The US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) published a report on January 27 outlining various industry practices and approaches to managing and combating cybersecurity risks and maintaining operation resiliency. The OCIE observed these practices through conducting thousands of examinations, and hopes that organizations can use the report to enhance their own cybersecurity preparedness and operational resiliency.

Topics covered in the report include the following:

  • Governance and Risk Management. An effective risk management program generally includes the development and execution of a risk assessment process to identify, manage, and mitigate cyberrisks. Potential vulnerabilities affecting organizations include remote or traveling employees, insider threats, international operations, and geopolitical risks. Successful programs frequently contain comprehensive testing and monitoring procedures to validate the effectiveness of cybersecurity policies. In addition, organizations with effective programs respond promptly to testing and monitoring results by updating policies and procedures and involving board and senior leadership as needed.
  • Access Rights and Controls. Effective access control involves developing a clear understanding of the access needs of the organization’s users to systems and data within the organization, including limiting access to sensitive systems and data based on a user’s need to perform authorized activities on the organization’s information systems and requiring periodic reviews of accounts. Once there is a clear understanding of access needs, organizations develop user access management procedures that, among other things, limit user access as appropriate, including during onboarding, transfers, and terminations; require strong and periodically changed passwords; and utilize multifactor authentication, leveraging an application or key fob to generate an additional verification code.
  • Data Loss Prevention. Organizations establish vulnerability scanning programs that include routine scans of software code, web applications, servers and databases, workstations, and endpoints within the organization and applicable third parties. In addition, organizations implement the capabilities to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic. Such capabilities include firewalls and intrusion detection systems. Other data loss prevention controls include removing access to personal email, cloud-based sharing services, social media sites, and removable media such as USB drives.

Other topics addressed in the report are mobile security, incident response and resiliency, vendor management, and training and awareness.