From time to time we have industry experts come on board to guest blog in order to provide our readers with interesting and insightful commentary. Today’s article is by Tom Young of EXENET, a leading IT consultancy.
Recent amendments to Regulation S-P have brought greater attention to high-profile cases in which organizations are accused of failing to provide the customer information protections outlined in Rule 30(a). Examples include an IT department failing to follow up on anti-virus problems, or a firm leaving 5,000 customer records at the curb.
While clear cases of gross negligence are easy to identify, compliance teams and COOs may wonder whether their IT policies and procedures are rigorous enough to prevent similar consequences. One example of an air-tight password policy would be:
- Implement a policy which outlines the frequency of password change, sharing of passwords and accounts, password strength requirements, password history enforcement, session timeouts with mechanisms to automatically lock devices and/or accounts. Make sure the policy dictates how password reset requests are to be handled and include an incident response protocol in the policy.
- Create computer-based training modules for all employees to understand password policies and track user training. Require training for all new hires on the policy.
- Set controls within the technology infrastructure to force adherence to the policy and have the systems and data well-secured.
- Run audit reports and check for intrusion activity against the password store on a periodic basis. Document your review meeting notes as evidence of periodic reviews. Lastly, consider having someone else review your work.
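As an added illustration of the third point (technology controls that force adherence to the written policy), here is example code that is not from the post or from EXENET: a small account model that enforces a minimum length, a reuse history, a maximum password age, automatic lockout after repeated failures and an idle session timeout. The concrete values (12 characters, 90 days, 5 remembered passwords, 5 attempts, 15 minutes) are assumptions chosen for the example, not figures stated in the article.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass
class PasswordPolicy:  # constructed values, not figures from the post
    min_length: int = 12
    max_age: timedelta = timedelta(days=90)    # password change frequency
    history_depth: int = 5                     # recent passwords that may not be reused
    lockout_threshold: int = 5                 # failed logins before automatic lock
    session_timeout: timedelta = timedelta(minutes=15)
@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, pbkdf2 hash), newest last
    changed_at: datetime = None
    last_activity: datetime = None
    failed_attempts: int = 0
    locked: bool = False

def _hash(password, salt):
    # PBKDF2: the store holds no reversible passwords, yet old hashes still allow reuse checks
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(acct, new, policy, now):
    # Apply strength and history rules; return a list of violations (empty on success)
    problems = []
    if len(new) < policy.min_length:
        problems.append("too short")
    if any(hmac.compare_digest(_hash(new, s), h) for s, h in acct.history[-policy.history_depth:]):
        problems.append("reused")
    if problems: return problems
    salt = os.urandom(16)
    acct.history.append((salt, _hash(new, salt)))
    acct.changed_at, acct.failed_attempts, acct.locked = now, 0, False  # a reset clears a lock
    return []

def authenticate(acct, attempt, policy, now):
    # Return 'ok', 'bad_password', 'locked' or 'expired'; locks the account after repeated failures
    if acct.locked: return "locked"
    salt, stored = acct.history[-1]
    if not hmac.compare_digest(_hash(attempt, salt), stored):
        acct.failed_attempts += 1
        acct.locked = acct.failed_attempts >= policy.lockout_threshold
        return "locked" if acct.locked else "bad_password"
    acct.failed_attempts = 0
    if now - acct.changed_at > policy.max_age:
        return "expired"  # older than the policy allows: force a reset
    acct.last_activity = now
    return "ok"

def session_expired(acct, policy, now):
    # Idle sessions past the timeout must be locked; a never-used session counts as expired
    return acct.last_activity is None or now - acct.last_activity > policy.session_timeout
```

Each decision the code makes (too short, reused, locked, expired) is also an event worth writing to the audit log that the fourth point asks you to review.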
The larger question remains: does your IT policy satisfy the requirements of Rule 30(a)?