The SEC’s Office of Compliance Inspections and Examinations (OCIE) published a new report on the findings from examining the methods used by market participant organisations.
It’s nice to both understand what your peer organisations are doing, as well as get a nod from a governing body that the measures being taken by your own organisation are up to par and meet compliance guidelines. The SEC’s OCIE recently released a set of observations gathered through examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organisations, clearing agencies, transfer agents, and other relevant organisations.
In it, they cover a wide range of areas related to cybersecurity, including Governance and Risk Management, Access Rights and Control, Data Loss Prevention, Mobile Security, Incident Response and Resiliency, Vendor Management, and Training and Awareness.
For each aspect, OCIE spells out the best practices they observed across a wide range of organisations subject to the SEC.
Some of the more notable (and less travelled) practices include:
- Vulnerability Scanning – proactively and routinely scanning systems, applications, and code for vulnerabilities that need to be patched.
- Testing and Monitoring of Policies and Procedures – assessing how effective cybersecurity policies and procedures remain as the threat landscape changes.
- Insider Threat Monitoring – with most organisations focused on external threats, the SEC sees the value in also looking inward.
- Building a Security Culture – leveraging Security Awareness Training, organisations need to continually educate users on how to identify and respond to attacks and breaches.
With the overarching theme being a layered security strategy, OCIE’s report promotes an implementation that protects an organisation’s perimeter, systems, applications, privileged access, data ingress/egress, devices, and users.
Request Your Security Awareness Training Demo
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one-and-done deal; continuous training and simulated phishing are both needed to mobilise users as your last line of defence.
Request your one-on-one demo of KnowBe4’s security awareness training and simulated phishing platform and see how easy it can be!
PS: Don’t like to click on redirected buttons? Cut and paste this link into your browser: https://info.knowbe4.com/one-on-one-demo-partners?partnerid=001a000001lWEoJAAW