Tips to Evaluate Your Firm's IT and Cybersecurity Management

by Brenda Piazza, Director of Management and IT Security, FS San Diego

Security breaches are reported in the news with increasing frequency. These events damage a company's reputation, incur significant costs and create the potential for serious legal consequences. This leads business owners, executives and key personnel to ask how they should be evaluating their security and cybersecurity management to better protect themselves against those risks.

Two primary considerations are: (1) whether management has defined its IT security requirements through policies, and then communicated those policies to all employees; and (2) whether management regularly monitors and receives IT security reports, or whether management (other than IT) is only made aware of catastrophic failures when they occur.

How Do Your IT Practices Stand Up?

1. Are there written IT policies in place around security, change management, hiring and training? How are those policies communicated to all employees, new hires and contractors? Are there signed acknowledgements of those policies?

2. Is there employee and contractor training on IT security, including their responsibilities for changing passwords, securing laptops while off-site and management's expectations for securing removable media?

3. Is a formal IT risk assessment performed at least annually to understand where the risks are in IT security?

4. Are there logical access controls for granting, changing and revoking permissions to applications, networks, remote access, wireless access, etc.? Is an internal/external penetration test performed by a third-party firm to identify possible vulnerabilities in your network and "back doors" in vendor-supplied code?

5. Would you know when a potential IT security incident occurs, such as an attempted intrusion through your firewall? Do you have a written business continuity or disaster recovery plan in place that is tested annually?

6. Do you perform daily backups of production and test data and store the encrypted backups off-site? Do you perform restores of data from backup media to verify that the backups can be recovered?

7. Do you have formal change management procedures in place covering approval, developer assignment, testing of the change in a test environment and movement into production by someone other than the developer?

8. Is there physical security for the building, such as visitor logs, badge access cards and limited access to the server room? If you use an off-site hosted data center, is physical access to it restricted as well?

9. Have you read your customer contracts and renewals to consider their requirements regarding data classifications, what constitutes a breach and what your contractual obligations are for reporting to them should a breach occur? Do you know your legal notification requirements, and the timing of those requirements (which vary by state), should a security breach occur?

Only through ongoing monitoring of IT security practices can you truly reduce the likelihood of becoming the next big IT security breach "headline."

the adv | February 2016

CWA Snaps

Congratulations to Emily Noll, who has been promoted to CBIZ National Director of Wellness Solutions.

Polly Thomas has been named among the Top 40 under 40 by Business Insurance magazine.

Cindy Mull was named as a finalist for Business Woman of the Year by Tampa Bay Business Journal.

Moira House was named HR Practitioner of the Year by the Memphis Chapter of the Society for Human Resource Management.

The National Academy of Public Accounting Professionals has named Michelle Spriggs a Top 10 Accountant.

Congratulations to Megan Murdock, who was named to the "Top 40 Under 40" list by the Memphis Business Journal.
