Cyber Security Disclosures - Pension Research Council
Cyber Security Disclosures
The SPARK Institute
Presenters
Allison Itami Ben Taylor
Contents
• Evaluating Cyber Security Today
• Regulatory Environment
  • Gramm Leach Bliley
  • Title V Privacy
  • ERISA
  • International Regulations
  • Governmental Plans
  • State Statutes
• Filling the Regulatory Void
  • Background
  • SPARK Data Security Oversight Board (DSOB)
  • Development Process
  • Framework Flexibility
  • Third Party Attestations
    • SOC2
    • AUP
  • Control Objectives
  • How It Works
• Tools for Plan Sponsors, Plan Consultants and Plan Attorneys
Today’s Measure of Cyber Security
Adequacy
Behind Closed Doors
Evaluators Traditionally Not Trained as Experts
Destructive Information Cycle
Regulatory Environment
Gramm Leach Bliley
ERISA
International Regulations
Governmental Plans
State Statutes
Background & History
Proliferation of Questions
Intimacy of Questions & Secrecy of Answers
Refusal to Answer to Protect Other Clients
Development Process
Collaborated
Examined Possibilities
Decided on an Approach
SPARK Data Security Oversight Board
Third Party Attestations
First Priority
Flexibility
Security Framework Flexibility
• Agreement on a single framework is not possible
• A single framework is NOT desirable
• Diverse frameworks make a stronger defense
Easily Understood
SPARK’s 16 Control Objectives
1. Risk Assessment and Treatment
2. Security Policy
3. Organizational Security
4. Asset Management
5. Human Resource Security
6. Physical and Environmental Security
7. Communications & Operations Management
8. Access Control
9. Information Systems Acquisition Development
10. Incident & Event Management
11. Business Resiliency
12. Compliance
13. Mobile
14. Encryption
15. Supplier Risk
16. Cloud Security
How It Works
Record Keeper Hires Third Party Independent Auditor
Auditor Uses SPARK’s 16 Control Objectives
Auditor Creates a SOC2 or AUP Report for Consultants and Plan Sponsors
Plan Consultant or Plan Sponsor Uses Report to Grade Record Keepers
Next Steps
Communicate to Plan Sponsors, Consultants and Attorneys
Implement New Best Practice Disclosures for Cyber Security & Data Protection
Share with Retirement Community, Learn and Continually Improve the Process
Questions