Pub. 4 2015 Issue 9
Leading advocate for the banking industry in Kansas

CYBERSECURITY AWARENESS
By Charles Laughridge, BKD, LLP
claughridge@bkd.com

October may be National Cybersecurity Awareness Month, but in the financial industry, cybersecurity is a top business priority every day. Financial institutions are the most frequently targeted industry for cyberattacks. There are many types of attacks, from hacking to distributed denial of service (DDoS) attacks, malware injections, social engineering and unauthorized use of computers, to name just a few. Attacks are highly sophisticated and more frequent, and they originate from both internal and external sources.

The National Institute of Standards and Technology defines cybersecurity as “the process of managing cyber threats, vulnerabilities, protecting information and information systems by identifying, defending against, responding to and recovering from attacks.”

Every organization should consider these 10 questions to determine if it has gaps in its cybersecurity program.

1. Do I know where our organization’s data is stored?

Maintaining an information asset inventory, including all relevant assets that store or transmit sensitive data, serves as a foundation for identifying potential vulnerabilities.

2. Is our organization working to improve existing security controls?

Ensure existing security configuration settings on all hardware and software applications are enabled to protect confidential and sensitive information through the following:

• System/device hardening
• Strong password controls
• Limiting administrative privileges
• Granting only minimum required access to perform job responsibilities
• Monitoring user access and activity

3. Does our organization have clearly defined and communicated data access policies?

Policies and supporting procedures must exist for the creation, modification and termination of user access to applicable networks, operating systems, applications and databases. These should include:

• Screening and background checks on all prospective employees prior to employment
• Documentation of network and application changes with standard change management procedures
• Thorough and timely access removal for terminated employees
• Limiting of vendor access to network and applications

4. Has our organization implemented data loss prevention controls?

Limit access to removable media, CD-ROMs, email and file transfer websites through:

• Group policies and existing software such as content filtering and email filters
• Implementation of a formal, well-planned policy that encompasses device use and information disposal