Need high-end security?
ITP will make sure your business is secure
The SEC has made cybersecurity a key element in every exam. ITP is acutely aware of the need to maintain compliance and meet the threats posed by the hackers we all hear about every day. At ITP, security drives nearly every decision, but proving you are compliant is the end goal.
Security Policy Review & Gap Analysis
We outline key considerations arising from the cybersecurity Risk Alert issued by the SEC's Office of Compliance Inspections and Examinations (OCIE), describe how firms can prepare for an OCIE cybersecurity examination, and compare a firm's actual practices against its written security policy.
We believe one aspect of cyber risk management that may be particularly challenging is determining that the measures designed to mitigate cybersecurity risks are consistent with a firm's overall security policy (i.e. that continuity exists between policy and practice).
Cybersecurity professionals may not speak the language of SEC or FINRA compliance, and vice versa. Potential consequences of such a communication gap include access control privileges that are never defined within the firm. ITP provides a translation from policy to the actual technology used for cyber mitigation.
ITP's Active Defense follows six principles
- Maintain a footprint that spans the internet, gathering real-world threat information.
- Gather and correlate data from and across all threat vectors, including file, web, message and network.
- Data collection and threat intelligence distribution are cloud-based and performed in real time 24/7/365.
- Deliver reputation-based threat intelligence.
- Integrate threat intelligence into a complete suite of security products.
- Support the entire process with our network operations team dedicated to threat intelligence.
Monthly Reporting and Quarterly Due Diligence Testing
A firm should be able to demonstrate to OCIE examiners that active, holistic monitoring is in place and that employees across business functions understand what constitutes normal versus unauthorized activity.
A firm should be able to show how it responds to activity that does not appear normal or expected.
ITP believes documented monthly reporting demonstrates to examiners that effective controls are in place to provide safe and secure online access to client data through the firm's infrastructure.
Due diligence testing is critical not only to meeting SEC expectations, but also to investing in a program that makes the firm secure, vigilant, and resilient in the face of fast-emerging cybersecurity risks.