Alert – Information Security


The purpose of this compliance training material is to familiarize you with key issues regarding information security.

Overview

One of the most pressing compliance issues for investment advisers is how to satisfy SEC requirements in the area of information security. The following checklist will allow you to take the measure of your advisory firm’s existing information and data security program.

Not every one of the following questions may apply to the conduct of your advisory business, but for those questions that do apply, you should be able to answer “yes”.

Information Security Checklist

1. Policy. Has your advisory firm developed and implemented comprehensive information security policies and procedures?

__  Yes    __  No

2. Acknowledgment. Are all employees and independent contractors required to provide written acknowledgment of their understanding and acceptance of your advisory firm’s information security policies?

__  Yes    __  No

3. Confidentiality Agreements. Are confidentiality agreements signed before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?

__  Yes    __  No

4. Physical Security. Are buildings, paper records, computer and network equipment and storage media within them properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent?

__  Yes    __  No

5. Anti-Virus. Are all computer systems protected with up-to-date anti-virus software and other defenses against malicious software attacks?

__  Yes    __  No

6. Internet Security. Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by firewalls, intrusion detection systems, virtual private networks (or other forms of encrypted communication), and incident response capability?

__  Yes    __  No

7. Software Patches. Are security-sensitive software patches promptly applied to systems that are accessible to users outside of your advisory firm?

__  Yes    __  No

8. Data Protection. Is sensitive, valuable information properly protected from unauthorized access?

__  Yes    __  No

9. Business Resumption Plan. Does your advisory firm have a documented and tested business resumption plan for critical computer systems and the associated office support infrastructure that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?

__  Yes    __  No

10. Portable Data. Does your advisory firm encrypt sensitive information stored on portable devices, including laptop computers and smart phones?

__  Yes    __  No

11. Telecommuting. Does your advisory firm ensure the safety of sensitive client information in remote or home offices?

__  Yes    __  No

12. Data Security Breaches. Does your advisory firm have the ability to detect the unauthorized use of, or access to, sensitive client information?

__  Yes    __  No

13. Training. Does your advisory firm have a program in place for training employees on the proper use of your firm’s computer security system, and the importance of information security?

__  Yes    __  No

14. Due Diligence. Does your advisory firm conduct due diligence on the information security programs of third-party service providers?

__  Yes    __  No