1. Conduct an annual cybersecurity risk assessment
- Conduct an annual cybersecurity risk assessment
- Provide prioritized recommendations on areas for enhancement

2. Adopt cybersecurity policies and procedures, including cybersecurity threat and vulnerability management
Develop comprehensive policies and procedures, including:
- Incident response
- BCP/DRP
- Cyber and data security policy, including user security and access management and cybersecurity threat and vulnerability management

3. Establish a vendor management program
- Assist in implementing a well-documented vendor management program
- Maintain an approved vendor list
- Conduct annual vendor due diligence reviews
- Summarize vendor due diligence findings
- Coordinate a meeting to review a summary of the completed due diligence reviews and take meeting minutes to evidence oversight

4. Conduct and document an annual cybersecurity review
- Produce an annual cybersecurity testing report, including:
  - Detailed outline of review parameters and testing along with findings
  - Reports of phishing and external / internal network scans
  - Analysis of vendor due diligence responses
  - Documentation of risk assessments
  - Recommended updates to policies and procedures
- Assist with conducting incident response and disaster recovery / business continuity tabletop exercise scenarios
- Assist with testing material requirements established by cyber policies and procedures
- Log of cyber and data security training and testing
- Records of risk assessments and findings

5. Maintain certain books and records
- Support maintaining required books and records

6. Provide certain cyber disclosures
- Cyber disclosures
- Provide support on cybersecurity disclosures and ADV Form C filing upon request