Employee Benefits Security Administration

Cybersecurity Best Practices

If you are in the Benefits Administration business, or if you in any way keep information related to employee benefits and the personal information of groups of employees, this article is for you. The Department of Labor has recently published a paper detailing a list of best practices that “responsible plan fiduciaries” and “record keepers and other service providers responsible for plan-related IT Systems” must follow to protect employees’ confidential information.

The following is a list of the items that they specify for a properly secured IT environment:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in the cloud or managed by a third-party services provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development lifecycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
  10. Encrypt sensitive data stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

As you can see, the requirements for your systems are getting more and more formalized, and the guidance from various regulatory agencies is getting more specific. As I commented on in other articles, all these requirements mirror the best practices in the NIST framework.

To become compliant with these requirements and others, it is essential that companies start to add the following services to their IT management:

  1. Quarterly, or at a minimum yearly, vulnerability and penetration testing, with remediation of the findings.
  2. IT Security Compliance Services to ensure you meet the guidelines listed above. This involves security policies, planning, record keeping, training, and risk management.
  3. 24/7 Security Operations and Threat Detection – a way to know that systems may have been compromised.
  4. Disaster Recovery and Business Continuity Services.
  5. Password Management.
  6. Robust monitoring, patching and prevention measures.
  7. Multi-factor authentication.

For more details, you can find the Department of Labor’s paper on Cybersecurity Program Best Practices here.

If you are not sure that you have all these items in place or if you would like to discuss any of this with me, send me a message or give me a call at 484-443-4000 ext. 101.