Cyber Security Disclosures Webinar [Read-Only] · 2019-04-18

Cyber Security Disclosures

The SPARK Institute

Contents

• Background/History

• SPARK Data Security Oversight Board (DSOB)

• Development Process

• Regulatory Environment

• Framework Flexibility

• Third Party Attestations

• SOC2

• AUP

• Control Objectives

• How It Works

• Next Steps

Background & History

• Proliferation of Questions

• Intimacy of Questions & Secrecy of Answers

• Refusal to Answer to Protect Other Clients

• Consultants

• Record Keepers

SPARK Data Security Oversight Board

• Plan Consultants

Regulatory Environment

Security Framework Flexibility

• Agreement on a single framework is not possible

• A single framework is NOT Desirable

• Diverse Frameworks make a stronger defense

Development Process

• Collaborated

• Examined Possibilities

• Decided on an Approach

Third Party Attestations

• Flexibility

• Easily Understood

Control Objectives

1) Risk Assessment and Treatment

• The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals

2) Security Policy

• Security policies are approved and communicated

3) Organizational Security

• Information security roles & responsibilities are coordinated and aligned with internal roles and external partners


4) Asset Management

• The data, personnel, devices, systems, and facilities are identified and managed based on importance to business and organization’s risk strategy

5) Human Resource Security

• The organization’s personnel and partners are suitable for the roles they have and are provided cybersecurity awareness education

6) Physical and Environmental Security

• Physical access to assets is managed and protected


7) Communications & Operations Management

• Technical security solutions are managed to ensure the security and resilience of systems and assets consistent with related policies, procedures, and agreements

8) Access Control

• Access to assets and associated facilities is limited to authorized users, processes, or devices

9) Information Systems Acquisition Development

• A system development life cycle is implemented; a vulnerability management plan is developed and implemented and vulnerability scans are performed


10) Incident & Event Management

• Response processes and procedures are executed and maintained

11) Business Resiliency

• Response plans for Business Continuity and Recovery are in place

12) Compliance

• Legal requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed


13) Mobile

• A formal policy is in place and appropriate security measures adopted to protect against the risks of using mobile computing

14) Encryption

• Data-at-rest is protected and Data-in-transit is protected

15) Supplier Risk

• Ensure protection of the organization’s assets that are accessible by suppliers


16) Cloud Security

• Ensure protection of the organization’s assets that are stored or processed in cloud environments

How It Works

1) Record Keeper hires a third party independent auditor

2) Auditor uses SPARK’s 16 Control Objectives

3) Auditor creates a SOC2 or AUP report for consultants and plan sponsors

4) Plan consultant or plan sponsor uses the report to grade record keepers

Sample of Detailed Audit Report (figure)

Next Steps

• Communicate to Plan Sponsors, Consultants and Attorneys

• Implement New Best Practice Disclosures for Cyber Security & Data Protection

• Share with Retirement Community, Learn and Continually Improve the Process

Questions