Latest News and Resources
Understanding the SEC OCIE’s Cybersecurity Examination Initiative
OCIE Focusing In On Cybersecurity Exam Initiatives:
The SEC’s top 6 priorities, and how working with an IT services provider ensures your firm is fully prepared
With the Securities and Exchange Commission’s Office of Compliance release of cybersecurity summary reports and exam initiatives, many financial services firms are being forced to reprioritize cybersecurity in preparation for potential SEC exams.
Without the right technology services partner in place, the initiatives are daunting, and getting started can feel overwhelming. Just look at the numbers.
In its summary report of those examinations, released in February of 2015, the OCIE stated that of those organizations it examined, 88 percent of the broker-dealers and 74 percent of the RIAs had experienced a cybersecurity incident recently.
This year, OCIE followed up with the Examination Priorities for 2016, where it was confirmed that in 2016 emphasis will be placed on testing how firms have implemented the procedures and controls initially examined in 2015.
The OCIE further announced that it planned to focus on cybersecurity compliance in its 2015 Examination Priorities. Last September, the office released the 2015 Risk Alert providing compliance guidance for industry entities that might be subject to examination.
Following a string of high-profile cybersecurity incidents in recent years, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) kicked off the latest push when it released a Risk Alert in April of 2014 for relevant industries. Additionally, OCIE announced its intention to conduct examinations throughout the year to assess cybersecurity procedures and preparation in the securities industry.
OCIE 2015 Cybersecurity Examination Initiative Priorities
OCIE examiners will pursue investigations into any area they deem necessary, but the 2015 Risk Alert highlights examination priorities in the following six primary areas:
1. Governance and Risk Assessment
The OCIE may examine whether companies have existing processes and procedures for cybersecurity and risk assessment. Examiners may also seek to determine whether your firm regularly reviews those procedures for efficacy and suitability to its own industry, along with how effectively high-level leadership is informed of, and participates in, those efforts.
The OCIE further highlights its intention to scrutinize compliance in areas regarding the following:
- Information security when dealing with third parties
- Software patching, especially regarding critical security updates
- Board minutes and briefing documents containing or related to sensitive information and cybersecurity
- Your firm’s chief information security officer (CISO) or equivalent position
- The firm’s organizational structure as related to cybersecurity
- The firm’s procedures for risk assessment, proactive threat identification, penetration tests, and vulnerability scans
2. Access Rights and Controls
The examiners will emphasize cybersecurity risks stemming from access to systems and information, especially related to basic safeguards like multifactor authentication and prompt access adjustments following personnel changes.
The OCIE notes its intention to highlight concerns related to the following:
- Controls and safeguards for network segmentation and access levels across different security clearances
- Perimeter-facing procedures such as failed logins, password retrieval, dormant accounts, and unauthorized logins
- Network access from outside devices
- The firm’s documentation and dissemination of its cybersecurity procedures to all relevant users
3. Data Loss and Prevention
OCIE examiners will assess your firm’s procedures for data transferred outside of the network through emails or other data uploads.
Examiners may highlight procedures for the following:
- Identifying and preventing unauthorized data transfers
- Verifying the authenticity of requests to transfer funds
- Mapping data to verify information ownership and privileges
- Data classification and security levels
4. Vendor Management
As third-party vendors are a prominent source of cybersecurity incidents, examiners may focus on vendor management, including how vendors are chosen, vetted and monitored. Examiners may also ascertain whether your firm considers vendor security to be an integral component of its overall cybersecurity procedures.
The OCIE additionally highlights the importance of clear vendor contracts regarding security responsibilities, along with documentation for all related areas, and your firm’s contingency plans for dealing with vendor-related breaches.
5. Training
Security procedures are only as effective as the training received by relevant personnel, including third-party partners. Therefore, examiners may verify that such training is thorough, widespread, and well documented.
6. Incident Response
The OCIE will examine your firm’s policies and procedures for responding to incidents, including documentation of the same, along with how policies are adjusted (when appropriate) following those incidents.
Examiners may further highlight procedures related to the following:
- How cybersecurity fits into your firm’s business continuity plan
- Your firm’s testing and drilling procedures for cybersecurity incidents and all data disasters
- System-generated alerts to automatically notify key personnel of potential incidents
- Actual customer losses related to cybersecurity incidents
Recommended Actions
Ultimately, the OCIE’s examination priorities reveal that it considers the cybersecurity status quo to be ill-suited to modern realities.
With OCIE’s release of the Examination Priorities for 2016, it was reiterated that the priority placed on cybersecurity compliance and controls will be further emphasized throughout the year.
This will most likely be seen through testing and assessment of how firms have implemented and integrated technical procedures and controls into their office technology environments.
Simply put, instead of a reactive, incident-based response, the OCIE wants firms to demonstrate that they have adopted a proactive, holistic stance regarding cybersecurity and workplace technology management.
Your firm’s default mindset should be that it is under threat from cyber-intrusions, and it should be able to demonstrate through robust documentation and actual practice that it is actively on alert for cybersecurity incidents.
To achieve this goal, your firm needs to ensure that it is working with an IT services provider that can serve as a full partner in security initiatives and procedures. Financial technology support partners can work with firms to establish, demonstrate and document their procedures in these four key areas:
1. Data Protection
Your firm must be able to rank all data according to a risk hierarchy (low, medium, high) and operational priority. Cybersecurity procedures should be strengthened accordingly, with the highest risk and highest operational priority data being subject to robust, multi-layered safeguards.
2. Proactive Security
Furthermore, your firm should implement, document and demonstrate a clear commitment to vigilant, proactive monitoring of security risks. Relevant procedures should be a top priority for all related personnel, and the firm should have a clearly understood process for how cybersecurity incidents will be identified, addressed and mitigated at all levels of the organization.
3. Cyber-Perimeter
Additionally, firms are expected to be able to demonstrate a clear understanding that their cyber-perimeter extends into the world of third parties, including vendors, partners and customers. Their procedures and practices for that outlying perimeter should be just as robust (if not more so) as their procedures for in-house data sites.
4. Documentation
5 Ways Managed IT Services for Insurance Companies Help Reduce Your Operation Expenses
Top 5 Ways for Insurance Firms to Reduce Operational Costs by Using Managed IT Services
1. Increased Employee Productivity
Experts estimate that up to 80 percent of unplanned technology outages are caused by poor administrative IT planning. These hours of downtime cost the least effective companies millions each year. Downtime caused by outdated equipment, network issues, and employee confusion can be significantly minimized with the right technology and appropriate employee training.
2. Predictable Recurring Costs
Unplanned technology costs can be challenging for insurance agencies. The experience of having to hire a contractor for an emergency fix can be incredibly expensive. By choosing to hire managed IT support, insurance agency owners can include a predictable monthly cost in their annual budgets. This is much easier for you to plan for than unexpected, high-dollar invoices for outages.
3. Proactive Maintenance
Managed IT services offer the benefit of expert support for maintenance. Proactive maintenance is critical to preventing unplanned outages and technology issues. In many cases, regular proactive maintenance is sufficient to prevent downtime and system issues, and the accompanying loss of productivity.
4. Expert Upgrade Advice
Did you know that the most common software selection tactics used by SMBs are actually highly ineffective? The process of choosing technologies is much simpler with expert guidance. Managed IT services providers for insurance understand your business and your industry. Experts who work with your company are able to offer far more personalized guidance than typical self-guided research processes.
5. Increased Information Security
The average cost of a cyber crime attack is 11.56 million dollars. Businesses that suffer a data breach are held fiscally responsible for notifying clients, which can devastate SMB brands. Managed IT services can provide in-depth assistance and expert guidance to help keep your information secure, including network protection and crucial employee training. Information security is a critical part of doing effective, ethical business in the technology age.
Visual Based Post [Blogging Blueprint]
INTRODUCTION:
An image post uses a visual element as the centerpiece of your post, such as a SlideShare presentation, infographic, comic, or high-resolution images.
Use your introduction to provide a caption for your image(s). Why is it valuable? What’s the point? Image posts don’t require a lot of text, so choose your words wisely.
Here are some examples of how we use Visual blog posts here at HubSpot:
BODY:
After just a few lines of introductory text, insert the visual.
Call out the most important elements of the visual. Include “Tweet this!” links that mention key points and vital takeaways from your visual.
CONCLUSION:
Now it’s time to say goodbye and wrap up your post. Remind your readers of your key takeaway, reiterate what your readers need to do to get the desired result, and ask a question about how they see the topic to encourage comments and conversation. Don’t forget to add a Call-to-Action!
Congratulations! What a lovely image post you’ve created.
How to Improve Patient Care Using Healthcare Technology Strategically
Dual Customer Focus – Healthcare IT Best Practices That Benefit Patients and Employees Alike
While many organizations place the heaviest emphasis on customer experience, the focus of healthcare information technology must seek to serve the needs of two different bases: both employees (your internal customers) and patients (your external customers).
If you’re looking to please both crowds, keep in mind the following healthcare IT principles and practices.
Keep Patient Health Data Readily and Securely Available While Staying Aligned With ePHI and PHI Regulations
Patients may choose to receive and access their personal health information using a variety of media and device options. When identifying the right healthcare technology solutions, you must ensure that data can be securely accessed, be it via mobile devices, home computers or even through printed or scans of prior paper documents.
At the same time, each of these methods of access can translate into a need for additional healthcare information security precautions. Caregivers also need to have the same abilities to access information in order to respond to patient queries in the timeliest manner possible.
Now consider how much time could be saved if an out-of-office practitioner could easily and reliably access a secure patient snapshot from outside of the office… With an estimated 33% of healthcare employees working outside of the office at least once a week, it comes as little surprise that healthcare IT security specialists have named “Employee-provisioned devices (laptops, smartphones, and tablets for business use)” as one of the “Top 3 Security Risks for US Healthcare Security Decision-Makers.”
Once your organization has the right network infrastructure and security measures in place, those previous access issues no longer need to be escalated, diverted or put on hold until Monday.
Dependable, readily available access from remote locations also provides safeguards to ensure that your access to mission-critical information isn’t solely dependent on a single in-house resource who could be out on vacation or taking a sick day when you need them the most. When access is severely limited (possibly even to one person or position), your organization’s ability to become aware of, identify, and respond to any technical issue can easily be clotheslined by your single point of failure.
Instead of placing all of your eggs in one basket, having a fully trained team of IT professionals ready to help your users and physicians whenever a problem arises is one of the many benefits of working with a California Bay Area IT services firm.
Information Dissemination and Multiple Accessibility Options
Patient information technology has developed at different rates. In-office computerized patient record systems came into common use years before many practices invested in patient-facing electronic health records.
However, when portals and offices are using a mix of multiple different record systems and methodologies, communications can easily become much more complex or difficult than necessary. With that in mind, special care must be taken to help ensure that your organization properly communicates to align its patient record methodologies with one another.
A key component of this process is ensuring that patient information such as test results, prescribed medications and prior procedures is dependably accessible to internal customers with the right role-based access rights, from nurses to medical assistants and even medical aides. Your record system must be capable of mirroring the medical information available to the patients themselves. After all, successful patient engagement often hinges upon information availability and transparency, as well as timely communication.
Respect Your Time and Your Patients’ Time
Precious time is often wasted updating routine health information at the start of appointments. With the availability of next-level technology, simple yet crucially time-saving requests, such as having patients update their records from home prior to appointments, can be implemented and managed electronically.
Furthermore, practice-supplied tablets can and increasingly are being handed to patients upon check-in, with configurations primed to walk patients through customized questionnaires based on each provider’s informational needs and preferences. In many instances, this same software can then alert the caregiver to changes and prompt on-target discussion.
The most beneficial healthcare IT solutions for your medical practice are those that are equally beneficial to both health professionals and caregivers alike. From mirrored portals to accessible data and optimized in-office time, practices can heighten both patient and employee satisfaction while upgrading overall practice operations and efficiency with help from the right healthcare IT services provider.
How To Add Apple Computers To Your Domain
A common challenge system administrators face is having to choose whether they will allow Apple-based systems into their computer networks. While there are many pros and cons to weigh, one easy way of working around this challenge is to add Mac OS X systems to your domain.
Adding an Apple-based system allows users to log in to network drives, and use the Active Directory (AD) to set or reset passwords and accounts.
What Does This Guide Teach Me?
It’s always exciting to get a new computer, and whenever one of your people gets a new Mac, they are probably chomping at the bit to get started! In order to make sure they are properly set up, you will need to know how to add Apple computers to your domain. That’s why we’ve created this step-by-step instructional blog post.
Adding A Mac Computer To Your Domain:
1. Go to Applications/System Preferences then click on the “Users and Groups” button.
2. Go to “Login Options” and then click on the padlock to open up the options to make changes.
3. Click on Edit next to Network Account Server.
4. Click on Open Directory Utility.
5. Click on the Padlock again to unlock your options.
6. In the window that pops up, click on the arrow to the left of the screen so that you can see all of the options.
7. MAKE SURE you click on: Create mobile account at login so that it creates a local profile for your account.
Failure to do so means you will need to constantly be on the domain in order to properly log in.
8. Next you will want to go to the Administrative tab (pictured below) and ensure that:
- “Allow Administration by” is checked
- All of your domain accounts have been added in.
Failure to do so will make troubleshooting later down the road more difficult
(This is because your default domain admin accounts will not have the proper rights)
9. Put your domain information in the options above.
*See the screenshots with the “justice league” examples listed above and below*
Active Directory Forest: JusticeLeague.com
Active Directory Domain: Justiceleague.com
Computer ID: TheFlash1
10. Now click on Bind. After the authentication screen, it should only take a few minutes for your Apple operating system to be properly bound.
11. You can now restart your system and log in with your Active Directory domain account.
And that’s it!