
The Cyber Security Council has requested basic "state of the state" cyber security information from each member firm of the Association. While the information that was requested in the survey questionnaire below relates solely to each respondent's overall approach to information security, it is important because the Association needs to formulate a cyber security profile of the asset management industry in order to help educate regulators. In turn, regulators and possibly the Congress might then be in a better position to help facilitate industry cooperation and information sharing by industry participants - which is deemed by cyber security experts as the key to combating cyber attacks. The cyber security profile of the asset management industry that possibly emerges from this survey and perhaps related analytical work will be subject to review and approval by the participating member firms. Once the Association completes this vetting process, the industry cyber security profile could then be shared with regulators by members and/or the Association.

1. What is the extent of awareness within your organization of the National Institute of Standards and Technology's Cybersecurity Framework (the "NIST Framework")? In any event, has the NIST Framework gained sufficient traction within your organization to the point where it has meaningfully changed how your organization manages cyber risks?
Very Aware 100%
Somewhat Aware 0%
Not Aware 0%
Other remarks: The NIST framework has impacted how we identify and evaluate cyber risks and the impact they have on our business.

2. Were you familiar with the NIST Framework before the SEC's OCIE pronouncement in April, 2014? If so, how did your organization first learn about the NIST Framework? What was your primary source of information?
Yes, familiar 60%
Not familiar 40%
Other remarks:
Aware of the NIST updated framework through Information Security periodicals and industry groups.
From internal security professionals who are knowledgeable of best practices in the information security area.
We participated in the CSF working groups to create the CSF.

3. Is your organization working with any sector-specific groups (e.g. FS-ISAC, FSSCC) or other trade groups to ascertain information about the NIST Framework? Please list any groups.
FS-ISAC and FSSCC
FS-ISAC, Wall Street Technology Association, etc.
FS-ISAC
ICI Information Security Committee
Institutional Investors Cyber Security Council
FSSCC, FS-ISAC, BITS, direct interaction with DOT and DHS

4. Is there general awareness by your colleagues that the NIST Framework: a) is intended as a cyber risk management tool for all levels of an organization in assessing risk and how cyber security factors into risk assessments; and b) builds on existing cyber security frameworks, standards, guidelines, and other management practices related to cyber security?
Only a 0%
Only b 100%
Both a and b 0%
Neither a nor b 0%

5. Has your organization adopted a standard or framework other than the NIST Framework for the purpose of guiding your information security program? If so, please indicate whether ISO-27001, COBIT, SANS, COSO or other.
ISO2700x
No, but these frameworks are the basis for our policies, standards, etc.
ISO-27001
Our program considers industry practices and proposed standards such as those promoted by NIST, COBIT, ISO-27001
ISO-27001 and COSO

6. Many organizations and most sectors operate globally or rely on the interconnectedness of the global digital infrastructure. If your organization is planning to enhance its cyber security framework, will the asset management business use it internationally or will it be a U.S. only application?
US 40%
International 40%
US & International 20%

7. Has your primary regulatory agency adopted or announced its intention to adopt the NIST Framework? If so, how extensive have your efforts been to enhance your cyber security program in light of regulatory expectations?
Very extensive / new program being implemented 0%
Recently redefined new program 20%
In process of defining enhancements 80%

8. Is your organization doing any form of outreach or education to clients, vendors or others regarding cyber security risk management?
Yes 100%
No 0%

9. Please comment on whether clients want to know the most relevant types of cyber attacks likely to apply to your organization.
Yes 100%
No 0%
Several hundred clients ask us detailed questions about this topic every year.

10. If your firm is on board with the framework, please indicate whether you have undertaken any of the following activities: awareness building with clients; assessment of your existing policies vis-a-vis the NIST Framework; development of a current state "baseline" against the likely sub-categories of the Framework; or defined a "future state" against the NIST Framework.
Yes, on board 60%
Not on board 20%
Definite program 20%
Current state assessed and future state to be defined by management.
The framework was used to review and enhance our policies and processes.

11. Regarding cyber security activities with vendors that are critical to your business, does your approach involve you categorizing these vendors? Examples of such categories could include securities valuation providers, custodians, collateral management agents, SSI data repositories, CCPs, FCMs, clearing agents (including industry utilities & trade information warehouses), etc. Please indicate any other categories that you feel are relevant to the asset management industry.
Yes 80%
No 20%
BITS Shared Assessment
We take a risk based approach to inventory and perform due diligence on our vendors and third parties.

12. Also, is it standard procedure to meet with such vendors as part of your cyber security due diligence?
Yes 100%
No 0%

13. What about actual visits to critical vendors or alternate vendors to gain an understanding of data entry and exit points -- do you conduct such visits consistent with a checklist? Briefly state the nature of these visits.
Yes 80%
No 20%
This is for a very small subset of vendors.
Site visits are conducted periodically based upon risk. A formal checklist is followed on these site visits, where the results and action items are documented as part of our vendor governance processes.
To gain a better understanding of our critical vendors' infrastructure and their data management practices, to see how they meet regulatory requirements, industry standards and best practices.

14. Would you suggest testing with critical vendors as a due diligence best practice?
Yes 60%
No 40%

15. Do you inquire of critical vendors whether they also test with their own vendors?
Yes 60%
No 40%

16. Do you participate in any shared assessments programs (such as those provided by a credible consultant) when undertaking vendor due diligence reviews?
Yes 40%
No 60%

17. Do you utilize independent attestations as part of your review processes? If so, which do you utilize:
ISO-27001 certification 100%
SOC (Service Organization Controls) 2 and/or 3 reports 80%
SSAE-16 / SOC 1 reports 100%
PCI-DSS 40%
Cloud Security Alliance 20%
Other (please list below): BITS shared assessments
These independent attestations are used in conjunction with our own internally developed questionnaire.

18. Do you re-assess vendors after specific periods of time (annually, bi-annually, etc.)? Please indicate interval, if any:
Annual
Yes, periodically based upon risk
Annually
Yes
Annual as required by contract

19. What technology tools, if any, do you use as part of your vendor assessment program to keep assessment results, open issue tracking, scheduling and other items? Please specify tools and whether you use a PMO to ensure tracking of all vendors:
Home grown today, but looking at solutions like Hiperos
There is a vendor governance system for the inventory and tracking of vendors.
None currently besides Excel spreadsheets.
N/A
Internally created risk management software

20. Regarding cyber security insurance and the asset management segment of your organization, is your firm looking into obtaining coverage for cyber investigations related to security breach incidents concerning vendor related issues?
Yes 60%
No 40%

21. Do you feel it is beneficial to raise awareness with senior management or your audit committee concerning the intricacies and nuances of industry-wide cyber security best practices? If yes, briefly state one or two positive takeaways.
Please so state they want to know how we benchmark to peers
Yes, it is beneficial. Positive takeaways include:
o Senior management is setting a security conscious culture for the organization, and
o Are aware of the roles and responsibilities if there is a security incident
Yes.
o Inform senior management of cyber risks that are specific to our Firm and the business impact of these risks.
o Obtain authorization and support to implement security best practices.
Yes, use of the NIST framework, risk based asset protection

22. Any general observations about cyber security developments currently affecting the asset management industry? An example of a current cyber security development would be the use of external evaluations of policies and procedures that are currently in place.
Record keeping and data destruction don't have adequate handling in the "best practices".
Besides cybersecurity threats as a whole to the industry, the regulatory focus and expectations around cybersecurity will continue to affect asset managers, especially as the regulators begin to test and assess these controls.
An increase in the amount of time, effort, and money spent on responding to due diligence and RFP responses pertaining to cyber security. This increase in the type of cyber security-related questions by current and potential customers has changed how our organization investigates and responds to potential security issues even if our Firm is not vulnerable to the risk.
Yes, the increased focus by regulators in this space is broadening the awareness in the firm and enabling ready adoption of new risk management efforts as we align with the framework. The burden of the increased requests for information in this space is creating a need for standardized question/responses which can be re-used for multiple requestors.

23. How do you manage insider risk?
Combined team with HR, Physical Security, and Info Sec. Looking at technical and human factors.
This is a layered approach using the following controls:
o Data Loss Prevention (DLP) Monitoring
o Least privilege access model
o Role based access
o Recertification of user access
o Filtered internet access
o Restrictions on removable storage
o Email surveillance
We limit access to confidential data based on access controls, we have separation of duties for sensitive functions, and some limited DLP capabilities (through our implementation of biometrics). This is an area that we are currently looking to expand.
N/A
Education, monitoring, DLP controls, and analytics

25. Would you consider participating in Association-sponsored tabletop exercises (which would also include certain vendors that are critical to your business) in order to test incident response plans to certain cyber attack scenarios?
Yes 80%
No 20%

NOTE: This survey was conducted in late May & early June, 2015.