CyNtell has experience in the area of SEC compliance, providing turnkey Cybersecurity solutions to small- to medium-sized financial advisory firms. We provide financial advisors with support in network policy development, risk assessments, security evaluations, phishing and social engineering prevention, mitigation planning, incident response planning, BCP and COOP analysis, and Cybersecurity awareness training. Contact us today to receive details regarding the family of solutions described below.
Cybersecurity Program Management
The sad reality of today’s business environment is that every organization needs protection from intruders and hackers. Financial firms are definite targets of criminals and potentially terrorists. Firms need reliable, responsible and consistent support solutions to identify and mitigate threats, vulnerabilities, and potential attacks. CyNtell provides Cybersecurity Program Management to ensure that the firm’s policy is implemented and incorporated into the firm’s IT infrastructure and operational procedures. CyNtell will designate a Cybersecurity Specialist to be your firm’s adjunct Chief Information Security Officer (CISO) who directly manages all the aspects of the firm’s Cybersecurity program.
Let CyNtell take the burden and responsibility for an effective Cybersecurity program off of your shoulders. Let the expertise and experience of a professional services company be your firm’s Cybersecurity department. Our solution is to make mitigation and monitoring practices transparent yet effective for your firm so that you can do what you do best while trusting that your firm is protected and compliant.
FINRA guidance recommends that financial advisory firms perform a risk assessment as the baseline for Cybersecurity policy development. The results of the assessment determine the mitigation strategy defined in the resulting policy, and the assessment itself demonstrates proper due diligence by the firm’s Cybersecurity program. CyNtell uses the published FINRA Small Firm Checklist to create a baseline of the firm’s risk profile. The checklist has been heavily modified to incorporate NIST and ISO risk assessment guidance and best practices. Our experienced Cybersecurity consultants use documentation and brief personnel interviews to obtain the necessary details about the firm’s business model, technology infrastructure, and data processing. Every engagement concludes with a completed checklist and a risk assessment report (RAR) that illustrates the firm’s current risk profile.
Cybersecurity Policy Development, Validation & Refinement
The SEC requires that all financial advisory firms have a Cybersecurity policy. The SEC requires that the policy be customized and tailored to the firm’s business operations, and be the direct result of some form of risk assessment. CyNtell provides policy development services in conjunction with a risk assessment as a turnkey solution for SEC compliance. Our approach to policy development is derived from NIST guidelines and over a decade of examiners’ feedback during audits/evaluations. We use a policy structure that clearly articulates the firm’s understanding of risk and the resultant mitigation strategy.
A Cybersecurity policy must be validated as proof that the mitigation strategy is being implemented operationally. The policy is validated in two ways: 1) through documented evidence of due diligence, and 2) through operational processes and procedures that implement policy directives and standards. Using Review, Inspection, Interviews, Observation, and Testing (RIIOT), CyNtell provides a validation assessment. Results are documented in a gap analysis report that the firm can use to demonstrate to an Examiner/Evaluator that the firm’s policy is being implemented and monitored.
During policy validation, the Cybersecurity policy may be found to be out of line with the firm’s business model or IT architecture. CyNtell’s consultants have the expertise and business acumen to recommend remediation that addresses such inconsistencies. To refine a firm’s policy, our consultants review the risk assessment, the gap analysis, and the firm’s business practices to right-size the policy to the firm’s risk profile.
Mitigating risk involves administrative, technical, and physical controls. Implemented controls should be tested periodically to ensure they are meeting the intended protection objectives. CyNtell provides both vulnerability assessments and penetration testing to validate a firm’s controls. A vulnerability assessment is a passive review of control sets; it causes little to no disruption to the firm while producing an understanding of existing vulnerabilities. A penetration test is an active scan and simulated attack on the firm’s controls, performed in an effort to provide a real-case understanding of the impact of an exploitation. Our consultants are certified and Licensed Penetration Testers with expertise in industry-accepted methodologies.
In phase I, a credentialed CyNtell Cybersecurity analyst performs a review of the firm’s IT documentation and its systems’ hardware and software inventory to determine potential areas of vulnerability. In phase II, the analyst uses a toolset (for example, Metasploit) to validate the potential IT areas of vulnerability. Our analyst also conducts social engineering drills (for example, impersonation, phishing, and dumpster diving) to assess the human and physical aspects of the firm’s protection. The outcome is a documented list of vulnerabilities, associated impacts, and recommended remediation.
In essence, this is phase III of a security assessment. It involves a CyNtell Cybersecurity analyst using hacking tools and penetration testing methodology to simulate a malicious attack on the firm’s IT systems. Our analyst simulates attacks including denial of service (DoS), data theft, and data destruction. Depending on the circumstances and the firm’s requirements, a physical penetration test can be conducted to simulate an intruder focused on theft of PII and corporate espionage. The outcome is a documented list of vulnerabilities, exploitation threat vectors, work factors for the exploits, associated impacts, and recommended remediation.
Should your firm become the victim of a malicious attack from an external party, or identify a threat from an insider, CyNtell can provide digital forensic expertise. Our forensic analysts are Certified Hacking Forensic Investigators with the skills to respond to such incidents and to uncover and preserve evidence in accordance with the law. We use state-of-the-art tools such as EnCase to ensure that data is collected with the highest levels of completeness and integrity, which most courts require for evidence admissibility. The outcome is a document detailing the probable origin and sequence of events of the attack, together with the evidence collection and analysis.
People are the key to more secure environments, systems and networks. In the three-tier Cyber architecture (People, Process, and Technology) the “people” are the basis by which higher levels of security are achieved. Therefore, almost every standard for the development of a Cybersecurity program specifies that an organization must provide some form of security awareness to its employees. CyNtell understands that a creative, interactive and audience-appropriate awareness, training and education program is critical to security. We will partner with your firm to develop and deliver such a program to ensure that people understand organizational policies, their IT security responsibilities, and how to properly use and protect enterprise resources. Our approach for small firms is to alleviate the burden by providing a standard set of awareness activities to meet the requirements of most Cybersecurity policies. To that end, the firm’s personnel will receive:
- A monthly email inviting them to view the CyNtell Security Awareness Blog (contributed monthly)
- A quarterly Security Awareness Newsletter
- A live, 90-minute, semi-annual security awareness webinar or in-person presentation.
Our security awareness activities are based on NIST SP 800-50, and, if requested, are customizable to fit a firm’s specific requirements.
Cybersecurity Protection Package (CPP)
Cybersecurity is a complex, technical industry, just like financial advising. Experience and expertise are critical factors of success. At CyNtell, we take ownership of our solutions and services and know that what we provide is steeped in sound methodology. The threat and risk landscape is ever changing, and CyNtell is vigilant and relentless in protecting our customers from malicious attacks, insider threats, and disruption. Therefore, we have created the Cybersecurity Protection Package to continuously maximize our partnership and minimize your risk. As part of the CPP, CyNtell designates a Cybersecurity Specialist to be your firm’s adjunct Chief Information Security Officer (CISO), who directly manages all aspects of the firm’s Cybersecurity program and provides guidance and support to your staff regarding protection and compliance. Your designated Cybersecurity Specialist is available 24/7 for consultation.
The Cybersecurity Protection Package includes the following solutions: