The purpose of this compliance training material is to familiarize you with key issues regarding information security.
Overview
One of the most pressing compliance issues for investment advisers is how to satisfy SEC requirements in the area of information security. The following checklist will allow you to take measure of your advisory firm’s existing information and data security program.
While not every one of the following questions may apply to the conduct of your advisory business, for those questions that do apply, you should be able to answer “yes”.
Information Security Checklist
1. Policy. Has your advisory firm developed and implemented comprehensive information security policies and procedures?
__ Yes __ No
2. Acknowledgment. Are all employees and independent contractors required to provide written acknowledgment of their understanding and acceptance of your advisory firm’s information security policies?
__ Yes __ No
3. Confidentiality Agreements. Are confidentiality agreements signed before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?
__ Yes __ No
4. Physical Security. Are buildings, paper records, computer and network equipment and storage media within them properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent?
__ Yes __ No
5. Anti-Virus. Are all computer systems protected with up-to-date anti-virus software and other defenses against malicious software attacks?
__ Yes __ No
6. Internet Security. Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by firewalls, intrusion detection systems, virtual private networks (or other forms of encrypted communication), and an incident response capability?
__ Yes __ No
7. Software Patches. Are security-sensitive software patches promptly applied to systems that are accessible to users outside of your advisory firm?
__ Yes __ No
8. Data Protection. Is sensitive, valuable information properly protected from unauthorized access?
__ Yes __ No
9. Business Resumption Plan. Does your advisory firm have a documented and tested business resumption plan for critical computer systems and the associated office support infrastructure that includes frequent system backups, off-site backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?
__ Yes __ No
10. Portable Data. Does your advisory firm encrypt sensitive information stored on portable devices including laptop computers and smart phones?
__ Yes __ No
11. Telecommuting. Does your advisory firm ensure the safety of sensitive client information in remote or home offices?
__ Yes __ No
12. Data Security Breaches. Does your advisory firm have the ability to detect the unauthorized use of, or access to, sensitive client information?
__ Yes __ No
13. Training. Does your advisory firm have a program in place for training employees on the proper use of your firm’s computer security system, and the importance of information security?
__ Yes __ No
14. Due Diligence. Does your advisory firm conduct due diligence on the information security programs of third-party service providers?
__ Yes __ No