January 27, 2020

SEC offers cybersecurity guidance for regulated entities

The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission has published examination observations on cybersecurity and operational resiliency. OCIE's purpose in sharing the Observations is to enable market participants to incorporate good practices in the fields of risk management, data loss prevention, incident response, mobile security, and access rights and controls. For each of these topics, the Observations cite industry best practices and describe tools and processes that companies can use to ensure compliance. For example, in the area of data loss prevention, the Observations list the measures an organization should employ: vulnerability scanning, perimeter security, detection capabilities, hardware and software inventories, patch management, encryption and network segmentation, insider threat monitoring, and legacy systems security. In other areas, training and testing figure prominently in the strategies presented. In conclusion, OCIE encourages organizations to assess their cybersecurity practices in seven key areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response, vendor management, and training.

SEC press release | OCIE Cybersecurity and Resiliency Observations