Cyber Security Audit Checklist PDF

Soumya Ghorpade

Cybersecurity refers to the protection of investor and firm information and systems from cyber intrusions and any other unauthorized access. It also includes creating processes for responding to and recovering from incidents.

Firms will need to identify and inventory their information assets, assess how the compromise of each asset would impact customers and the firm, and formulate an action plan to follow if an asset is compromised.

1. Inventory of assets
Maintaining an inventory of your company’s information and systems is one of the key components of an effective cyber security program. Doing this will allow you to prioritize vulnerabilities and risks as well as anticipate threats that might appear and assess their likelihood.

Ransomware, which locks user data or systems and demands payment to restore access, is a prime example of an emerging threat that requires vigilant defense. Other threats include phishing, denial-of-service attacks and malware that steals information, tracks activity or damages files.

Third-party vendor cyber security compliance should also be assessed: vendors often hold considerable data that your firm needs protected, so their security controls must be thoroughly scrutinized. In addition, review your incident response plan to make sure it clearly lays out an escalation matrix and a communication plan.

2. Security policies
Before going in for an external audit for certification against a framework, or even conducting an internal audit to keep tabs on your security posture over time, it is vitally important to understand which threats your information systems must defend against – from cybercriminals looking for money and customer data, to nation states seeking espionage opportunities or control of critical infrastructure.

Be sure that your firm has policies in place to raise awareness, guard against intrusions and unauthorized access, detect when its assets have been compromised, and recover lost, stolen or unavailable assets. Firms should also prepare incident response procedures so they can react quickly to anticipated events such as loss of customer personal data, network intrusion, DDoS attacks or malware infections.

The final section of a cyber security audit checklist covers the steps a firm takes to identify gaps in its security infrastructure and close them. For instance, if it becomes evident that not all employee devices have automatic software updates enabled, a remediation plan can be created that includes installing device management tools, with compliance deadlines set as part of the plan.

3. Risk assessment
Cybersecurity threats are an ever-present risk, so it is imperative that your information systems and processes undergo an audit to identify any issues that could harm your business, and that you take steps to remedy them. An audit has a cost, but that cost is far lower than the cost of a data breach.

Firms conducting risk evaluations will inventory their information assets, evaluate the adverse impact to customers and to themselves if these assets were compromised, assign a risk severity level to each asset, and then assess the effectiveness of existing protections (password requirements, malware protection or firewalls) against specific vulnerabilities.

After conducting a vulnerability assessment, firms will create a strategy for strengthening security infrastructure and seek management approval before proceeding with implementation. This ensures that companies have taken measures to minimize risks and safeguard their most essential assets.

4. Security measures
Establish a team dedicated to monitoring, maintaining and improving cyber security measures. Be sure to clearly outline each team member’s roles and responsibilities – from senior management down to entry-level workers – so everyone understands what needs to be done to prevent information breaches or cyber threats.

Your firm should regularly update its systems to protect against known vulnerabilities and malware, enforce strong passwords, and train staff to recognise phishing attempts. In addition, ensure physical devices in offices and server rooms are secured from unauthorised access, natural disasters and other risks.

FINRA’s cybersecurity checklist is intended to aid small member firms in meeting their regulatory obligations; however, it cannot ensure compliance with FINRA rules or federal securities laws. Therefore, it’s essential that firms tailor the checklist according to their size and risk profile – and seek technology assistance from industry trade associations, peer groups or their FINRA Risk Monitoring Analyst.
