By Alan Jackson, CISSP
My two children occasionally fight with each other. I was reminded of this fact recently when my son antagonized my daughter so much that she kicked him in the shin. I broke up the ensuing fight, sat my kids down, and talked to them. I began by asking my daughter, “Do we resort to violence in our family… even when provoked?” My daughter knew the proper response and said, “No, Dad.” I then turned to my son and asked him, “Do we intentionally bother others?” He also knew the right answer and said, “No, Dad.” Both of my children knew that they had done wrong and received gentle correction for their infraction. That incident got me thinking. Would I have been able to hold them accountable if they didn’t understand acceptable behavior? Probably not. That is why policies and procedures are so important for a firm. They define the parameters of acceptable behavior for firm employees. That is why we stated in “Your Cyber Doors and Windows” that a comprehensive set of cyber policies and procedures is a necessary component of an information security program.
When the SEC (2000) created Regulation S-P, they stated that firms must, “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” They also said that, “these written policies and procedures must be reasonably designed to insure the security and confidentiality of customer records.” The nebulous nature of this regulation made it difficult to implement. Given the lack of clear direction from the SEC, firms were left to determine what policies and procedures were appropriate on their own.
Then in 2013, a Midwest RIA experienced a data breach. The firm did everything in its power to contain the breach and to mitigate the potential harm, but the damage was already done. This breach sparked an investigation by the SEC that resulted in a fine of $75,000.00 for willful violation of Rule 30(a) of Regulation S-P. The SEC contended that this firm intentionally failed to adopt adequate policies and procedures. The SEC went on to say that it was necessary to enforce Regulation S-P, “even in cases like this when there is no apparent financial harm to clients.” This fine created a ripple throughout the investment advisor industry and forced firms to evaluate the adequacy of their policies and procedures (Source).
So what does adequate look like? Thankfully, there is an objective third-party standard that you can look to in order to determine whether your cyber policies and procedures are sufficient. This standard was put out by the National Institute of Standards and Technology (NIST), an agency of the US Federal Government, and it has become the de facto standard for cyber security in the financial services industry. NIST lists 17 different categories (which it calls “Families”) of cyber security controls. These Families are listed below. I will be addressing these categories one by one in subsequent articles. Stay tuned to see how to build your cyber policies and procedures.
NIST Cyber Families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment
- Configuration Management
- Contingency Planning
- Identification and Authorization
- Incident Response
- Media Protection
- Physical and Environmental Protection
- Security Design
- Personnel Security
- Risk Assessment
- System Acquisition
- System and Communication Protection
- System and Information Integrity
Securities and Exchange Commission (2000). 17 CFR Part 248 – Regulation S-P: Privacy of Consumer Financial Information. Release Nos. 34-42974, IC-24543, IA-1883; File No. S7-6-00.