
Cybersecurity Best Practices, DOL Style: Setting the Groundwork

Editor’s Note: This is the second in a series about the guidance the Department of Labor’s Employee Benefits Security Administration (EBSA) issued on April 14 concerning cybersecurity. The first installment is here.

The Department of Labor’s Employee Benefits Security Administration (EBSA) on April 14 issued comprehensive guidance on cybersecurity from a variety of perspectives. Cybersecurity is the goal, and now even more of an imperative since in that guidance, the DOL says that “responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” The guidance offers best practices to follow, and that includes laying the groundwork that will make greater security of plans, accounts and assets—and the retirement of participants—possible. After all, a structure must have a firm foundation.

Sound Practices at the Core

Many general business practices that really are the essence of sound governance and responsible business practice also are applicable in establishing strong security policies, procedures, guidelines and standards. EBSA suggests considering the following as criteria in doing so: 

  • Approval by senior leadership. 
  • Annual review.
  • Update policies, procedures, guidelines and standards as needed.
  • Explain terms effectively. 
  • Have policies, procedures, guidelines and standards reviewed by an independent third party auditor for compliance. 
  • Document framework(s) used to assess the security of systems and practices.

Annual Risk Assessments

EBSA suggests conducting annual risk assessments. It argues that since threats to information technology are constantly changing, it is important to design a manageable, effective schedule for assessments that will identify, estimate, and prioritize risks to information systems. EBSA further suggests that organizations codify the risk assessment’s scope, methodology and frequency. It recommends that a risk assessment do the following: 

  • Identify, assess and document how identified cybersecurity risks or threats are evaluated and categorized.  
  • Establish criteria to evaluate the confidentiality, integrity and availability of the information systems and nonpublic information, and document how existing controls address the identified risks. 
  • Describe how the cybersecurity program will mitigate or accept the risks identified. 
  • Facilitate revising controls in response to emerging threats and changes in technology. 
  • Keep current to account for changes to information systems, nonpublic information or business operations.

Third-Party Audit

EBSA indicates that it is not a good idea to rely solely on internal resources to gauge how complete a cybersecurity plan is and how well the structure is functioning. It recommends having a reliable third party audit security controls annually. EBSA argues in favor of assessment of an organization’s security controls by an independent auditor, which provides “a clear, unbiased report of existing risks, vulnerabilities and weaknesses.”

EBSA expects that an effective audit program would include:  

  • Audits and audit reports prepared and conducted in accordance with appropriate standards. 
  • Audit reports, audit files, penetration test reports and supporting documents, and any other analyses or review of cybersecurity practices. 
  • Documented corrections of any weaknesses independent third-party analyses identify.

Define Roles

EBSA suggests that information security roles and responsibilities be clearly defined and assigned. It argues that, to be effective, a cybersecurity program must be managed at the senior executive level and executed by qualified personnel. It further suggests that a Chief Information Security Officer (CISO) generally would establish and maintain the vision, strategy and operation of a cybersecurity program.

EBSA argues that a cybersecurity program should be carried out by qualified personnel who meet these criteria:

  • current knowledge of changing cybersecurity threats and countermeasures;
  • sufficient experience;
  • necessary certifications;
  • initial and periodic background checks; and
  • regular updates and training.

Regular Training

EBSA suggests that cybersecurity awareness training be conducted at least annually for all personnel; further, it suggests that the training content and program be updated to reflect the risks identified by the most recent risk assessment.

“Employees are often an organization’s weakest link for cybersecurity,” says EBSA. They argue that “a comprehensive cybersecurity security awareness program sets clear cybersecurity expectations for all employees and educates everyone to recognize attack vectors, help prevent cyber-related incidents and respond to a potential threat.” 

Next: Stay in control.