
Managing SEC OCIE Cybersecurity Exam Checklist Requirements
Learn how to effectively manage the cybersecurity requirements outlined in the SEC's OCIE exam checklist to ensure compliance and data protection. Explore key safeguards, administrative measures, risk assessments, and more.
Presentation Transcript
How to Manage the Requirements Raised by the SEC's OCIE Cybersecurity Exam Checklist
Welcome: Joseph Kirkpatrick, Managing Partner, KirkpatrickPrice (CGEIT, CISA, CRISC, QSA). Information Security Auditing Services: PCI Data Security Standard; Penetration Testing; Risk Assessments; SSAE 16 and SOC 2 Auditing Services; Compliance Assessments (SEC National Exam Program, Consumer Financial Protection Bureau (CFPB), ISO 27001, HIPAA, FISMA, etc.)
Welcome: Ted Morgan, Chief Operating Officer, 2007-present, Abel Noser Solutions. Bachelor of Science, Mechanical Engineering, Columbia University. Previously in the Capital Markets practice at Accenture for 13 years in technical and management positions; relationship manager for some of Accenture's largest Capital Markets clients; responsible for selling and delivering onshore management consulting and offshore development services to many of the leading US commercial and investment banks.
Disclaimer: The SEC's Cybersecurity checklist provides a sample list of requests for information that the U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) may use in conducting examinations of registered entities regarding cybersecurity matters. OCIE has published this document as a resource for registered entities. This document should not be considered all inclusive of the information that OCIE may request. Accordingly, OCIE will alter its requests for information as it considers the specific circumstances presented by each firm's particular systems or information technology environment.
Three Types of Safeguards: Administrative, Physical, Technical
Administrative Safeguards: Hardware and Software Inventory; Network Diagram
Administrative Safeguards: Risk Assessment (physical and technical risks; published framework such as NIST or ISO); Business Continuity Plan
Question #3 (SEC Cybersecurity Questionnaire): Please indicate whether the Firm conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences. If such assessments are conducted: Who (business group/title) conducts them, and in what month and year was the most recent assessment completed? Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.
Question #3 Example Answer: Identify Assets (people, hardware, processes, locations, data); Identify Threats to Confidentiality, Integrity and Availability (rank by impact); Identify Likelihood of Occurrence; Identify Controls to Reduce Risk; Rank Findings According to Severity
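The Q#3 answer pattern worked through as a small risk register, added here as an example that is not part of the original presentation: assets, threats, impact and likelihood scores, controls and the severity cut-offs are all constructed for a hypothetical firm, and the last function produces exactly what the question asks for (moderate or high findings not yet remediated).

```python
# Added worked example (not from the presentation): a small risk register built
# the way the Q#3 example answer describes. Assets, threats, scores and the
# severity cut-offs are all constructed for a hypothetical firm.
from dataclasses import dataclass, field

SEVERITY_BANDS = [(15, "high"), (8, "moderate"), (0, "low")]  # assumed, on a 1-25 scale

@dataclass
class Finding:
    asset: str          # people, hardware, process, location or data
    threat: str         # threat to confidentiality, integrity or availability
    cia: str            # which property is mainly affected: C, I or A
    impact: int         # 1 (negligible) .. 5 (severe)
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    controls: dict = field(default_factory=dict)  # control name -> likelihood reduction
    remediated: bool = False

    @property
    def inherent_risk(self) -> int:
        return self.impact * self.likelihood

    @property
    def residual_risk(self) -> int:
        # controls lower the likelihood (never below 1); impact is assumed unchanged
        return self.impact * max(1, self.likelihood - sum(self.controls.values()))

    @property
    def severity(self) -> str:
        return next(label for floor, label in SEVERITY_BANDS if self.residual_risk >= floor)

def rank_findings(findings):
    """Rank by residual risk, highest first, then by impact."""
    return sorted(findings, key=lambda f: (f.residual_risk, f.impact), reverse=True)

def open_moderate_or_high(findings):
    """What Q#3 asks for: moderate or high findings not yet fully remediated."""
    return [f for f in rank_findings(findings) if f.severity != "low" and not f.remediated]

REGISTER = [  # constructed sample entries
    Finding("customer order database", "SQL injection via web portal", "C", 5, 3,
            {"input validation": 1, "web application firewall": 1}),
    Finding("server room", "water leak", "A", 4, 3, {"leak sensors": 1}),
    Finding("staff", "phishing leading to credential theft", "C", 4, 5,
            {"security awareness training": 1, "MFA": 2}, remediated=True),
    Finding("funds transfer process", "fraudulent wire request by email", "I", 5, 4,
            {"callback verification": 1}),
]

if __name__ == "__main__":
    for f in open_moderate_or_high(REGISTER):
        print(f"{f.severity:8} residual={f.residual_risk:2} {f.asset}: {f.threat}")
```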
Administrative Safeguards: Information Security Policy; Assigned responsibility for the InfoSec Program (CISO, etc.); Access rules based on business need; Job Descriptions; Configuration standards; Data destruction; Incident Response (plan and test); Red Flags Rule
Administrative Safeguards: Risks Associated with Remote Customer Access and Funds Transfer Requests: Third-party services; Customer authentication policy; Procedures for detecting anomalous transaction requests; Training customers on cybersecurity risks; Responsibility for losses
Administrative Safeguards: Insurance; Vendor Compliance Management (questionnaires, contractual obligations); Training (security awareness)
Administrative Safeguards: Compliance Audits (external penetration tests, external vulnerability scans, network security assessments, IT audits); Separation of Duties
Question #10 (SEC Cybersecurity Questionnaire): Please indicate which of the following practices and controls regarding the protection of its networks and information are utilized by the Firm, and provide any relevant policies and procedures for each item. The Firm maintains controls to secure removable and portable media against malware and data leakage. If so, please briefly describe these controls.
Question #10 Example Answer: The Firm has disabled USB ports on PCs and laptops to restrict the use of removable and portable media. Only authorized managers are given the capability to use encrypted thumb drives.
Physical Safeguards: Removable Media; Physical Security Risks (access controls, visitor logs, secure areas, cameras, alarms)
Technical Safeguards: Firewall; Network and Application Logging; Logical Access Controls; Application Development (separate testing environment); Patch Management; Data Backup
Question #21 (SEC Cybersecurity Questionnaire): For each of the following practices employed by the Firm to assist in detecting unauthorized activity on its networks and devices, please briefly explain how and by whom (title, department and job function) the practice is carried out. Monitoring the Firm's network environment to detect potential cybersecurity events.
Question #21 Example Answer: The firm has implemented an industry-standard network monitoring utility that is configured to send alerts to the IT manager when events meet certain thresholds defined by management. These alerts are monitored 24x7 to identify critical network events. The Operations Officer serves as backup to the IT manager for monitoring availability.
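Threshold-based alerting of the kind the Q#21 example answer describes, added here as an example that is not from the presentation: it runs over constructed monitoring log lines, applies assumed management-defined thresholds per source within a sliding window, and addresses each alert to the IT manager with the Operations Officer as backup. The log format, threshold values and recipient roles are all assumptions.

```python
# Added example (not from the presentation): threshold-based alerting of the
# kind the Q#21 answer describes, run over constructed monitoring log lines.
# The log format, threshold values and recipient roles are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLDS = {  # "thresholds defined by management" (assumed values)
    "auth_failure": {"limit": 5, "window": timedelta(minutes=10), "severity": "critical"},
    "egress_bytes": {"limit": 500 * 1024**2, "window": timedelta(hours=1), "severity": "warning"},
}
NOTIFY = ["IT manager", "Operations Officer"]  # primary recipient, then backup

def parse(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def evaluate(lines):
    """Return one alert per (event, source) whose total crosses its limit inside the window."""
    alerts, fired = [], set()
    buckets = defaultdict(list)  # (event, src) -> [(ts, amount)] inside the sliding window
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        rule = THRESHOLDS.get(rec["event"])
        if rule is None:
            continue  # event type not covered by a management threshold
        key = (rec["event"], rec["src"])
        amount = int(rec.get("bytes", 1))  # a failure counts 1; egress counts bytes
        buckets[key] = [(t, a) for t, a in buckets[key] if rec["ts"] - t <= rule["window"]]
        buckets[key].append((rec["ts"], amount))
        total = sum(a for _, a in buckets[key])
        if total >= rule["limit"] and key not in fired:
            fired.add(key)  # alert once per source per rule instead of paging on every line
            alerts.append({"severity": rule["severity"], "event": rec["event"],
                           "src": rec["src"], "total": total, "at": rec["ts"], "notify": NOTIFY})
    return alerts

SAMPLE_LOG = [  # constructed lines covering about 20 minutes of one morning
    "2024-03-05T09:00:00 src=10.1.4.30 event=auth_failure user=aortiz",
    "2024-03-05T09:00:10 src=10.1.4.22 event=auth_failure user=jsmith",
    "2024-03-05T09:01:05 src=10.1.4.22 event=auth_failure user=jsmith",
    "2024-03-05T09:02:30 src=10.1.4.22 event=auth_failure user=admin",
    "2024-03-05T09:03:40 src=10.1.4.22 event=auth_failure user=admin",
    "2024-03-05T09:04:55 src=10.1.4.22 event=auth_failure user=root",
    "2024-03-05T09:05:00 src=10.1.9.8 event=egress_bytes bytes=300000000 dst=203.0.113.7",
    "2024-03-05T09:06:15 src=10.1.4.22 event=auth_success user=jsmith",
    "2024-03-05T09:07:00 src=10.1.4.30 event=auth_failure user=aortiz",
    "2024-03-05T09:20:00 src=10.1.9.8 event=egress_bytes bytes=300000000 dst=203.0.113.7",
]
```

Calling `evaluate(SAMPLE_LOG)` yields two alerts: a critical one for 10.1.4.22 after its fifth failed login inside ten minutes, and a warning for 10.1.9.8 once its egress within the hour exceeds the 500 MB limit; the two failures from 10.1.4.30 and the successful login never cross a threshold.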
Technical Safeguards: Encryption technologies (data at rest, data in transit); Risks Associated with Remote Customer Access and Funds Transfer Requests (encryption, SSL, PINs, automated methods to detect anomalous transactions)
Technical Safeguards: Monitoring Vendor Access
Thank you for attending. Q & A. For further information contact: Joseph Kirkpatrick, joseph@kirkpatrickprice.com, 800.977.3154 Ext. 101