In recent years and with the growth of ‘cyber-security’, business awareness of information assurance has grown leaps and bounds, which is great news for those diligent leaders thinking about keeping their staff informed and actioning documented processes. Here, at RFA, we have seen a growth in support, review and creation of policies to clients, and, in the last 18 months, a huge increase in digital records management (DRM), specifically information rights management (IRM). This key classification of data and focus of information security beyond the firewall is only going to escalate as mobile workforces rise in numbers and our awareness of data protection intensifies.
FORMAL SECURITY POLICIES A written information security policy (WISP) policy collection is a baseline expectation in the current compliance and regulatory climate. Designing and implementing a core set of actionable policies supporting your firm’s business operations, security and regulatory requirements is critical as investors become more savvy to the importance of information assurance and security. Of course, policies alone cannot fully comprise an information security framework, there must be additional business processes and information technology components in place to enforce and monitor the policies defined within the security framework. The below topics outline additional practical areas to augment firm information policy frameworks.
DATA CLASSIFICATION AND RETENTION Firms should develop and implement a clearly defined framework, and underlying IT infrastructure and supporting solutions, to classify all data stored within and processed by corporate systems. Additionally, as defined by existing regulations and within the newly approved sector agnostic GDPR guidelines, firms are required to retain specific data subtypes for applicable periods of time in an unalterable format. The firm’s data classification framework should also define and support procedures for user access restrictions based on job responsibility. Along with GDPR guidelines, the European Securities and Markets Authority (Esma) recently published 28 technical standards mandated for firms subject to the Markets in Financial Instruments Directive II (Mifid II) and the Markets in Financial Instruments Regulations (Mifir). As part of the technical standards and guidelines, firms must retain data classification, access control functionality and reporting, even beyond the boundaries of the corporate infrastructures to protect investor information. Understanding the practical implications of not having a grasp of your retention and IRM is important as regulations change and new non-sector specific regulations come into effect for example GDPR. Mifid II will also put more pressure on the classification elements of data not to mention security and traceability beyond the firewall.
SECURITY COMPLIANCE AUDITS Firms should periodically engage third-party independent auditors to perform security and compliance audits to validate the implemented security protocols and identify any gaps or areas for policy framework expansion. Security audits should include a comprehensive review of the policy framework as well as the supporting business processes and IT solutions. The testing frequency and scoping parameters should be defined in the firm’s policy framework and include penetration testing and vulnerability scanning engagements as well. The security evaluation engagements and subsequent review and remediation of findings should be included as part of a firms risk mitigation process. When developing risk mitigation processes, firms should review and include a clear understanding of supply chain knowledge as prescribed in FG16/5 from the FCA.
SECURITY INCIDENT MANAGEMENT Firms should develop and implement incident response plans (IRP) to know, detect, prevent, respond and recover from cyber-security threats and incidents. It is critical that firms maintain documentation with clear and simple response processes and that applicable alerting and escalation mechanisms (both process and IT solutions) are put in place to support the response framework. IRP procedures should be transparent, and clearly communicated to, all staff members and employees utilising corporate systems. As per the upcoming GDPR and other regulations, firms must have a framework in place to facilitate the reporting of any data breaches within 72 hours. Additionally, all firms should review and ensure, no less than annually, that all critical supporting vendors and third parties with access the firm data also maintain adequate IRP documentation and processes.
DISASTER RECOVERY PLANNING Implementing a disaster recovery policy (DRP) is a central component to any comprehensive information security policy framework. DRP documentation should include the following: – Detailed overview of the disaster recovery (DR) systems and infrastructure in place – Critical systems needed to perform business operations – Clearly defined processes for invoking failover to the DR environment noting any third parties that must be involved in the failover procedures – Clearly defined instructions for staff members to access DR systems – Defined review and testing framework to validate the DR systems and processes in place Planning and processes should be designed to provide firms with a process to resume critical business operations within acceptable recovery time objective (RTO) intervals and within recovery point objective (RPO) parameters.
DISASTER RECOVERY PLAN TESTING Firms should conduct annual (or better) testing of the DRP with predefined objectives and success metrics to validate the accessibility and functionality of systems and services within the disaster recovery environment. Firms should provide appropriate staff training and instructions for continuing business operations from the disaster recovery environment. All testing and training exercises, including systems tested, testing parameters, participating users and testing results, should be documented within the firm’s information security framework and reviewed by firm management to identify if adequate systems are maintained or if there are any gaps in need of remediation or improvement.
“FIRMS SHOULD DEVELOP AND IMPLEMENT A CLEARLY DEFINED FRAMEWORK, UNDERLYING IT INFRASTRUCTURE AND SUPPORTING SOLUTIONS, TO CLASSIFY ALL DATA STORED WITHIN AND PROCESSED BY CORPORATE SYSTEMS”
BUSINESS CONTINUITY PLANNING Another core component to a comprehensive information security framework is the implementation and ongoing testing of a business continuity plan (BCP).
BCP documentation should include:
- Emergency evacuation procedures for each office location including designated meeting locations and any remote “hot site” space maintained by the firm.
- Crisis communication procedures for efficiently disseminating information and instructions to staff members, critical third parties and business partners.
- An overview of, and instructions for accessing, any disaster recovery or backup systems for critical technology systems to resume business operations.
- Current contact information for staff members, critical third parties, office building management, emergency personnel and government/ regulatory entities.
- A framework for ongoing analysis and testing of the BCP procedures and supporting processes to validate effectiveness of the plan and identify any gaps for expansion or revision. This should be a holistic process (run at management level) clearly identifying potential threats to the business, the impact these have (if realised) on the business and the mitigating and (or) responses to these threats.
George Ralph is managing director of RFA. He is a technology and business leader with a proven track record of strategic alignment, process improvement and guidance. Having been both a COO and a CTO of his own technology firms over a 19-year period, he looks to provide transparent guidance to every business he serves and the people he leads. George has extensive delivery and technical experience in network and server architecture, large-scale migrations utilising leading technology brands, and IaaS offerings.