Updating Policies and Procedures for Network Storage When Safeguarding Customer Records and Information
Employing network storage solutions, including security features offered by third-party cloud-storage providers, to safeguard customer records and information has increasingly become a part of many broker-dealer and investment adviser business operations. When designing, implementing, and/or reviewing its compliance policies and procedures, a firm should verify that they are customized to effectively implement oversight of the network storage solution. During recent examinations of firms, the Office of Compliance Inspections and Examinations (OCIE) has identified multiple security risks associated with the storage of electronic customer records and information when using network storage solutions.
In a recent risk alert, the OCIE staff provided a brief summary of their observations and noted a few compliance concerns stemming from the observations. The specific concerns they outline are misconfigured network storage solutions, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures.
The OCIE staff indicated that firms with effective storage practices customized their policies and procedures to address the implementation of the network storage solutions, including security features offered by third-party cloud-storage providers. These firms also implemented customized guidelines and security controls to ensure the system was configured correctly. In addition, many of the firms had a process to periodically review vendor management policies and procedures.
By: Scotty Franks, Red Oak Senior Compliance Consultant