
Thursday, May 30, 2019

SEC Risk Alert - Data Security and Use of Third Party Vendors

David McNeal, Consultant and Contributor of My Compliance Blog
Cory Roberson, Principal of FIN Compliance and FIN Lancer

May 30, 2019. The SEC Office of Compliance Inspections and Examinations (“OCIE”) published a security risk alert based on its examination findings regarding broker-dealer and investment adviser firms that store electronic customer records and information using various types of storage, including third-party vendor solutions.

Data Protection – Regulation S-P (17 C.F.R. 248.30(a)) requires every SEC-registered broker-dealer and investment adviser to adopt written policies and procedures addressing the administrative, technical and physical safeguards in place to protect customer records and information.

During examinations, OCIE staff reported the following concerns that may raise compliance issues under Regulations S-P and S-ID:

Misconfigured network storage solutions.
In some cases, companies had not properly configured their network storage solution's security settings to protect against unauthorized access. Moreover, some companies did not have policies or procedures addressing the security configuration of their network storage solutions. Furthermore, misconfigurations resulted from inadequate monitoring of existing storage solutions.

Inadequate oversight of vendor-provided network storage solutions.
In other cases, companies had not made sure that the security settings of vendor-provided network storage solutions were configured according to the company's standards, whether set out in policies, procedures, contractual provisions or otherwise.

Insufficient data classification policies and procedures.
Lastly, the OCIE reports that the policies and procedures of some companies did not identify the different types of data the firm stored electronically, nor the appropriate controls for each data type.

For instance, the popular CRM vendor Redtail experienced a data breach after it “inadvertently stored investors' personal information on a debug log file.” Cybersecurity experts believe this vendor is not alone in facing the risks associated with data handled in debug mode.


Effective Practices

The risk alert recommends that firms implement a configuration management program that includes data classification, vendor supervision, and security policies and procedures to mitigate the risks associated with the use of on-site or cloud network storage solutions.

The OCIE offers the following as examples of features of effective configuration management programs, data classification procedures and vendor management programs:

Policies and procedures designed to support the installation, ongoing maintenance and regular review of network storage solutions.

Security check guidelines and baseline configuration standards to ensure proper protection levels for each network storage solution.

Vendor management policies and procedures that include, among other things, regular software patches and hardware updates, and reviews to ensure that such patches and updates have not unintentionally changed, weakened or otherwise modified security settings.
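The baseline configuration standards and post-update reviews described above can be automated. The following is an added example, not from the risk alert or from FIN Compliance: it encodes a constructed per-classification baseline for storage buckets, checks a bucket configuration against it, and reports which settings a vendor update weakened. The bucket fields, classification labels and snapshot values are all hypothetical.

```python
from __future__ import annotations

# Constructed baseline: required controls per data classification.
# Encryption levels are ranked weakest -> strongest (hypothetical labels).
ENCRYPTION_RANK = {"none": 0, "provider_managed": 1, "customer_managed": 2}
BASELINE = {
    "public":       {"public_access": True,  "min_encryption": "none",             "access_logging": False},
    "internal":     {"public_access": False, "min_encryption": "provider_managed", "access_logging": True},
    "customer_pii": {"public_access": False, "min_encryption": "customer_managed", "access_logging": True},
}

def check_bucket(bucket: dict) -> list[str]:
    """Return baseline violations for one bucket configuration (empty list = compliant)."""
    name = bucket.get("name", "<unnamed>")
    cls = bucket.get("classification")
    if cls not in BASELINE:
        # Data-classification gap: no baseline can be applied, which is itself a finding.
        return [f"{name}: no data classification assigned"]
    base = BASELINE[cls]
    findings = []
    if bucket.get("public_access", False) and not base["public_access"]:
        findings.append(f"{name}: public access enabled on {cls} data")
    actual_rank = ENCRYPTION_RANK.get(bucket.get("encryption", "none"), 0)
    if actual_rank < ENCRYPTION_RANK[base["min_encryption"]]:
        findings.append(f"{name}: encryption below baseline ({base['min_encryption']})")
    if base["access_logging"] and not bucket.get("access_logging", False):
        findings.append(f"{name}: access logging disabled")
    return findings

def weakened_by_update(before: dict, after: dict) -> list[str]:
    """Findings present after a vendor patch/update that were not present before it."""
    return sorted(set(check_bucket(after)) - set(check_bucket(before)))

# Constructed snapshots of a vendor-hosted bucket taken before and after an update.
BEFORE = {"name": "client-records", "classification": "customer_pii",
          "public_access": False, "encryption": "customer_managed", "access_logging": True}
AFTER = dict(BEFORE, access_logging=False, encryption="provider_managed")

if __name__ == "__main__":
    for finding in weakened_by_update(BEFORE, AFTER):
        print("DRIFT:", finding)
```

Running the snapshots through the review on a schedule (and after every vendor release) turns the "review to ensure settings were not weakened" requirement into a repeatable check rather than a manual inspection.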

The OCIE highlighted risks related to broker-dealers and investment advisers using the cloud and other types of network storage solutions to secure electronic records and information.

The risk alert can be found at:

Cloud Directory Users: Our cloud data security on FIN Compliance

Our RIA Cloud Storage is powered by Google Cloud Platform, a third-party cloud computing service by Google that offers hosting on the same supporting infrastructure that Google uses internally for end-user products like Google Search and YouTube. Cloud Platform provides developer products to build a range of programs from simple websites to complex applications. FIN Compliance is not affiliated with Google nor any of its affiliates.

Google maintains the following security certifications:

SOC1™ (SSAE-16/ISAE-3402) - G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
SOC2™- G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
SOC3™- G Suite, Google Compute Engine, Google Cloud Storage, Google App Engine
ISO27001 - for G Suite and Google Cloud Platform
ISO27017 - for G Suite and Google Cloud Platform
ISO27018 - for G Suite and Google Cloud Platform
HIPAA - G Suite, Google Compute Engine, Google Cloud Storage, Google BigQuery, Google Cloud SQL
HIPAA - Google App Engine, G Suite
FedRAMP - Google App Engine, G Suite

Second-factor authentication
Users can add another layer of security through the use of password security questions.

In addition, we recommend that firms implement policies for password storage, password updates, employee recordkeeping, access privileges and other data safeguards in their compliance/operations manuals. We encourage encrypting any document files that contain customer personal identification information.

Security enhancements/updates
Based on these alerts, we will be building out our configuration management program to include data classification, vendor supervision and security procedures to mitigate the risks associated with our on-site and cloud network storage solutions.

An overview of these policies will be updated on our Disclaimers/Security page found here: https://fincompliance.io/Disclaimers

Clients may contact us for more information on our cloud storage system capabilities. 


Compliance/Business Management Systems

About FIN Compliance 

FIN Compliance (FinCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/broker-dealer compliance management software tool; FIN Ventures, providing business/startup strategies; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q4 2019).

Access all services on one site: FINCompliance.io.

Review our brochure here


Our Products and Services

RIA Registration Services: adding new jurisdictions
Compliance Consulting: ongoing review assistance, policies and procedures, and filings
Compliance Management System: for the internal review process
Business Management System: for project/task delegation, business/firm directory, e-contracts, workflows, and more

Succession Planning/Transition and Partner Matchmaking Services

We are pleased to announce a new deal flow service that includes transition planning, deal flow, and partnerships. We will have more information available as our offering develops. Both established and new advisers alike can begin to prepare for changes in the industry. It’s a good time to evaluate opportunities, whether you are a young firm looking to buy a book of business or an older adviser looking to establish an exit for retirement. For interested firms, we are offering a matchmaking service to connect established and new firms for deal flow, succession planning, partnerships, and more.



Business Directory 


Impact

FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.

6 comments:

  1. It was all around exquisite to investigate an article made on this blog. I may in like way need to consolidate a couple of structures with the best of my insight which can help the peruser to a normally extending degree. cyber security services

  2. Today almost every industry is working in digital space to either market their products effectively or to communicate between their teams globally. Especially companies spread across the globe, working on several domains seek a crystal clear communication. Get  business texting app for that purpose.

  3. You have outdone yourself this time. It is probably the best, most short step by step guide that I have ever seen. Integriti Access Control Melbourne

  4. On the off chance that this administrator essentially shows the cell set in line I and section j, the entrance in memory to that cell will be completed by moving from I * all out number of segments + j spaces in the memory. ExcelR Data Science Courses

  5. https://www.flowingcode.com/2017/10/implementing-spring-security-on-vaadin.html?showComment=1568278725712#c6502624274931993937
