Cybersecurity Best Practices, DOL Style: Systems

Practice Management

Editor’s Note: This is the fourth in a series about the guidance the Department of Labor’s Employee Benefits Security Administration (EBSA) issued on April 14 concerning cybersecurity. The first is here; the second is here; the third is here.

The Department of Labor’s Employee Benefits Security Administration (EBSA) on April 14 issued comprehensive guidance on cybersecurity from a variety of perspectives. This includes in-depth guidance on best practices to follow when seeking to protect the security of retirement accounts and plan data—and part of that is developing and using systems to help in that endeavor.  

Secure System Development Life Cycle Program (SDLC)

EBSA says that a secure SDLC process ensures that security assurance activities such as penetration testing, code review and architecture analysis are an integral part of the system development effort. EBSA enumerates the following as best practices in this regard: 

  • Procedures, guidelines and standards which ensure any in-house applications are developed securely. This, they say, would include such protections as:
    • configuring system alerts to trigger when an individual’s account information has been changed;
    • requiring additional validation if personal information has been changed before requesting a distribution from the plan account; and
    • requiring additional validation for distributions (other than a rollover) of the entire balance of the participant’s account.
  • Procedures for evaluating or testing the security of externally developed applications, including periodic reviews and updates.
  • A vulnerability management plan, including regular vulnerability scans.
  • Annual penetration tests, particularly regarding customer-facing applications.
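The three in-house application protections in the first bullet are controls a plan administrator can implement directly in the application. The Go program below is an added illustration, not code from EBSA, the Department of Labor or the article: it emits an alert whenever a participant's account information changes, and it requires additional validation (step-up) on a distribution request when personal information was changed recently or when a non-rollover distribution would empty the account. All type and field names, the 30-day window and the sample participant are assumptions made for the example; the guidance sets no specific values.

```go
package main

import (
	"fmt"
	"time"
)

// All types, names and thresholds in this file are constructed for the
// illustration; the EBSA guidance specifies no particular values.

type DistributionType string

const (
	Rollover DistributionType = "rollover"
	Cash     DistributionType = "cash"
)

// ProfileChangeWindow is an assumed policy: a distribution requested within this
// period after a change to personal information gets extra validation.
const ProfileChangeWindow = 30 * 24 * time.Hour

type Participant struct {
	ID                string
	BalanceCents      int64
	LastProfileChange time.Time // zero value means never changed
}

// Alert is what the "system alert on account information change" control emits.
type Alert struct {
	ParticipantID string
	Field         string
	At            time.Time
}

// RecordProfileChange updates the participant record and returns the alert that
// should be routed to the participant (out of band) and to plan staff.
func RecordProfileChange(p *Participant, field string, at time.Time) Alert {
	p.LastProfileChange = at
	return Alert{ParticipantID: p.ID, Field: field, At: at}
}

type DistributionRequest struct {
	Participant Participant
	AmountCents int64
	Type        DistributionType
	RequestedAt time.Time
}

type Decision struct {
	RequireStepUp bool     // true: demand additional validation before paying out
	Reasons       []string // why step-up was required, for the audit log
}

// EvaluateDistribution applies the two validation rules from the list above.
func EvaluateDistribution(req DistributionRequest) Decision {
	var d Decision
	p := req.Participant

	// Rule 1: personal information changed shortly before the request.
	// A negative difference (clock skew) is treated as "recent" on purpose.
	if !p.LastProfileChange.IsZero() && req.RequestedAt.Sub(p.LastProfileChange) < ProfileChangeWindow {
		d.Reasons = append(d.Reasons, "personal information changed within policy window")
	}

	// Rule 2: the entire balance leaving the plan, other than by rollover.
	if req.Type != Rollover && req.AmountCents >= p.BalanceCents {
		d.Reasons = append(d.Reasons, "full-balance distribution (non-rollover)")
	}

	d.RequireStepUp = len(d.Reasons) > 0
	return d
}

func main() {
	// Constructed sample: bank account changed five days before a full cash-out.
	now := time.Date(2021, 5, 1, 9, 0, 0, 0, time.UTC)
	p := Participant{ID: "P-0001", BalanceCents: 250_000_00}
	alert := RecordProfileChange(&p, "bank_account", now.Add(-5*24*time.Hour))
	fmt.Printf("alert: %+v\n", alert)

	req := DistributionRequest{Participant: p, AmountCents: 250_000_00, Type: Cash, RequestedAt: now}
	fmt.Printf("decision: %+v\n", EvaluateDistribution(req))
}
```

The decision carries its reasons so the audit trail records why a payout was held for additional validation; what that validation is (a call-back, a second factor, a waiting period) is a plan-level choice the guidance leaves open.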

Encryption

EBSA also suggests encrypting sensitive data both at rest and in transit. “Data encryption can protect nonpublic information,” says EBSA, adding, “A system should implement current, prudent standards for encryption keys, message authentication and hashing to protect the confidentiality and integrity of the data at rest or in transit.”
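The sentence on keys, message authentication and hashing is a statement of what a current standard looks like in practice. The Go program below is an added example, not from EBSA or the article, showing one way to encrypt a participant record at rest with an authenticated cipher (AES-256-GCM from Go's standard library): the key is 256 random bits, each record gets a fresh random nonce, the record identifier is bound to the ciphertext as associated data so one participant's encrypted data cannot be swapped into another's row without detection, and a SHA-256 fingerprint identifies which key encrypted a record. The choice of cipher, the associated-data layout and the sample values are assumptions for the example; in a real system the key would come from a key-management service rather than be generated beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In production this would be issued
// and stored by a KMS/HSM; generating it here keeps the example self-contained.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// KeyID is a short SHA-256 fingerprint of the key, stored alongside each
// record so the right key can be found during rotation. It reveals nothing
// usable about the key itself.
func KeyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

// Encrypt seals plaintext with AES-256-GCM. The returned bytes are
// nonce || ciphertext || GCM tag. aad (e.g. the participant ID) is
// authenticated but not encrypted, tying the ciphertext to its record.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to the ciphertext, tag or aad makes
// gcm.Open fail, which is the "message authentication" the guidance asks for.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the participant ID is the associated data.
	aad := []byte("participant:P-0001")
	sealed, err := Encrypt(key, []byte("dob=1970-01-01;bank=****1234"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key %s, stored record %s\n", KeyID(key), hex.EncodeToString(sealed))

	pt, err := Decrypt(key, sealed, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = Decrypt(key, sealed, []byte("participant:P-0002"))
	fmt.Printf("moved to another participant: err=%v\n", err)
}
```

For data in transit the same properties (confidentiality plus integrity with fresh per-message nonces) come from TLS rather than hand-rolled record encryption; the application-level envelope above is for what sits in the database or backups.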

Next: Looking Ahead