STRENGTHENING YOUR CYBER PROGRAM
Strategies to Assess, Protect and Monitor
Cybersecurity is on the minds of firms of all sizes. Incidents of cyberattacks and ransomware are on the rise among financial services firms, having increased 400% from 2015 to 2016, and are expected to double again in 2017 (Sources: IBM Security, CNBC, Beazley). Regulators including the SEC, FINRA and CFTC, as well as those at the state level have expanded their focus on cybersecurity. From protecting the personal information of retail-based clients to properly responding to the wide range of cybersecurity questions now included in the scope of institutional investor due diligence, is your firm prepared?
Managing cybersecurity risks is now considered part of a robust compliance program, yet many compliance professionals worry they do not understand the technical aspects enough to feel comfortable with their current program, or where to start developing one.
Federal regulations such as S-P, S-ID and Rule 206(4)-7 are quickly being accompanied by state regulations that also mandate that sufficient Information Security policies and procedures are in place. States such as Massachusetts, California and most recently New York have enacted their own regulations dictating how firms need to secure their own information as well as that of their clients.
Ascendant can take that worry off your plate. We have designed a comprehensive cybersecurity package to help you manage these risks, while allowing you to focus on your core business.
- Understand your cybersecurity risks from both a regulatory and business/operational perspective
- Develop a robust Incident Response policy and test plan
- Test your staff with phishing and social engineering testing
- Implement the NIST Cybersecurity Framework as part of your cybersecurity strategy to have an understandable roadmap for discussion with senior management, compliance, and IT
- Assess the cybersecurity programs of other firms you are considering acquiring
- Perform penetration testing
- Bring your cybersecurity policies and procedures up to industry best practices with a custom Information Security Policy manual created just for you
- Assess the adequacy of your patch management practices
- Train your staff on emerging threats with on-demand cybersecurity training and in-person cybersecurity training
- Prepare for a regulatory examination by assessing your ability to meet examiners’ expectations of controls, policies, and testing with our Cybersecurity Gap Analysis, designed to address the SEC’s OCIE Cybersecurity Examination Initiative
- Evaluate and document vendor due diligence
Ascendant offers a cybersecurity training program customizable to meet your needs and busy schedule. Whether you prefer on-demand training modules with reporting capabilities or the ability for your staff to ask questions during live, in-person training at your offices, we can help prepare your employees to recognize cybersecurity threats and trends to better protect your firm and its reputation. Ascendant’s cybersecurity training covers hot-button issues including ransomware and social engineering techniques, keeping systems patched, mobile device security, and a host of other topics. We can also customize a training program just for you.
We offer training on our ACM platform, delivering training videos and attestations to your employees remotely.
For a more hands-on approach, Ascendant can send one of its Cybersecurity Specialists to train your employees on site.
Ascendant can create custom training solutions tailored to fit your firm’s needs. Whether you are looking to enhance training for one office or hundreds of branches, Ascendant has you covered.
For those wishing to join the ranks of firms who are truly serious about cybersecurity, Ascendant can help implement the nationally recognized NIST Cybersecurity Framework upon which the SEC’s cybersecurity exams are based. Used throughout the government and now the de facto cyber framework for the private sector, the NIST cybersecurity framework will bring your firm’s cyber program to the next level and provide you with the peace of mind that comes from having a program aligned with both industry best practices and regulatory expectations.
Firms that have existing Information Security policies and procedures in place may wish to have them examined for best practices. Ascendant can review a firm’s documentation to obtain assurances that best practices are being used and to identify outstanding compliance deviations. This review can be done remotely. The deliverable: a detailed report identifying procedural gaps and providing recommendations for remediation.
1. Firm provides information security-related documentation to our secure ACM cloud portal.
2. Our ISACA-certified Information Security Consultants examine firm documentation using proprietary methodology and risk scoring.
3. A Gap Analysis report is provided documenting deficiencies with recommendations to assist in bridging gaps and bringing a firm’s Information Security Policy up to industry standard.
Ascendant can help small firms get their IT up and running by aiding in the vendor selection and due diligence process. Firms needing vendors to help accomplish goals related to IT and cyber often lack proper documentation evidencing this fact, and in some cases, do not even know where to start. Ascendant will craft proper policies and procedures that can address the vendor in a firm’s Information Security Plan. For mid- to large-size firms with established programs but lacking in vendor due diligence, Ascendant can provide a streamlined interface and platform to track vendor due diligence responses and questionnaires, assisting in the risk management effort through on-demand reporting capabilities.
Ascendant can obtain assurances that vendors are providing secure services and not endangering firm data, providing policies to evidence this and procedures to help firms stay on top of due diligence.
With our ACM cloud technology, performing vendor due diligence is easy, secure and streamlined.
For those firms that need a comprehensive risk assessment, our certified cybersecurity specialists can help bring firm policies and practices up to standard. We identify physical and network security risks through a combination of on-site inspection, staff interviews, and access control testing; bridge the gap between compliance, IT, and senior management in understanding cyber risks; and help you develop an action plan to reduce your risk profile. Upon request, Ascendant can accompany your team on-site to your data center or other third-party vendors to assist in due diligence. The on-site assessment gives your firm the opportunity to ask questions of our cyber experts and to gain insight into how your cybersecurity program benchmarks against your peers.
Many regulatory agencies such as the SEC, NY DFS and FINRA are requiring or expecting firms to perform regular vulnerability scans of their network. These scans give firms a picture of their network from an outsider’s perspective, with the idea of locking up their perimeters by limiting what information outsiders can observe. These scans can be verbose and confusing to those untrained in exploit identification; however, Ascendant can provide firms with reports containing executive summaries listing the issues in layman’s terms. In addition, we will walk through the identified vulnerabilities and remediation processes in plain English to ensure you walk away with an understanding of both the risks and the accompanying recommendations.
1. Using cloud-based scanners, the firm’s external network is examined for vulnerabilities.
2. A report is created identifying network vulnerabilities along with an executive summary of results.
3. In a call with you, Ascendant will discuss vulnerabilities identified and recommendations for remediation.
Firms feeling confident in the security of their network should test that security with a penetration test. A penetration test attempts to exploit security holes in a firm’s network using the methods employed by hackers. The scope of a test can be controlled, from testing only certain aspects of a firm’s security to a broader assessment of its defensive capabilities.
Detailed documentation will be provided at the end of the engagement containing exploitation methods used, vulnerabilities found and recommendations. Not only will a penetration test help improve network security but it will also demonstrate a firm’s commitment to security.
A trained white hat specialist will try to exploit vulnerabilities in a network to gain access, much in the same way a real hacker would.
A detailed report will be provided, listing how a network was breached and what a firm can do about it.
After an engagement, a walkthrough of the report can be done to help the firm further understand how to strengthen network security.
The latest and greatest in security technology has time and time again been shown to be ineffective against vulnerabilities stemming from human error. An employee may plug in an unknown USB stick, open an attachment in a phishing email or unknowingly disclose sensitive information. The realm of social engineering is giving hackers powerful non-technical methods of exploiting a firm’s security. It is a firm’s job to ensure that its employees and affiliates are properly trained to help detect, prevent and respond to social engineering.
This service comprises a phishing campaign targeting your employees. The testing involves several leading methods used over a predetermined period of time, typically no less than a month. Over the course of the phishing campaign, data will be gathered to provide insight into employee behavior. The conclusions drawn will then be used to reinforce training and strengthen what is typically the weakest cyber link at every firm: people.
Spear phishing techniques to spoof emails can test employees’ security competency.
Detailed reports containing actions taken against emails, links clicked and attachments downloaded give management insight into employee behavior.
Additional phishing campaigns can be performed utilizing phone calls, USB devices or email-simulated exploitation.
The following is a sample of cybersecurity policies Ascendant can develop for you:
Ascendant’s IT team holds numerous industry-leading cybersecurity certifications, including several that are among the limited certifications approved by the U.S. Department of Defense (DoD) for the performance of information assurance. Each of these certifications requires at least 40 hours per year of continuing cybersecurity education to maintain current skills in a rapidly changing threat environment.
AMONG THE CERTIFICATES HELD ARE:
Certified Information Systems Auditor is a globally recognized certification in the field of audit, control and security of information systems.
Certified Information Security Manager focuses on information risk management as the basis of information security.
Certified in Risk and Information Systems Control holders manage risk, design and oversee response measures, monitor systems for risk, and ensure the organization’s risk management strategies are met.
Further, our cybersecurity certifications supplement the industry knowledge our IT consultants have obtained through hands-on experience as systems integrators, software architects and developers, and IT project managers. Ascendant’s certified cybersecurity experts are frequently requested to speak at national conferences, and network with the FBI, CIA, technology vendors, law firms, and federal and state regulators to stay ahead of industry best practices and examination focus areas.
Whatever your needs, Ascendant will work with you to make compliance a source of strength.
Please call 1-860-435-2255 for more information.