The Securities and Exchange Commission (SEC), the US agency responsible for enforcing securities laws and regulating stock exchanges and investments, issued a report on Cybersecurity and Resiliency Observations.
The report provides observations to assist market participants on how to enhance cybersecurity preparedness and operational resiliency.
The report is divided into 7 sections. Below is a breakdown of each.
1. Governance & Risk Management
Effective programs include (i) identifying cybersecurity risks to the organization, (ii) having policies and procedures in place to address those risks, and (iii) implementing and enforcing those policies and procedures.
2. Access Rights and Controls
This section is meant to protect sensitive data so that only authorized members of the organization have access to it. Access controls generally include: (i) understanding where data is located throughout the organization, (ii) restricting access to data to authorized users only, and (iii) establishing controls to prevent and monitor unauthorized access.
3. Data Loss Prevention
Outlines a set of tools and processes an organization can use to ensure sensitive data is not lost, misused or accessed by unauthorized users. This includes having the necessary software to scan and protect network traffic, keeping patches up to date, and encrypting data.
4. Mobile Security
Mobile devices and applications create additional vulnerabilities. Organizations should ensure that they have proper mobile device management to protect mobile devices and multi-factor authentication to limit employee access to information.
5. Incident Response and Resiliency
Incident response includes: (i) timely detection and disclosure of material information regarding incidents, and (ii) corrective actions taken in response to incidents. In simple terms: how quickly can an organization recover and resume regular operations?
6. Vendor Management
Ensuring that vendors and other collaborators follow cybersecurity procedures comparable to the organization's own, so that third-party vendors do not introduce vulnerabilities.
7. Training & Awareness
Training, which includes examples and exercises, informs employees about cyber risks and their responsibilities and heightens awareness of cyber threats.