate an article made on this blog. I may in like way need to consolidate a couple of structures with the best of my insight which can help the peruser to a normally extending degree. cyber security services

  2. Today almost every industry is working in digital space to either market their products effectively or to communicate between their teams globally. Especially companies spread across the globe, working on several domains, seek crystal-clear communication. Get a business texting app for that purpose.

  3. You have outdone yourself this time. It is probably the best, shortest step-by-step guide that I have ever seen. Integriti Access Control Melbourne

  4. On the off chance that this administrator essentially shows the cell set in line I and section j, the entrance in memory to that cell will be completed by moving from I * all out number of segments + j spaces in the memory. ExcelR Data Science Courses

  5. https://www.flowingcode.com/2017/10/implementing-spring-security-on-vaadin.html?showComment=1568278725712#c6502624274931993937

  6. As the problem solution, this platform provides scalability, security and rich data analysis for transforming real-time data streams into effective and functional customer insights for business development and success. Data Analytics Courses

  7. After reading your article I was amazed. I know that you explain it very well. And I hope that other readers will also experience how I feel after reading your article.

    Digital marketing course

  8. I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it.
    data analytics course
    business analytics course
    data science courses

  9. This was amazing! I haven't seen this type of blog ever! Thank you for sharing. data science training

  10. Very interesting blog. Many blogs I see these days do not really provide anything that attracts others, but believe me the way you interact is literally awesome. You can also check my articles as well.

    Data Science In Bangalore With Placements
    Data Science Course In Bangalore
    Data Science Training In Bangalore
    Best Data Science Courses In Bangalore
    Data Science Institute In Bangalore

    Thank you.

  11. Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. Keep posting. Thanks for sharing.
    Data Science Training Institute in Bangalore

  12. I really enjoy simply reading all of your weblogs. Simply wanted to inform you that you have people like me who appreciate your work. Definitely a great post. Hats off to you! The information that you have provided is very helpful.
    Best Data Science Courses In Bangalore

  13. You actually make it look so easy with your performance but I find this matter to be actually something which I think I would never comprehend. It seems too complicated and extremely broad for me. I'm looking forward to your next post, I'll try to get the hang of it!
    Data Science Course in Bangalore (https://360digitmg.com/india/data-science-using-python-and-r-programming-bangalore)

  14. I have expressed a few of the articles on your website now, and I really like your style of blogging. I added it to my favorites blog site list and will be checking back soon…
    Data Science Training in Bangalore

  15. Attend the Data Analyst Course from ExcelR. Practical Data Analyst Course sessions with assured placement support from experienced faculty. ExcelR offers the Data Analyst Course.
    Data Analyst Course

  16. Very nice blogs!!! I have to learn a lot of information from this site… Sharing wonderful information. Thanks for sharing this valuable information to our vision. You have posted a trustworthy blog; keep sharing. best data science courses in hyderabad

  17. Thank you for sharing wonderful information with us. Really useful for everyone. data scientist courses

  18. Very well explained. I would like to thank you for the efforts you have made in writing this awesome article. This article inspired me to read more. Keep it up.
    Correlation vs Covariance
    Simple Linear Regression
    data science interview questions
    KNN Algorithm
    Logistic Regression explained
