November 11, 2024
Avoiding Costly “Audit Traps” – Building Cybersecurity Policies for Small RIAs

Which is worse, not having a written cybersecurity policy or having one that you don’t follow?

Your initial answer may be that it is always better to have a policy than to not have a policy. If you have a policy, at least you have something to show the auditor when they show up in the office. The real answer is that the difference is simply at what point in the cybersecurity audit you will fail.

With no policy, you will fail out of the gate, making the auditor’s job easy. A policy is required, and you don’t have one. With a policy you don’t follow, you will fail later as the auditor compares the policy with your cybersecurity practices and documents the gaps.

These types of gaps are often referred to as “audit traps.” It is a trap you have laid for yourself by claiming you perform an activity in the policy when in fact you don’t. Consider this requirement from an actual RIA cybersecurity policy:

User accounts with no activity for 90 days will be reviewed by the appropriate system administrators to determine whether access is still required.

This one sentence will likely produce the following four questions from an auditor:

  1. Who are the system administrators reviewing the activity?
  2. What is their process for reviewing user activity?
  3. Where are your records demonstrating the accounts have been reviewed?
  4. How many accounts have been disabled in the past year as a result of this process?

No cybersecurity professional would argue that user accounts shouldn’t be reviewed for appropriate access. But there is no regulatory requirement that you must do it every 90 days. For example, the state of New York requires “periodic” reviews. In a small RIA without dedicated IT resources, reviewing account access annually and during employee terminations or responsibility changes is likely sufficient.

The broader point is that the above sentence creates a trap. You have promised to perform and document an activity at a given interval. If you fail to do so, you will fall into a trap you have laid yourself, creating an unnecessary audit finding in the process.
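To make the distinction concrete, here is an added example (not code from the original post or from any RegVerse tool) of what "reviewing accounts with no activity for 90 days" looks like as an operational check that leaves a record. It reads a constructed user export in the shape of a directory or identity-provider CSV, flags enabled accounts idle past a threshold, and builds the review record that answers the auditor's four questions: who reviewed, against what threshold, what was decided, and how many accounts were disabled. The export columns, reviewer name, sample accounts and decisions are all assumptions. The threshold is a parameter on purpose: whatever interval the written policy promises (90 days, annual, or something else) is the number this check must be run with, so the policy and the practice say the same thing.

```python
"""Dormant-account review that produces an audit artifact.

Added example, not code from the original post. The CSV layout below is an
assumption modelled on a typical directory/IdP user export.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample export (not real data). Assumed columns: username,
# enabled flag, last logon date (empty if the account never signed in),
# and account creation date.
SAMPLE_EXPORT = """username,enabled,last_logon,created
asmith,True,2024-10-28,2019-03-01
bjones,True,2024-06-15,2020-07-09
cwu,True,,2024-02-12
dlee,False,2023-01-20,2018-11-05
svc-backup,True,2024-11-01,2021-05-30
"""

# Review date used by the demo; in practice this is "today".
AS_OF = date(2024, 11, 11)


@dataclass
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]
    created: date


def parse_export(text: str) -> list:
    """Parse the CSV export. An empty last_logon means the account never signed in."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_logon"].strip()
        accounts.append(Account(
            username=row["username"].strip(),
            enabled=row["enabled"].strip().lower() == "true",
            last_logon=date.fromisoformat(last) if last else None,
            created=date.fromisoformat(row["created"].strip()),
        ))
    return accounts


def inactive_accounts(accounts, as_of: date, threshold_days: int) -> list:
    """Return (account, idle_days) for enabled accounts idle longer than the threshold.

    Accounts that never logged on are measured from their creation date so a
    missing timestamp cannot hide them. Accounts already disabled are skipped.
    """
    hits = []
    for acct in accounts:
        if not acct.enabled:
            continue
        anchor = acct.last_logon or acct.created
        idle = (as_of - anchor).days
        if idle > threshold_days:
            hits.append((acct, idle))
    return hits


def review_record(hits, as_of: date, reviewer: str, threshold_days: int, decisions: dict) -> dict:
    """Build the record an auditor asks for: who reviewed, when, against what
    threshold, the decision per flagged account, and how many were disabled.

    `decisions` maps username -> "disable" or "keep"; anything unmapped is
    recorded as "undecided" so an incomplete review is visible, not hidden.
    """
    entries = [
        {"username": acct.username, "idle_days": idle,
         "decision": decisions.get(acct.username, "undecided")}
        for acct, idle in hits
    ]
    return {
        "review_date": as_of.isoformat(),
        "reviewer": reviewer,
        "threshold_days": threshold_days,
        "accounts_reviewed": len(entries),
        "accounts_disabled": sum(1 for e in entries if e["decision"] == "disable"),
        "entries": entries,
    }


def demo_review(threshold_days: int = 90) -> dict:
    """Run the review over the constructed export with a hypothetical reviewer."""
    hits = inactive_accounts(parse_export(SAMPLE_EXPORT), AS_OF, threshold_days)
    # Hypothetical decisions; a real review also records the reason for each.
    decisions = {"bjones": "disable", "cwu": "disable"}
    return review_record(hits, AS_OF, "hypothetical-admin", threshold_days, decisions)


if __name__ == "__main__":
    record = demo_review(90)
    for e in record["entries"]:
        print(f"{e['username']:<12} idle {e['idle_days']:>4}d -> {e['decision']}")
    print(f"reviewed={record['accounts_reviewed']} disabled={record['accounts_disabled']}")
```

Run at a 90-day threshold against the sample data, the check flags two accounts (one stale, one never used) and the record shows both disabled; run at a 365-day threshold, it flags none. Keeping the dated record from each run is what turns the policy sentence from a trap into an artifact.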

Why would we have audit traps?

Most cybersecurity policies start out life as a boilerplate or generic document. In the policy sample above, it would not be unreasonable for a firm with a dedicated Windows administration team managing an Active Directory environment to review access every 90 days. So, if your boilerplate document was targeted toward such a firm, such a requirement may well be in your policy. Consequently, your policy would be misaligned with your needs.

Policies are also intended to be living documents. They should be updated as required to reflect changes in the business (such as moving to cloud-based services), changes in the threat landscape, and regulatory changes. Outdated policies can create further audit traps or other audit risks.

How to avoid audit traps

As C.S. Lewis wrote:

A sum can be put right: but only by going back till you find the error and working it afresh from that point, never by simply going on.

The solution is to go back to the beginning and freshen your cybersecurity program based on your current firm needs, regulatory requirements, and industry standards.

The following is such an approach:

  1. Review Your Current Policy
    Review your current policy, looking for audit traps and other gaps between what the policy says and what your firm actually does. The goal is to align the two while ensuring you meet current regulatory requirements.
    An output of this review should be the identification of required audit artifacts. Such artifacts will be based on the requirements in the policy and typical artifacts requested by auditors.
  2. Perform Risk and Vulnerability Assessments
    The purpose of a Risk Assessment is to identify and analyze potential risks that could impact your firm. For example, ransomware has created huge issues for businesses of all sizes, particularly in financial services. What processes and mitigations have you put in place to protect yourself against this risk?
    The purpose of a Vulnerability Assessment is to identify the computing assets that may pose a risk, identify weaknesses that may allow the loss of sensitive information, and then develop a plan to remediate the identified vulnerabilities.
  3. Perform a Personally Identifiable Information (PII) Inventory
    You are legally obligated to protect PII. Creating an inventory of where it is stored and who has access, and determining whether adequate controls such as Multi-Factor Authentication or Encryption are in place, is crucial for demonstrating your compliance with this obligation.

Summary

A thorough evaluation of your cybersecurity policy and current practices requires industry experience, technical expertise, and broad cybersecurity knowledge. Many general IT providers simply don't have the breadth of experience to perform such an assessment. In such cases, a second set of eyes on your cybersecurity program can be extremely valuable.

Regardless of who performs the exercise, the primary goal is to ensure your cybersecurity policies are appropriately aligned with your business requirements, avoiding the self-inflicted pain of audit traps.

RegVerse Team