Contents
• Background/History
• SPARK Data Security Oversight Board (DSOB)
• Development Process
• Regulatory Environment
• Framework Flexibility
• Third Party Attestations
• SOC2
• AUP
• Control Objectives
• How It Works
• Next Steps
Background & History
• Proliferation of Questions
• Intimacy of Questions & Secrecy of Answers
• Refusal to Answer to Protect Other Clients
Security Framework Flexibility
• Agreement on a single framework is not possible
• A single framework is NOT Desirable
• Diverse Frameworks make a stronger defense
Control Objectives
1) Risk Assessment and Treatment
• The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals
2) Security Policy
• Security policies are approved and communicated
3) Organizational Security
• Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
4) Asset Management
• The data, personnel, devices, systems, and facilities are identified and managed based on importance to business and organization’s risk strategy
5) Human Resource Security
• The organization’s personnel and partners are suitable for the roles they have and are provided cybersecurity awareness education
6) Physical and Environmental Security
• Physical access to assets is managed and protected
7) Communications & Operations Management
• Technical security solutions are managed to ensure the security and resilience of systems and assets consistent with related policies, procedures, and agreements
8) Access Control
• Access to assets and associated facilities is limited to authorized users, processes, or devices
9) Information Systems Acquisition Development
• A system development life cycle is implemented; a vulnerability management plan is developed and implemented, and vulnerability scans are performed
10) Incident & Event Management
• Response processes and procedures are executed and maintained
11) Business Resiliency
• Response plans for Business Continuity and Recovery are in place
12) Compliance
• Legal requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
13) Mobile
• A formal policy is in place and appropriate security measures adopted to protect against the risks of using mobile computing
14) Encryption
• Data-at-rest is protected and Data-in-transit is protected
15) Supplier Risk
• Ensure protection of the organization’s assets that are accessible by suppliers
16) Cloud Security
• Ensure protection of the organization’s assets that are stored or processed in cloud environments
How It Works
• Record Keeper Hires Third Party Independent Auditor
• Auditor Uses SPARK’s 16 Control Objectives
• Auditor Creates a SOC2 or AUP Report for Consultants and Plan Sponsors
• Plan Consultant or Plan Sponsor Uses Report to Grade Record Keepers
Next Steps
• Communicate to Plan Sponsors, Consultants and Attorneys
• Implement New Best Practice Disclosures for Cyber Security & Data Protection
• Share with Retirement Community, Learn and Continually Improve the Process