Regulatory focus on cybersecurity is intensifying.
The Investment Lawyer
Covering Legal and Regulatory Issues of Asset Management
Vol. 21, No. 8, August 2014

Developments in Cybersecurity Law Governing the Investment Industry
By Luke T. Cadigan and Sean P. Mahoney

Regulatory focus on cybersecurity is intensifying. Unlike other compliance matters, the deterrent effect of enforcement actions following data security breaches may be insufficient to achieve regulators' purpose of ensuring that technology platforms are secure before an event occurs. Thus, in the area of cybersecurity, regulators appear to be shunning granular, prescriptive rules and instead insisting upon more holistic management of cybersecurity risk.

While regulations and guidance imposing cybersecurity requirements can be difficult to decipher, there are a number of sources that one can look to in order to discern regulatory expectations. By way of current law, brokers, dealers, investment companies and investment advisers (SEC-regulated Entities) can look to Securities and Exchange Commission (the SEC) Regulation S-P,[1] promulgated pursuant to Title V of the Gramm-Leach-Bliley Act, enforcement actions taken under that rule, and state laws governing information security generally. More current guidance was discussed at a roundtable on cybersecurity hosted by the SEC, and an alert with a sample request for information, providing more detail on expectations, was released by the SEC Office of Compliance Inspections and Examinations (OCIE). In addition to OCIE guidance, the National Institute of Standards and Technology (NIST) issued its cybersecurity framework, which appears to have been accepted by the SEC.

Existing Laws and Regulations Governing Cybersecurity

Prescriptive rules and regulations governing data security practices of SEC-regulated Entities are generally limited to discrete requirements designed to protect specific classes of information. Regulation S-P, for example, requires SEC-regulated Entities to adopt written policies and procedures with administrative, technical and physical safeguards to protect customer records and information. Unlike similar regulations promulgated by bank regulators, Regulation S-P does not contain detailed information security requirements. In 2008, the SEC proposed a significant expansion of Regulation S-P to provide more detailed requirements with respect to the information security policies and procedures of SEC-regulated Entities.[2] The SEC's proposed rule would have closely tracked the Interagency Guidelines Establishing Standards for Safeguarding Customer Information adopted by federal bank regulators.[3] The proposed regulations would have explicitly imposed a number of requirements that may otherwise be viewed as best practices, including:

- Designating employees to implement the information security program;
- Identifying risks to data security;
- Designing safeguards to protect against identified risks;
- Testing or monitoring the effectiveness of key controls, systems and procedures;
- Training staff; and
- Overseeing service providers by ensuring that they are capable of protecting data and requiring them to maintain appropriate safeguards.[4]

The proposed rules also would have imposed requirements for responding to data security breaches and providing notice to affected persons, a key concern at the time the rules were proposed.[5]

Regulation S-P further requires that SEC-regulated Entities dispose of consumer report information and protect against its unauthorized access or use in connection with its disposal.[6] "Consumer report information" is a consumer report or information derived from a consumer report. "Consumer report," in turn, is defined somewhat circularly as any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for [consumer credit, employment or other permissible purposes].[7]

In addition, the SEC promulgated Regulation S-ID pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).[8] Regulation S-ID requires SEC-regulated Entities that are financial institutions or creditors (that is, persons that regularly extend credit)[9] and that offer or maintain covered accounts to develop and implement written identity theft prevention programs designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.[10] For purposes of Regulation S-ID, a "financial institution" is an entity that maintains accounts with respect to which the account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items.[11] "Covered accounts" are consumer accounts incident to continuing relationships that allow for multiple transactions or withdrawals, or other accounts that present the risk of identity theft.[12]

There are also state data security laws that may be broadly applicable to information security programs. Massachusetts adopted one of the more detailed information security and data security breach laws, which applies to any person that holds protected personal information pertaining to Massachusetts residents.[13] The Massachusetts law protects information, however, only to the extent that it consists of a name and an identifying number, such as a social security number, driver's license number or account number. Regulations adopted under the Massachusetts statute require persons holding such protected information, which may include SEC-regulated Entities, to:

- Designate one or more employees to maintain the comprehensive information security program;
- Identify and assess reasonably foreseeable internal and external risks to information security, and assess the effectiveness of the current safeguards;
- Educate and train employees on the proper use of the computer security system and the importance of information security;
- Develop security policies for employees relating to the storage, access and transportation of protected information;
- Impose disciplinary measures for violations of the comprehensive information security program rules;
- Prevent terminated employees from accessing records containing personal information;
- Manage vendors by, among other things, ascertaining each vendor's ability to keep protected information secure and requiring that vendors maintain comprehensive information security programs;
- Impose reasonable restrictions upon access to protected information;
- Review the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information;
- Document responsive actions taken in connection with any incident involving a breach of security, and conduct a mandatory post-incident review of events and actions taken;
- Employ secure user authentication protocols;
- Encrypt all transmission of protected information and all personal information stored on laptops or other portable devices;
- Monitor for unauthorized use of or access to personal information; and
- Employ reasonably up-to-date firewall protection and operating system security patches.[14]

While the SEC has yet to impose such detailed requirements, OCIE has taken the position that Rule 15c3-5, promulgated under the Securities Exchange Act,[15] requires broker-dealers with market access to an exchange or alternative trading system, or that provide customers or other persons with such access, to maintain policies and procedures to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.[16] OCIE appears to reason that Rule 15c3-5's requirement that a broker-dealer restrict access to trading systems and technology that provide market access to persons and accounts preapproved and authorized by the broker or dealer imposes a general cybersecurity requirement.[17]

With respect to the business continuity aspect of cybersecurity, the Financial Industry Regulatory Authority, Inc.
(FINRA) has adopted a rule on the topic,[18] which was approved by the SEC in August of 2009 and became effective January 1.[19] FINRA Rule 4370 succinctly requires FINRA members to adopt a business continuity plan, designate members of senior management responsible for its implementation, and disclose to their customers how the business continuity plan addresses possible future significant business disruption. Similarly, registered investment advisers are required to have compliance policies and procedures that address business continuity plans under Rule 206(4)-7 under the Investment Advisers Act. And registered investment companies are required under Rule 38a-1 under the Investment Company Act of 1940 to have compliance policies and procedures that provide for oversight of compliance by certain fund service providers, which would include the service providers' business continuity plans.[20] Cybersecurity events such as distributed denial of service attacks (or DDoS attacks) would be the type of significant business disruption to be addressed by a business continuity plan under any of these rules.[21]

SEC Data Security Enforcement Actions

Notwithstanding the lack of detailed information security rules, the SEC has taken a number of enforcement actions under Regulation S-P with respect to data security practices. These actions typically involved what the SEC perceived as egregious violations of the regulation, such as not having cybersecurity protocols that the SEC views as fundamental, having vague policies that merely restate the rule, or having no policies at all. The actions typically involve firms operating branch networks, where the firm lacks sufficient control over branch offices.

For example, in 2008, the SEC issued a cease and desist order in response to an offer of settlement against a firm registered as a broker-dealer and investment adviser that the SEC alleged had insufficient cybersecurity, leaving the firm vulnerable to hacking attacks.[22] The alleged violations were discovered following a hacking event in which hackers were able to access customer accounts and execute trades. In particular, the SEC found the following asserted cybersecurity failures under Regulation S-P: (1) failure to require registered representatives to maintain strong passwords (that is, passwords requiring a certain length or alphanumeric/special character combinations); (2) failure to require registered representatives to reset passwords periodically; (3) failure to allow registered representatives to change their own passwords; and (4) not having an automatic lockout feature after repeated, unsuccessful log-in attempts. The SEC further criticized the firm for allegedly allowing more than 300 information technology staff to access the log-in credentials of registered representatives. The SEC acknowledged that the firm had established a committee to consider cybersecurity improvements prior to the hacking incident, but it noted that the work of the committee was not scheduled to begin until a date after the hacking incidents occurred.

A little over a year later, the SEC issued a cease and desist order in response to an offer of settlement against another firm registered as a broker-dealer and investment adviser that the SEC alleged had insufficient cybersecurity.[23] Like the 2008 action, this action arose out of a hacking incident in which hackers allegedly accessed account information and used that information to execute trades. The particular shortcomings in cybersecurity involved the firm's alleged failure to require branch offices to install antivirus software, and knowledge through the firm's information technology help desk that certain branches did not have antivirus software. In this case, the alleged hacking occurred through the use of a computer virus.

Another enforcement action in 2009 involved a registered broker-dealer's failure to maintain adequate policies and procedures and failure to train branch office personnel.[24] SEC Staff described the firm's policies and procedures as simply restating the objectives of the information security provisions of Regulation S-P and not addressing any administrative, technical or physical safeguards associated with customer records or information, including how to dispose properly of such records when they were no longer needed. This action did not involve any information systems that were hacked; rather, the SEC alleged that records containing customer information were abandoned on the side of a road by a former registered representative and left there for approximately two weeks. This action stresses the SEC's view of the importance of data disposal procedures under Regulation S-P.

More recently, in a series of enforcement actions taken in 2011 in connection with the winding down of a registered broker-dealer, the SEC imposed civil money penalties against executives and other employees for, among other things, allegedly taking no action to prevent or respond to security breaches involving theft of laptops and access to firm by former employees.[25] The SEC also asserted that the respondents violated Regulation S-P by transferring customer records of the firm winding down without customer consent, highlighting the obligations of officers and employees to safeguard data as part of a firm's cybersecurity responsibilities. In this case, a chief compliance officer was assessed civil money penalties for the alleged cybersecurity-related violations.

While these enforcement actions indicate the SEC's willingness to use existing regulations to ensure the security of sensitive information, they all share one common element: each action was commenced after an alleged incident of unauthorized access to customer information. These actions also have little to do with potential risks associated with access to information systems of SEC-regulated Entities where such access involves sensitive information that is not protected by Regulation S-P.
It should be no surprise that recent statements and releases from the SEC indicate that the SEC is looking to take a more proactive approach to cybersecurity.

Guidance Addressing Cybersecurity

While the increasing focus on cybersecurity is unmistakable, the SEC has been following this issue for some time. Over the past few years, OCIE has repeatedly indicated that risk management is one of its examination priorities.[26] Further, with respect to technology, OCIE has indicated that it will examine
governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages.[27] In so many words, cybersecurity has been on the minds of OCIE Staff, with a specific reference to the term itself.[28]

On March 26, 2014, the SEC held a roundtable at which SEC Commissioners and external panelists were invited to discuss cybersecurity issues.[29] Dialogue among the panelists focused on measures that could be taken to ensure firms are dedicating resources to risk management and good internal controls. Potential next steps included: sharing of information and best practices; principles-based guidance; preparation of incident response playbooks; tailoring requirements so they can be adapted to firms of varying profiles (including small firms); and encouraging further planning, testing and communication. SEC Staff stressed the need for disaster recovery planning and the ability to recover from any outages, including those caused by cybersecurity breaches such as DDoS attacks. One unexpected consensus among panelists was that they invited additional regulations or other cybersecurity guidance that would help SEC-regulated Entities focus on particular cybersecurity risks and techniques to mitigate them. One panelist suggested that the SEC's proposed amendments to Regulation S-P could be viewed as guidance to help SEC-regulated Entities establish comprehensive information security programs. Most of the panelists seemed to agree that the Framework for Improving Critical Infrastructure Cybersecurity, released February 12, 2014 by NIST,[30] is a source of sound guidance for SEC-regulated Entities in designing cybersecurity programs.

Less than one month after the SEC roundtable, OCIE followed up with a risk alert indicating that 50 broker-dealers and registered investment advisers would be examined with an eye towards cybersecurity policies and procedures.[31] The OCIE risk alert included a sample information request that provides a glimpse into the types of policies, procedures and protocols that OCIE views as part of a cybersecurity program. This risk alert provides the most comprehensive SEC guidance on cybersecurity to date. Implicit in the OCIE sample information request is that SEC-regulated Entities should incorporate or use as a model the NIST framework or other published cybersecurity risk management process standards. The OCIE focus on the NIST framework can be viewed as a shift from crafting specific rules on cybersecurity to conveying expectations as to risk management activities around cybersecurity.

The NIST framework is, after all, essentially a risk management framework tailored to cybersecurity activities. The framework consists of three main areas: core activities, implementation tiers and a framework profile. The NIST framework establishes that the crux of expected cybersecurity activities would include identification (or risk assessments), protection activities (or risk mitigation), detection activities (or monitoring), response activities and recovery activities. Each area is further divided into subgroups, which makes the framework inherently scalable by allowing an organization to implement only those areas that are relevant to it. Through the use of implementation tiers and framework profiles, an organization may use the framework to assess the organization's current profile and create a target profile and plan for transitioning from the current state to the desired state.

Consistent with the NIST framework, the OCIE sample information request is organized around assessment activities, including: (1) assessment of technology assets and risks, (2) cybersecurity protection activities, (3) specific risks associated with customer access, (4) specific risks associated with vendors and third parties, and (5) detection of unauthorized activity. With respect to assessment activities, OCIE appears to expect that firms are inventorying physical devices, systems, software platforms and applications. Such inventories should prioritize resources for protection. It also suggests that firms should catalogue connections and data flows, including connections from external sources. It is expected that firms are already conducting periodic assessments of both cybersecurity and physical security, with documented findings. Firms should also be aware of any insurance coverage maintained for cybersecurity events, including the limitations of such coverage. The information request reminds us that SEC-regulated Entities should have written information security programs that conform to Regulation S-P, as well as Regulation S-ID (Identity Theft Red Flags Rules), if applicable, and that specifically address removable and portable media. The information request suggests that such programs should incorporate documentation of responsibilities for employees and managers with respect to cybersecurity, and that training for both employees and vendors with access to the firm's network should be documented. Note that for many SEC-regulated Entities these specific aspects of a written information security program may already be required under applicable state laws governing information security.

As for protection activities, the OCIE sample information request solicits information pertaining to the following specific data security protection activities:

- providing written guidance and periodic training to employees concerning information security risks and responsibilities;
- maintaining controls to prevent unauthorized escalation of user privileges and lateral movement among network resources;
- restricting users' access to those network resources only as necessary for their business functions;
- maintaining a segregated environment for testing and development of software and applications;
- preventing users from altering the baseline configuration of hardware and software without authorization;
- managing IT assets and performing regular system maintenance;
- maintaining controls to secure removable and portable media against malware and data leakage;
- maintaining protection against DDoS attacks for critical internet-facing IP addresses;
- maintaining a written data destruction policy;
- maintaining a written cybersecurity incident response policy;
- periodically testing the functionality of the firm's backup system;
- use of encryption; and
- conducting periodic audits of compliance with the firm's information security policies.

With respect to risks associated with customer transactions, many of the items in the OCIE sample information request relate to authentication procedures used when employees and customers access an SEC-regulated Entity's network. This, perhaps, portends some guidance or standards around authentication, similar to the FFIEC 2005 guidance entitled "Authentication in an Internet Banking Environment"[32] and the supplement thereto.[33] The OCIE sample information request also contains a number of information requests relative to hacking activity or attempted intrusions into a firm's network. Implicit in this request is that a firm is monitoring such activity and maintaining appropriate logs.
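The following is an added illustration, not code from the article or from K&L Gates, of what the account-access controls discussed above look like in practice: the password strength, periodic reset and automatic lockout the SEC faulted in the 2008 enforcement action, together with the audit logging of failed and locked-out log-in attempts that the OCIE sample request implies a firm should keep. The policy thresholds (12 characters, three character classes, 90-day age, five failures in 15 minutes), the account names, the IP addresses and the timestamps are all constructed for the example; the article states none of them.

```python
"""Password-policy check, lockout after repeated failures, and an append-only
audit log. Added example; thresholds and sample data are constructed, not
taken from the article or any regulation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Assumed policy values; a firm sets its own in its written program.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)


def password_policy_violations(pw: str, last_changed: datetime, now: datetime) -> list:
    """Return the rules a password fails (empty list means compliant).

    Covers the three password points in the 2008 action: minimum length,
    character-class mix, and periodic reset (password age)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw)]
    if sum(1 for c in classes if c) < 3:
        problems.append("needs at least three character classes")
    if now - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append("expired: periodic reset required")
    return problems


@dataclass
class AuthMonitor:
    """Tracks failed log-ins per account, locks after repeated failures
    inside a sliding window, and records every decision for examiners."""
    failures: dict = field(default_factory=dict)   # account -> recent failure times
    locked: dict = field(default_factory=dict)     # account -> time of lockout
    audit_log: list = field(default_factory=list)  # append-only, one line per attempt

    def record(self, ts: datetime, account: str, source_ip: str, success: bool) -> str:
        """Process one log-in attempt and return the decision that was logged."""
        if account in self.locked:
            decision = "rejected: account locked"
        elif success:
            self.failures.pop(account, None)   # a good log-in clears the counter
            decision = "accepted"
        else:
            window = [t for t in self.failures.get(account, []) if ts - t <= LOCKOUT_WINDOW]
            window.append(ts)
            self.failures[account] = window
            if len(window) >= LOCKOUT_THRESHOLD:
                self.locked[account] = ts
                decision = "rejected: lockout triggered"
            else:
                decision = f"rejected: failure {len(window)} of {LOCKOUT_THRESHOLD}"
        self.audit_log.append(f"{ts.isoformat()} {account} {source_ip} {decision}")
        return decision

    def locked_accounts(self) -> list:
        return sorted(self.locked)


# Constructed sample: one good session, then six failures against 'rep42'
# from a single source, the last arriving after the lockout has fired.
T0 = datetime(2014, 8, 1, 9, 0, 0)
SAMPLE_ATTEMPTS = [(T0, "rep17", "10.0.0.5", True)] + [
    (T0 + timedelta(seconds=20 * i), "rep42", "198.51.100.9", False) for i in range(6)
]


def days_before(n: int) -> datetime:
    """Helper for the examples below: a timestamp n days before T0."""
    return T0 - timedelta(days=n)


def run_sample() -> AuthMonitor:
    mon = AuthMonitor()
    for ts, acct, ip, ok in SAMPLE_ATTEMPTS:
        mon.record(ts, acct, ip, ok)
    return mon


if __name__ == "__main__":
    mon = run_sample()
    print("\n".join(mon.audit_log))
    print("locked:", mon.locked_accounts())
    print("weak password:", password_policy_violations("summer14", days_before(200), T0))
    print("compliant password:", password_policy_violations("Tr0ub4dor&3-long", days_before(10), T0))
```

The audit log is the artefact an examiner would ask for: it shows that the fifth failure inside the window locked the account and that the sixth attempt was refused outright, which is the evidence of monitoring and response that the information request is looking for.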
In other words, there is an expectation that each firm is subjected to hacking attempts, but the awareness of such attacks and the responses thereto are what is critical.

The Road Ahead

With Regulation S-P as a starting point and the OCIE guidance and NIST framework being potential proxies for current SEC thinking, it appears the SEC may be moving toward a principles-based, risk management regime for cybersecurity. Accordingly, cybersecurity activities can no longer be viewed as issues confronting only compliance or information technology departments. Cybersecurity is increasingly viewed as an enterprise-wide concern that
needs to start at the board of directors of a firm and permeate throughout the organization. Future examination and enforcement actions may not be limited to discrete violations of Regulation S-P, but may take into account assessments of risk management activities addressing cybersecurity.

In implementing cybersecurity plans, firms need to be careful to avoid silos. Given that cybersecurity will involve both the use of secure technology and training and compliance by natural persons, collaboration between information technology professionals and human resources professionals will be crucial. Moreover, input from operations professionals is also critical, to ensure that any secure technologies adopted will be used and to avoid the development of "shadow IT" by operations professionals developing workarounds to firm technologies without organizational approval. The emergence of shadow IT may itself be a discrete risk that firms will be expected to assess at some point in the future.

In any event, the guidance from regulators in this area is evolving rapidly to respond to the fast-changing nature of cybersecurity threats. The challenge for regulators is to devise a framework that allows firms to adapt their risk management programs rapidly without running afoul of discrete requirements.

Messrs. Cadigan and Mahoney are partners in the Boston, MA office of K&L Gates LLP.

NOTES

1. 17 C.F.R. (a).
2. Fed. Reg. (March 13, 2008).
3. Fed. Reg. (February 1, 2001).
4. Fed. Reg. at .
5. Fed. Reg. at .
6. C.F.R. (b).
7. U.S.C. 1681a(d).
8. U.S.C. 1681m(e); 17 Code Fed. Regs. .
9. U.S.C. 1691a(d).
10. C.F.R. (d).
11. C.F.R. (a); 15 U.S.C. 1681a(t); 12 U.S.C. 461(b).
12. C.F.R. (b)(1), (3).
13. Mass. Gen. Laws ch. 93H, 93I; 201 Code Mass. Regs. et seq.
14. 201 Code Mass. Regs. , .
15. 17 Code Fed. Regs. c .
16. OCIE National Exam Program Risk Alert (September 29, 2011), available at: gov/about/offices/ocie/riskalert-mastersubaccounts.pdf.
17. See 17 Code Fed. Regs. c3-5(c)(iii).
18. FINRA Rule .
19. FR (August 28, 2009).
20. Fed. Reg. , (enumerating policies and procedures required, including safeguards for the protection of customer information and business continuity plans) (December 24, 2003). In imposing these requirements, the SEC Staff implied that business continuity requirements arise out of an investment adviser's fiduciary duties, noting: "We believe that an adviser's fiduciary obligation to its clients includes the obligation to take steps to protect the clients' interests from being placed at risk as a result of the adviser's inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations."
21. The Federal Financial Institutions Examination Council (FFIEC), which consists of the federal bank regulators, adopted guidance highlighting that information security and business continuity plans should recognize DDoS attacks as a risk and be designed to address such risks. See Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, available at: ec.gov/press/pdf/ffiec%20ddos%20Joint%20Statement.pdf.
22. In the Matter of LPL Financial Corporation, Administrative Proceeding No. (September 11, 2008).
23. In the Matter of Commonwealth Equity Services, LLP, Administrative Proceeding No. (September 29, 2009).
24. In the Matter of J.P. Turner & Company, LLC, Administrative Proceeding No. (July 17, 2009).
25. See In the Matter of Frederick O. Kraus, SEC Administrative Proceeding (April 7, 2011); In the Matter of David C. Levine, SEC Administrative Proceeding (April 7, 2011); In the Matter of Marc A. Ellis, SEC Administrative Proceeding (April 7, 2011).
26. OCIE Examination Priorities for 2013 (January 9, 2014), available at: ces/ocie/national-examination-program-priorities pdf; OCIE Examination Priorities for 2013 (February 21, 2013), available at: gov/about/offices/ocie/national-examination-program-priorities-2013.pdf; Examinations by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (February 2012), available at: ces/ocie/ocieoverview.pdf.
27. OCIE Examination Priorities for 2013 (January 9, 2014), available at: ocie/national-examination-program-priorities-2014.pdf.
28. Examinations by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations at 33 (February 2012).
29. A transcript is available at: light/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.
30. Available at: upload/cybersecurity-framework final.pdf.
31. OCIE National Exam Program Risk Alert (April 15, 2014), available at: ment/cybersecurity+risk+alert++%2526+appendix pdf.
32. Available at: ec.gov/pdf/authentication_guidance.pdf.
33. Available at: ec.gov/pdf/auth-its-Final% %20(FFIEC%20Formated).pdf.

Copyright 2014 CCH Incorporated. All Rights Reserved. Reprinted from The Investment Lawyer, August 2014, Volume 21, Number 8, pages 9-16, with permission from Aspen Publishers, Wolters Kluwer Law & Business, New York, NY.
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationTEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
More informationThe Problems With SEC s Cybersecurity Approach
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com The Problems With SEC s Cybersecurity Approach Law360,
More informationCybersecurity Risks, Regulation, Remorse, and Ruin
Financial Planning Association of Michigan 2014 Fall Symposium Cybersecurity Risks, Regulation, Remorse, and Ruin Shane B. Hansen shansen@wnj.com (616) 752-2145 October 23, 2014 Copyright 2014 Warner Norcross
More informationNavigating the New MA Data Security Regulations
Navigating the New MA Data Security Regulations Robert A. Fisher, Esq. 2009 Foley Hoag LLP. All Rights Reserved. Presentation Title Data Security Law Chapter 93H Enacted after the TJX data breach became
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationState Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4
State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationPROPOSED INTERPRETIVE NOTICE
August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationProtecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)
Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) May 15, 2009 LLP US Information Security Framework Historically industry-specific HIPAA Fair Credit Reporting
More informationUNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION
UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION SECURITIES EXCHANGE ACT OF 1934 Release No. 60733 / September 29, 2009 INVESTMENT ADVISERS ACT OF 1940 Release No. 2929 / September
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More informationRANDOLPH COUNTY PUBLIC WORKS. Identity Theft Prevention Program. Adopted September 1, 2009 Effective beginning September 1, 2009
RANDOLPH COUNTY PUBLIC WORKS Identity Theft Prevention Program Adopted September 1, 2009 Effective beginning September 1, 2009 I. PROGRAM ADOPTION The Randolph County Public Works Department ( the Department
More informationWHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS
WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS Introduction Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationDEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed
More informationAUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM
GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationCalifornia State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
More informationHow To Protect Your Cybersecurity From Cyber Incidents
SEC ENFORCEMENT The SEC s Two Primary Theories in Cybersecurity Enforcement Actions By Daniel F. Schubert, Jonathan G. Cedarbaum and Leah Schloss WilmerHale Cyber attacks are increasingly common and affect
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationPage 1. Copyright 2009. MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.
Page 1 Page 2 Page 3 Agenda Defining the Massachusetts Personal Data Security Law Becoming Compliant Page 4 Massachusetts Privacy Law Defining the Massachusetts Personal Data Security Law - 201 CMR 17.00
More informationIdentity theft continues to make headlines as evidenced by the
Investment Advisers Must Ramp Up Identity Theft Prevention Efforts By Bibb L. Strench Bibb L. Strench is Counsel at Seward & Kissel s Washington, D.C. office. He provides advice to registered investment
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationFortinet Solutions for Compliance Requirements
s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationIDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579
IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Daniel J. Blake, Esq. Vijay K. Mago, Esq. LeClairRyan, A Professional Corporation LeClairRyan, A Professional Corporation One International Place, Eleventh Floor
More informationDelaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
More informationFeatured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance?
Featured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance? Article contributed by: Nancy L. Perkins, Arnold & Porter LLP As of November 1, 2008,
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationRANDOLPH COUNTY EMERGENCY SERVICES & TAX DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009
RANDOLPH COUNTY EMERGENCY SERVICES & TAX DEPARTMENT Identity Theft Prevention Program Adopted August 3, 2009 Effective beginning August 1, 2009 I. PROGRAM ADOPTION The Randolph County Emergency Services
More informationAppendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises
Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis
More informationSEC update: Cybersecurity initiatives. SEC update: Cybersecurity initiatives. Intelligize // 02
Intelligize // 02 As is tradition, at the beginning of the year, the U.S. Securities and Exchange Commission outlined both its current state of affairs and annual goals for maintaining proper compliance
More informationHIPAA Compliance and the Protection of Patient Health Information
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
More informationOCIE Technology Controls Program
OCIE Technology Controls Program Cybersecurity Update Chris Hetner Cybersecurity Lead, OCIE/TCP 212-336-5546 Introduction (Role, Disclaimer, Background and Speech Topics) SEC Cybersecurity Program Overview
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationNOTES. Cyber Security
S Cyber Security Cyber incidents can result from deliberate attacks or unintentional events. Cyber attacks include gaining unauthorized access to digital systems for purposes of misappropriating assets
More informationMassachusetts Identity Theft/ Data Security Regulations
Massachusetts Identity Theft/ Data Security Regulations Effective March 1, 2010 Are You Ready? SPECIAL REPORT All We Do Is Work. Workplace Law. In four time zones and 45 major locations coast to coast.
More informationData Privacy and Gramm- Leach-Bliley Act Section 501(b)
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
More informationCHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033
CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the
More informationBelmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.
Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.
More informationSAS 70 Exams Of EBT Controls And Processors
Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationCITY OF ANDREWS IDENTITY THEFT PREVENTION PROGRAM
CITY OF ANDREWS IDENTITY THEFT PREVENTION PROGRAM Approved: February 26, 2010 Reviewed: March 18, 2015 I. PROGRAM ADOPTION The City of Andrews ( Utility ) developed this Identity Theft Prevention ( Program
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationEnterprise PrivaProtector 9.0
IRONSHORE INSURANCE COMPANIES 75 Federal St Boston, MA 02110 Toll Free: (877) IRON411 Enterprise PrivaProtector 9.0 Network Security and Privacy Insurance Application THE APPLICANT IS APPLYING FOR A CLAIMS
More informationUNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION
UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION INVESTMENT ADVISERS ACT OF 1940 Release No. 4204 / September 22, 2015 ADMINISTRATIVE PROCEEDING File No. 3-16827 In the Matter of
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More informationRANDOLPH COUNTY HEALTH DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009
RANDOLPH COUNTY HEALTH DEPARTMENT Identity Theft Prevention Program Adopted August 3, 2009 Effective beginning August 1, 2009 I. PROGRAM ADOPTION The Randolph County Health Department ( the Department
More informationAutomation Suite for. 201 CMR 17.00 Compliance
WHITEPAPER Automation Suite for Assurance with LogRhythm The Massachusetts General Law Chapter 93H regulation 201 CMR 17.00 was enacted on March 1, 2010. The regulation was developed to safeguard personal
More informationASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010
ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection
More informationPrivacy and Data Breach Protection Modular application form
Instructions The Hiscox Technology, Privacy and Cyber Portfolio Policy may be purchased on an a-la-carte basis. Some organizations may require coverage for their technology errors and omissions, while
More informationMFA Perspective. 201 CMR 17.00: The Massachusetts Privacy Law. Compliance is Mandatory... Be Thorough but Be Practical
MFA Perspective 201 CMR 17.00: The Massachusetts Privacy Law Compliance is Mandatory... Be Thorough but Be Practical DEADLINE FOR FULL COMPLIANCE HAS BEEN EXTENDED FROM JANUARY 1, 2010 TO MARCH 1, 2010
More informationInformation Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services
Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...
More informationGEARS Cyber-Security Services
Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS... 2 1. Pre-Incident Services... 3 1.1 Incident Response Agreements... 3 1.2 Assessments
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationCYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015
CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015 TODAY S PRESENTER Viviana Campanaro, CISSP Director, Security and
More informationTHE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS
THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS David Glockner, Managing Director strozfriedberg.com Overview The big picture: what does cybercrime look like today and how is it evolving? What
More informationINFORMATION SECURITY PROGRAM
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationTesting Your Cybersecurity Infrastructure and Enforcement Related Developments
Wednesday, April 29, 2015 Testing Your Cybersecurity Infrastructure and Enforcement Related Developments Mark C. Amorosi, Investment Management Partner, K&L Gates LLP Laura L. Grossman, Assistant General
More informationSubstantive Requirements for a Registered Investment Adviser under the U.S. Investment Advisers Act of 1940
Substantive Requirements for a Registered Investment Adviser under the U.S. Investment Advisers Act of 1940 Alternative investment fund managers and other investment advisory firms that are registered
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationOVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
More informationUniversity of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template
University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative
More information