Digital Assets Report

Nine steps to create an information security plan

By Olivia Munro – In today’s changing regulatory and investor landscape, Information Security Plans are critical for hedge funds and investment management firms to comply with SEC regulations, due diligence requests and state laws. In our recent webinar, we had our in-house information security experts weigh in on Information Security Plans: what they are, why they are important, and the nine steps your firm can take to create one.

What is an Information Security Plan and Why Have One?

An Information Security Plan can take on many forms, but generally it is a collection of policies and procedures around your information and data security. Some plans encapsulate all firm policies and procedures relating to data, while others work at a high level to give visibility and satisfy regulators. It is important to note that there are different ways to approach and prepare a firm for cybersecurity-related risks and the regulatory requirements on the business. Having an Information Security Plan is crucial because it is not a matter of if, but when, your firm will need a plan in place to react to an information security incident.

Nine Steps to Create an Information Security Plan:

  1. Regulatory Review and Landscape

    All businesses have requirements, and your firm needs to know what is necessary from a regulatory perspective. Requirements can come from international bodies, federal agencies, states, or even industry-specific bodies, in addition to external pressures from investors, auditors, and external partners.

  2. Governance Oversight and Responsibility

    Everyone within your organization has a role in information security, but creating a Computer Information Security Response Team (CISRT) to make sure that all employees within the company follow policy can ensure internal compliance.

  3. Take Asset Inventories

    Knowing what hardware and software your organization has can help you identify potential vulnerabilities. This can be a manual process, but there are software applications and scanning tools that can make it easier.

  4. Data Classification 

    Knowing what data is important and what needs to be protected, in addition to knowing where the information resides, who has access, and how it is stored and transferred, will help you write your policies and procedures.

  5. Evaluate Available Security Safeguards

    Firms need to be aware of what policies and procedures they currently have in place, including what solutions and controls can be added by their IT vendor to enhance their security. Be aware of what safeguards are available to assist you with your existing programs.

  6. Perform a Cyber Risk Assessment

    This will help you understand the cybersecurity risks to the firm’s operations, functions, image, reputation, and assets. This doesn’t have to be overly complex or robust; your firm can start with the basics and evolve as you grow.

  7. Perform a Third-Party Risk Assessment

    Reviewing critical vendors on an annual basis is crucial to see whether any of their practices or policies have changed. Have a checklist in place to make sure you are establishing acceptable guidelines to send to vendors.

  8. Create an Incident Response Plan

    These plans need to be realistic for your firm specifically and for the vendors that have a stake in your response. Engage other parties internally, such as IT, Operations, and HR, as well as externally, such as service providers and third-party vendors, clients, and regulators, when you create this plan.

  9. Training and Testing Employees

    Make your employees an asset instead of a threat by training and testing them. Reviewing internal roles and responsibilities within the firm and running training and testing throughout the year gives people more opportunities to learn.

There is no time like the present to start developing an Information Security Plan, and all firms that are registered with the SEC are required to have one. For more information or a consultation, contact Eze Castle Integration.