SEC Alerts Financial Firms to Risks Associated with Storage Practices for Sensitive Data
The risk alert issued on May 23, 2019 by the Office of Compliance Inspections and Examinations (OCIE), a unit of the U.S. Securities and Exchange Commission (SEC), warns of the very things we at Continuity Software have been calling attention to during this past half year.
The SEC is responsible for the enforcement of laws and regulations in the US securities markets. The OCIE alert noted that financial firms do not consistently use security features, and that weak and misconfigured security settings put electronic customer records and information in network storage solutions at risk. This warning was issued for both on-premise and cloud-based network storage solutions.
OCIE identified three key problems with how sensitive data was stored:
- Misconfigured network storage solutions; no policy to address these issues
- Storage configurations that did not follow vendor best practices
- Sensitive/core data not necessarily categorized as such and thus, not always sufficiently protected
OCIE cautioned that these security-setting misconfigurations could lead to unauthorized access as well as regulatory compliance issues.
The alert cited examples of practices they recommend to remedy these faults:
- Ongoing maintenance and review of the storage solution
- Guidelines to ensure security configurations meet standards and network solutions are properly configured
- Regular implementations of software patches and hardware updates followed by validation that changes did not inadvertently cause security misconfigurations
If you’re familiar with our mission at Continuity Software, and our writing on the topic, the substance of the OCIE risk alert won’t surprise you.
We developed Data Security Advisor™ to address these and related issues involved in achieving and maintaining the security of core data storage systems, including storage arrays, cloud storage, storage network, storage management systems, data protection systems and additional storage devices. In a nutshell, Data Security Advisor checks the configuration of storage systems and detects vulnerabilities, violations of vendor and industry best practices, organizational security baseline requirements, ransomware protection guidelines, and non-compliance with regulations and standards that could impact the security of peta bytes of critical data kept within these storage systems.