
Cybersecurity Best Practices, DOL Style: Stay in Control


Editor’s Note: This is the third in a series about the guidance the Department of Labor’s Employee Benefits Security Administration (EBSA) issued on April 14 concerning cybersecurity. The first is here; the second is here.

The Department of Labor’s Employee Benefits Security Administration (EBSA) on April 14 issued comprehensive guidance on cybersecurity from a variety of perspectives. This includes in-depth guidance on best practices to follow when seeking to protect the security of retirement accounts and plan data—and part of that is establishing and maintaining control.

Access Control

The DOL recommends setting strong access control procedures in place. Controlling access, EBSA says, helps guarantee that users: (1) are who they say they are; and (2) have appropriate access to IT systems and data. EBSA suggests the following as best practices for access control: 

  • Access: Limit access to systems, assets and associated facilities to authorized users, processes, devices, activities and transactions. Limit access privileges based on an individual’s role and follow a need-to-access approach. Review access privileges at least every three months.
  • Old accounts: Disable and/or delete accounts when necessary; use multi-factor authentication wherever possible.
  • Implement controls: Implement (1) policies, procedures and controls to monitor the activity of authorized users and detect unauthorized access, use of, or tampering with, nonpublic information and (2) procedures to ensure that any sensitive information about a participant or beneficiary in the service provider’s records matches what the plan maintains. Confirm the identity of the authorized recipients of funds.

Review Cloud Control

Make sure that assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments, the DOL suggests. “Cloud computing presents many unique security issues and challenges,” EBSA says, and explains that “In the cloud, data is stored with a third-party provider and accessed over the internet. This means visibility and control over that data is limited.” EBSA argues that making sound decisions regarding a cloud service provider requires understanding the provider’s security posture, and that best practices for doing that include: 

  • Requiring a risk assessment of the provider. 
  • Defining minimum cybersecurity practices. 
  • Periodically assessing a provider based on potential risks.
  • Ensuring that guidelines and contractual protections at least address: (1) access control policies and procedures, including the use of multi-factor authentication; (2) encryption policies and procedures; and (3) the provider’s notification protocol when something happens that affects a customer’s information system(s) or nonpublic information.

Best Practices

Set strong technical controls in place that implement best security practices, the DOL suggests. It argues that technical security solutions primarily are implemented and executed by an information system through mechanisms contained in the hardware, software or firmware components of the system. The DOL enumerates the following as best security practices for technical security: 

  • up-to-date hardware, software and firmware models and versions;
  • vendor-supported firewalls, intrusion detection and prevention appliances/tools; 
  • antivirus software that is current and regularly updated; 
  • routine patch management (preferably automated); 
  • network segregation; 
  • system hardening; and 
  • routine data backup (preferably automated).

Next: Systems