Now that you understand why you need a cybersecurity strategy and how to begin creating your cybersecurity policy, let’s explore the second step you can take to jump-start your cybersecurity program: creating a process to manage your advisory firm’s inventory of essentials.
This step addresses the National Institute of Standards and Technology’s (NIST) identify core principle, fulfilling a few of its requirements. To learn more about NIST and its core principles, read the first article in this series, “Is your advisory firm actively strengthening your cyber defenses?”
What is an inventory management plan?
This document outlines how your firm will manage its inventory of essentials—the data, items, people, services, and third parties essential to running your business. This document should be updated regularly.
Who creates the inventory management plan?
You will need to designate a “cybersecurity manager (CSM) or cybersecurity officer (CSO)” for your firm. This person will work with stakeholders to pull together the content of the inventory, get it approved, and keep it up to date.
What should the plan include?
As with other documentation in your cybersecurity strategy, there is no prescribed format. The contents of your inventory management plan will be tailored to your firm. To get you started, ask yourself the following questions to help you think through what is essential to running your business.
What are your business objectives?
Advisors have many objectives: shepherding clients through financial investment decisions, creating and maintaining portfolios, producing client paperwork, growing their client base, adhering to regulatory guidelines, protecting customer and employee data, and so on. Write down your business’s goals and prioritize them. These business objectives will help determine what should be listed in your inventory and how you should rank their importance.
What enables you to stay in business?
It’s important to know what you have, where it is, and how it helps you run your business. These items, services, and people are your “treasures.” Some treasures are more valuable than others and require more effort to protect.
A common metaphor for ranking your treasures is the medieval castle. The castle is built to protect many things: the people that live there, the jewels and resources they have acquired, and their official documents. Each of these things has a different value in the eyes of the people who run the castle and will be protected differently because of that (e.g., walls and a moat versus armed guards). Ultimately, processes will be developed based on the threats that exist and the consequences should those threats be realized.
In the same way, as an advisor, you must know what your treasure is, where it is, and how important it is to running your business before you can start making decisions about where to devote your limited time and resources.
If you are unsure of what should be included in your inventory, start by considering the following categories found in NIST’s Cybersecurity Framework (for more information on NIST’s Cybersecurity Framework and why you need to be familiar with it, read the first article in this series, “Is your advisory firm actively strengthening your cyber defenses?”).
You use data every day to run your advisory business. Customer and employee data (e.g., names, addresses, Social Security numbers, bank account numbers), product information, and business information (contracts, relationships, plans) all fall under this category. It is not enough to merely list these data items in your inventory. You also need to document the answers to the following questions:
- Where is the data?
- Who should have access to it (and who does)?
- How does the data move (i.e., how does it come into the firm, move to different locations within the firm, and leave the firm)?
- How is the data classified from most to least critical?
- How is the data tracked and reviewed?
- How could this data be leaked outside the firm on purpose or accidentally?
People are the lifeblood of an advisory business, especially for small and medium-size firms, where employees may be performing multiple roles. Your firm may also use the services of third-party vendors. When adding people to your inventory, make sure you document the answers to the following questions:
- What role(s) do they play?
- What access to data should their role give them?
- What access to systems should their role give them?
- How are the roles and access tracked and reviewed?
- How important are these roles from most to least critical?
Devices include computers, cell phones, tablets, servers, websites, software packages, networks, and more. While it may seem overwhelming to inventory all of these things, it is helpful to begin by identifying what technology you used today as part of running your firm. For each item on the list you generate, you need to document answers to the following questions:
- Where is it?
- Who owns it?
- How important is it from most to least critical?
- What happens if it is lost, stolen, or broken?
- How does it get updated?
“Computer systems” can be a vague term. It could mean computer software (e.g., Bloomberg or Microsoft Word), or it could mean a physical system that includes both hardware and software (e.g., a firewall). For each item on the list, you need to document answers to the same questions that you asked for each of your devices.
A facility is a place or a piece of equipment tied to a physical location. For an advisory firm, this could include your office, backup generators, and HVAC systems, among other things. For each facility, you need to document answers to the following questions:
- Who is responsible for it?
- What would happen if it were unavailable?
External dependencies are items outside of the firm that you need to run your business. These may include pricing information, transactions and positions, custodians, or an external website provider. Compile a list of your external dependencies. For each dependency, document the answers to the following questions:
- What do we get from this entity?
- What do we give to this entity?
- Could this entity be replaced?
- How long could I do without this entity?
- Is there paper between us (i.e., a written contract or agreement)?
- How important is this entity from most to least critical?
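As an added example (not from the original article or any firm’s actual plan), the following Python sketch encodes the per-category questions above as required fields, flags inventory items whose answers are still undocumented, and ranks the fully documented items by criticality. The field names, category keys, and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, field
# Questions the article requires per category; devices and systems share a set.
REQUIRED = {
    "data": ["location", "authorized_access", "data_flow", "classification",
             "tracking_review", "leak_paths"],
    "people": ["roles", "data_access", "system_access", "access_review"],
    "devices": ["location", "owner", "loss_impact", "update_process"],
    "systems": ["location", "owner", "loss_impact", "update_process"],
    "facilities": ["responsible_party", "unavailability_impact"],
    "external_dependencies": ["received", "provided", "replaceable",
                              "max_outage", "written_agreement"],
}

@dataclass
class Asset:
    name: str
    category: str
    criticality: int  # 1 = most critical; larger numbers are less critical
    answers: dict = field(default_factory=dict)  # question -> documented answer

def missing_answers(asset):
    """Return the required questions this asset has no documented answer for."""
    if asset.category not in REQUIRED:
        raise ValueError(f"unknown category: {asset.category}")
    return [q for q in REQUIRED[asset.category]
            if not str(asset.answers.get(q, "")).strip()]

def review_inventory(assets):
    """Rank fully documented assets by criticality; report gaps for the rest."""
    complete, gaps = [], {}
    for a in assets:
        missing = missing_answers(a)
        if missing:
            gaps[a.name] = missing
        else:
            complete.append(a)
    complete.sort(key=lambda a: (a.criticality, a.category, a.name))
    return [a.name for a in complete], gaps
# Constructed sample inventory for a small advisory firm (not real data).
SAMPLE = [
    Asset("client PII database", "data", 1, {
        "location": "encrypted file server", "authorized_access": "advisors, ops lead",
        "data_flow": "onboarding form -> CRM -> custodian", "classification": "critical",
        "tracking_review": "quarterly access review", "leak_paths": "email, lost laptop"}),
    Asset("custodian", "external_dependencies", 1, {
        "received": "positions, pricing", "provided": "trade instructions", "replaceable": "yes",
        "max_outage": "1 business day", "written_agreement": "yes"}),
    Asset("advisor laptop", "devices", 2, {"location": "office/home", "owner": "firm",
          "loss_impact": "exposure; remote wipe", "update_process": ""}),
    Asset("office HVAC", "facilities", 3, {"responsible_party": "building management"}),
]
```

Running `review_inventory(SAMPLE)` returns the ranked names of the two complete items and a dictionary naming the unanswered questions for the laptop and the HVAC system, which is the gap list the CSM would work through before the next review.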
While your cybersecurity policy outlines your plans for addressing cybersecurity issues and responsibilities, managing your inventory focuses on knowing the data, personnel, devices, systems, facilities, and external dependencies that you need to run your business.
While taking your inventory, don’t forget to rank each item’s importance; that ranking informs how you plan to manage and protect it.
Now that your inventory management plan is in place, the next step in building a solid cybersecurity strategy is to develop and deploy a process for identifying the threats that exist to your business, the vulnerabilities that would allow them to be realized, and the steps you can take to prevent them. We’ll dive into how to get started in the next post in our “Cybersecurity for financial advisors” series.