IT Security for Asset and Risk Management companies

mallony
I am trying to make sure that the financial company I work for (Asset Management and Risk Management) has all the current IT security parameters in place to have the top IT security measures. Instead of going around and asking other Asset Management companies, I would like to find a place (website) that would guide me to the best IT security standards for my company. In particular, I would appreciate it if this advice applied to all current Asset Management companies in Switzerland, in the city of Zug.

In a nutshell, I want to know what the other Asset Management companies are doing in the area of IT security for themselves.
Noah, Hardware Tester and Debugger

Commented:
Hi there! :)

Firstly, is there a private network and firewall? A private network and firewall managed within the company reduces the chances of a user actually making a "mistake" which allows the security of information to be compromised. This includes creating policies to filter what websites and IP addresses can and cannot be accessed within and outside the network. This also applies for emails and other types of software which require an active connection, another app can be implemented to block "dangerous" downloads and safely remove them when they happen.

Storing your information in a safe place is also key, that is why a private network is necessary. You should consult businesses that specialize in this field as they will provide all the essential tools to protect your information. Companies such as Dashlane and even anti-virus companies provide business packages that can meet your needs.
I don't work for an asset management company, but usually companies need to comply with industry and government mandates through the implementation of security frameworks. Companies that don't need to abide by certain rules choose to develop and maintain their own hybrid framework based on what works for them and best practices. I'd advise you to find out if there are any specific requirements your company needs to follow in Switzerland when it comes to IT security. If they do business in other countries, you have to adhere to those countries' mandates too. I'm based in the US, and depending on the industry we deal with, we need to implement HIPAA, PCI, NIST, etc.

If you're looking for some guidance for security practices you can check: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final

good luck!
Exec Consultant
Distinguished Expert 2018
Commented:
NIST is a go-to standard reference.

SP 1800-5 - IT Asset Management (ITAM)
(pdf) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-5.pdf

This guide:
▪ maps security characteristics to guidance and best practices from NIST and other standards organizations, including the PCI DSS
▪ provides:
    • a detailed example solution with capabilities that address security controls
    • instructions for implementers and security engineers, including examples of all the necessary components for installation, configuration, and integration
▪ is modular and uses products that are readily available and interoperable with your existing IT infrastructure and investments

Using the guidance in NIST's series of publications concerning the RMF, the NCCoE performed two key activities to identify the most compelling risks encountered by organizations within the financial sector. The first was a face-to-face meeting with members of the financial sector community to define the main security risks to business operations. This meeting identified a primary risk concern: the lack of a converged view and reporting capability for IT assets. We then identified the core risk area, ITAM, and established the core operational risks encountered daily in this area. The following associated tactical risks were identified:
▪ lack of knowledge of the IT asset locations
▪ lack of configuration controls for IT assets
▪ ineffective patch management
▪ lack of software vulnerability management
▪ lack of a common operating picture of the enterprise's IT assets
▪ lack of a converged repository of IT assets

In its development, various Technology Partners/Collaborators who participated in this build submitted their capabilities to NIST in response to a notice in the Federal Register.

Undertaking these activities in accordance with the NIST RMF guidance yielded the necessary operational and strategic risk information, which was subsequently translated to security characteristics. Table 4-1 illustrates the mapping of these characteristics to NIST's SP 800-53 Rev. 4 [3] controls, along with the Cybersecurity Assessment Tool (CAT) and other security controls and best practices.


Implementing these security controls will substantially lower overall cyber-risk by providing mitigations against known cyber threats. Having a comprehensive ITAM system in place, like the one in this document, enables the effective implementation of other mitigations such as application whitelisting/blacklisting and network access controls. A full list of the security technologies used to implement this reference architecture can be found in Table 4-2.


The cybersecurity value of ITAM is derived from some key aspects of the Risk Management Framework [12] and the NIST Framework for Improving Critical Infrastructure Cybersecurity [2], including:
▪ selection and application of baseline security controls
▪ continuous monitoring and reporting of asset status to a data store
▪ implementation of anomaly detection mechanisms. Examples include deviations from normal network traffic or deviations from established configuration baselines
▪ provision of context to detected anomalies and cybersecurity events within the reporting and analytic engine

Implementing the first two elements above addresses the Select, Implement, and Monitor aspects of the Risk Management Framework by providing a method to select a baseline, implement it (both configuration and enforcement), and detect changes in the baseline. ITAM addresses the Identify, Protect, Detect, and Respond aspects of the NIST Framework for Improving Critical Infrastructure Cybersecurity [2] by implementing the last two bullets, which identify anomalies and add context to events, aiding in remediation.

The ITAM processes supported by our reference architecture include data collection, data storage, configuration management, policy enforcement, data analytics, and reporting/visualization.
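The continuous-monitoring and baseline-deviation elements described above, as an added example that is not from the NIST guide or from this thread: a minimal reconciliation check that compares observed hosts against an asset inventory, a selected configuration baseline and a patch policy, and reports each deviation under the tactical risk it corresponds to. All hostnames, settings, locations and patch IDs are constructed sample data, and the record fields are hypothetical rather than SP 1800-5's schema.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    """One inventory record (hypothetical fields, not SP 1800-5's schema)."""
    hostname: str
    location: Optional[str]   # None models "lack of knowledge of the asset location"
    config: dict              # observed configuration settings
    patches: set = field(default_factory=set)

# Constructed sample data, not a real environment.
INVENTORY = {
    "zg-fs-01": Asset("zg-fs-01", "Zug-DC1",
                      {"ssh.password_auth": "no", "smb.v1": "disabled"},
                      {"KB-001", "KB-002"}),
    "zg-ws-07": Asset("zg-ws-07", None,
                      {"ssh.password_auth": "yes", "smb.v1": "disabled"},
                      {"KB-001"}),
}
BASELINE = {"ssh.password_auth": "no", "smb.v1": "disabled"}   # selected baseline
REQUIRED_PATCHES = {"KB-001", "KB-002"}                        # patch policy
OBSERVED_HOSTS = ["zg-fs-01", "zg-ws-07", "zg-unknown-99"]     # e.g. from a scan

def reconcile(inventory, observed_hosts, baseline, required_patches):
    """Compare observed state with inventory, baseline and patch policy; key findings by risk."""
    findings = {"unknown_asset": [], "unknown_location": [],
                "config_drift": [], "missing_patch": []}
    for host in observed_hosts:
        if host not in inventory:            # no entry in the converged repository
            findings["unknown_asset"].append(host)
    for name, asset in inventory.items():
        if asset.location is None:           # asset location not known
            findings["unknown_location"].append(name)
        for key, want in baseline.items():   # deviation from the configuration baseline
            got = asset.config.get(key)
            if got != want:
                findings["config_drift"].append((name, key, got, want))
        missing = required_patches - asset.patches
        if missing:                          # ineffective patch management
            findings["missing_patch"].append((name, sorted(missing)))
    return findings

def run_example():
    return reconcile(INVENTORY, OBSERVED_HOSTS, BASELINE, REQUIRED_PATCHES)

if __name__ == "__main__":
    for risk, items in run_example().items():
        print(f"{risk}: {items}")
```

Each finding carries the host, the setting or patch involved, and the expected value, which is the context the guide says the reporting engine should attach to an anomaly before remediation.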
mallony, IT Specialist

Author

Commented:
Great advice. Many thanks all.
