FYI: OCIE issued a Risk Alert today addressing security weaknesses found in recent IA and BD examinations relating to the storage of customer and firm information on internal and external networks (including hosted cloud storage).
The Risk Alert pointed out that the majority of network storage solutions offer encryption, password protection and other security features designed to prevent unauthorized access, but firms did not always use the available security features. Three particular areas of concern were listed:
• Misconfigured network storage solutions.
• Inadequate oversight of vendor-provided network storage solutions.
• Insufficient data classification policies and procedures.
On the positive side, the Risk Alert listed examples of effective “configuration management” practices OCIE has observed at some firms, including:
• Firms that have policies and procedures designed to support the initial installation, ongoing maintenance and regular review of the network storage solution.
• Firms with guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly.
• Firms that maintain vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken or otherwise modify the security configuration.
The Risk Alert encourages firms to review their practices to consider whether any improvements are necessary.
The Risk Alert is only two pages long and can be accessed here in its entirety: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf
* * *