As reported by Security Magazine, the U.S. Securities and Exchange Commission in late January published a set of guidelines pertaining to operational resilience and security preparedness. Directed at securities firms, the SEC’s guidance covers governance and risk management, vendor management, training and awareness, incident response, resiliency, mobile security, and data loss prevention. It is, in other words, a complete cybersecurity framework.
And that means it’s applicable to organizations across a wide set of industries, including your own. We’d strongly recommend browsing through the full document here. In the meantime, we’ve compiled a few of the major takeaways below.
- Effective cybersecurity starts at the top. Proper governance and risk management requires that an organization’s senior leadership be fully-invested in protecting both corporate and customer data. Executives must work together to set a business’s overall security strategy and oversee all relevant corporate programs and must communicate consistently with employees at all levels of the organization.
- A thorough risk assessment is essential. This risk assessment should take your organization’s business model into account, while also identifying potential vulnerabilities and threats.
- Good security constantly evolves. The cybersecurity landscape is in constant flux, with new threats and defense tactics regularly surfacing. Your organization must keep pace with this evolution.
- Access must be strictly monitored and managed. Understand what each user group in your organization needs in order to do their job, and provide them with that and nothing more. Incorporate procedures that allow you to control, monitor, and rescind access as-needed.
- Preventing the loss of data requires a multifaceted approach. It’s no longer enough to defend your perimeter. You must continually monitor your entire network, in addition to your supply chain.
- Mobile security is imperative. Mobile devices such as smartphones are now ubiquitous. If you do not have policies in place to manage their use and prevent the compromise of corporate data, you are not secure.
- You need an incident response plan. As part of your risk assessment, you must assign responsibilities to key staff, establish the proper lines of communication, and plan out your specific response processes for all the incidents your business is likely to face.
- Know your organization. What devices are present in your network? What data do you manage? What are your core assets, and how best can you protect them?
- Training is essential. Your employees are the weakest link in your security posture. Train them thoroughly in their responsibilities, and ensure there are measures in place to test the success of this training.
Modern cybersecurity is both challenging and complicated. The SEC’s guidelines provide a good framework to help you get started, but the rest is up to you.