Thursday, May 30, 2019

SEC Risk Alert - Data Security and Use of Third Party Vendors

David McNeal, Consultant and Contributor of My Compliance Blog
Cory Roberson, Principal of FIN Compliance and FIN Lancer

May 30, 2019. The SEC Office of Compliance Inspections and Examinations (“OCIE”) published a security risk alert based on its examination findings regarding broker-dealer and investment adviser firms that store electronic customer records and information using various types of storage, including third-party vendor solutions.

Data Protection (Regulation S-P, 17 C.F.R. § 248.30(a)) requires every SEC-registered broker-dealer and investment adviser to adopt written policies and procedures addressing the administrative, technical and physical safeguards in place to protect customer records and information.

During examinations, OCIE staff reported the following concerns that may raise compliance issues under Regulations S-P and S-ID:

Misconfigured network storage solutions.
In some cases, firms had not configured the security settings of their network storage solutions to protect against unauthorized access. Some firms also had no policies or procedures addressing the security configuration of their network storage solutions, and in other cases the misconfiguration resulted from ineffective monitoring of the storage solutions already in use.

Inadequate oversight of vendor-provided network storage solutions.
In other cases, firms had not ensured that the security settings of vendor-provided network storage solutions were configured in accordance with the firm's standards, whether those standards were set by policies and procedures, contractual provisions or otherwise.

Insufficient data classification policies and procedures.
Lastly, the OCIE reports that some firms' policies and procedures did not identify the different types of data the firm stores electronically or the appropriate controls for each data type.

For instance, the popular CRM vendor Redtail experienced a data breach after it “inadvertently stored investors' personal information on a debug log file.” Cybersecurity experts believe this vendor is not alone in the risks associated with handling customer data in debug mode.


Effective Practices

The risk alert recommends that firms implement a configuration management program that includes data classification, vendor supervision, and security policies and procedures to mitigate the risks associated with the use of on-site or cloud network storage solutions.

The OCIE cites the following as examples of features found in effective configuration management programs, data classification procedures and vendor management programs:

Policies and procedures designed to support installation of the network storage solutions, ongoing maintenance and regular review.

Security check guidelines and baseline configuration standards to ensure proper protection levels for each network solution.

Vendor management policies and procedures that include, among other things, regular software patches and hardware updates, together with reviews to ensure that such patches and updates have not changed, weakened or otherwise modified security settings unintentionally.
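The three practices above (a written baseline per storage solution, controls that depend on the classification of the data stored, and a post-patch review that catches settings an update has weakened) can be exercised as one check. The following is an added example written for this page, not code from the OCIE alert or from FIN Compliance; the setting names, the two data classifications, and the before/after configurations in the inventory are constructed for the illustration, and a real program would map them onto the vendor's actual configuration export.

```python
"""Baseline-drift review for network/cloud storage security settings.

Constructed example: each store is tagged with a data classification, the
firm's written baseline says which settings that classification requires,
and after a vendor patch the exported configuration is compared against the
baseline.  Settings that were compliant before the patch and are not after
it are flagged as introduced by the update.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# A check is (setting name, predicate on the live value, human-readable requirement).
Check = Tuple[str, Callable[[Any], bool], str]


def required(setting: str, value: Any) -> Check:
    """Setting must hold exactly `value` (a missing setting never passes)."""
    return (setting, lambda v: v == value, f"must be {value!r}")


def at_least(setting: str, minimum: float) -> Check:
    """Numeric setting must be at least `minimum` (a missing setting never passes)."""
    return (setting, lambda v: v is not None and v >= minimum, f"must be >= {minimum}")


# Written baseline per data classification (constructed names, not a vendor's keys).
# Stores holding customer records get the stricter set, including a ban on debug
# logging, which is the failure mode behind the log-file incident described above.
BASELINES: Dict[str, List[Check]] = {
    "internal": [
        required("public_access", False),
        required("encryption_at_rest", True),
        at_least("tls_min_version", 1.2),
    ],
    "customer_pii": [
        required("public_access", False),
        required("encryption_at_rest", True),
        at_least("tls_min_version", 1.2),
        required("access_logging", True),
        required("mfa_required", True),
        required("debug_logging", False),
    ],
}


@dataclass(frozen=True)
class Finding:
    store: str
    setting: str
    actual: Any
    requirement: str
    introduced_by_update: bool


def check_store(store: str, classification: str, config: Dict[str, Any]) -> List[Finding]:
    """Compare one store's live configuration against the baseline for its classification."""
    findings = []
    for setting, ok, requirement in BASELINES[classification]:
        actual = config.get(setting)  # absent settings are treated as non-compliant
        if not ok(actual):
            findings.append(Finding(store, setting, actual, requirement, False))
    return findings


def review_update(store: str, classification: str,
                  before: Dict[str, Any], after: Dict[str, Any]) -> List[Finding]:
    """Post-patch review: every deviation in `after`, marking those that `before` did not have."""
    already_bad = {f.setting for f in check_store(store, classification, before)}
    return [
        Finding(f.store, f.setting, f.actual, f.requirement, f.setting not in already_bad)
        for f in check_store(store, classification, after)
    ]


# Constructed inventory: configuration exports taken before and after a vendor update.
INVENTORY: Dict[str, Dict[str, Any]] = {
    "client-records": {
        "classification": "customer_pii",
        "before": {"public_access": False, "encryption_at_rest": True, "tls_min_version": 1.2,
                   "access_logging": True, "mfa_required": True, "debug_logging": False},
        "after": {"public_access": False, "encryption_at_rest": True, "tls_min_version": 1.0,
                  "access_logging": True, "mfa_required": True, "debug_logging": True},
    },
    "marketing-assets": {
        "classification": "internal",
        "before": {"public_access": False, "encryption_at_rest": False, "tls_min_version": 1.2},
        "after": {"public_access": True, "encryption_at_rest": False, "tls_min_version": 1.2},
    },
}


def run_review(inventory: Dict[str, Dict[str, Any]]) -> Dict[str, List[Finding]]:
    """Review every store in the inventory and return findings keyed by store name."""
    return {name: review_update(name, entry["classification"], entry["before"], entry["after"])
            for name, entry in inventory.items()}


if __name__ == "__main__":
    for store, findings in run_review(INVENTORY).items():
        for f in findings:
            tag = "WEAKENED BY UPDATE" if f.introduced_by_update else "pre-existing"
            print(f"{store}: {f.setting}={f.actual!r} ({f.requirement}) [{tag}]")
```

Running the module prints two findings for the customer-records store, both introduced by the update (the TLS floor dropped and debug logging was switched on), and two for the internal store, one of which (encryption at rest) was already non-compliant before the patch and so points at a gap in the baseline review rather than at the update. Keeping the two kinds of finding apart is what lets the vendor-oversight review answer the alert's question: did the update change our security settings, or were they never set to our standard in the first place?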

The OCIE highlighted the risks that arise when broker-dealers and investment advisers use the cloud and other types of network storage solutions to store electronic records and information.

The risk alert can be found at:

Cloud Directory Users: Our cloud data security on FIN Compliance

Our RIA Cloud Storage is powered by Google Cloud Platform, a third-party cloud computing service by Google that offers hosting on the same supporting infrastructure that Google uses internally for end-user products like Google Search and YouTube. Cloud Platform provides developer products to build a range of programs from simple websites to complex applications. FIN Compliance is not affiliated with Google nor any of its affiliates.

Google maintains the following security certifications:

SOC 1 (SSAE-16/ISAE-3402) - G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
SOC 2 - G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
SOC 3 - G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
ISO 27001 - G Suite and Google Cloud Platform
ISO 27017 - G Suite and Google Cloud Platform
ISO 27018 - G Suite and Google Cloud Platform
HIPAA - G Suite, Google Compute Engine, Google Cloud Storage, Google BigQuery, Google Cloud SQL
HIPAA - Google App Engine, G Suite
FedRAMP - Google App Engine, G Suite

Second-factor authentication
Users can add another layer of security through the use of password security questions.

In addition, we recommend that firms set out in their compliance/operations manuals a policy for password storage, password updates, employee recordkeeping, access privileges and other data safeguards. We encourage firms to encrypt any document files that contain customer personally identifiable information.

Security enhancements/updates
Based on this alert, we will be creating a configuration management program that includes data classification, vendor supervision and security procedures to mitigate the risks associated with our on-site and cloud network storage solution.

An overview of these policies will be updated on our Disclaimers/Security page found here: https://fincompliance.io/Disclaimers

Clients may contact us for more information on our cloud storage system capabilities. 


Compliance/Business Management Systems

About FIN Compliance 

FIN Compliance (FinCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; FIN Ventures, providing business/startup strategies; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q4 2019).

Access all services on one site: FINCompliance.io.

Review our brochure here


Our Products and Services

RIA Registration Services: adding new jurisdictions
Compliance Consulting: ongoing review assistance, policies & procedures, and filings
Compliance Management System: for the internal review process
Business Management System: for project/task delegation, business/firm directory, e-contracts, workflows, and more

Succession Planning/Transition and Partner Matchmaking Services

We are pleased to announce a new deal flow service that includes transition planning, deal flow, and partnerships. We will have more information available as our offering develops. Both established and new advisors can begin to prepare for changes in the industry. It is a good time to evaluate opportunities, whether you are a young firm looking to buy a book of business or an older advisor looking to establish an exit for retirement. For firms interested, we are offering a matchmaking service to connect established and new firms for deal flow, succession planning, partnerships, and more.



Business Directory 


Impact

FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as South Korea, China, South Africa, Thailand, and India.
