By John Carbo, Director of Information Security
The SEC OCIE published a risk alert recently entitled “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features” which contains three main observations:
Our AbacusFLEX and AbacusFLEX-Hybrid platforms are designed to meet or exceed regulatory security requirements by following policies and procedures set forth by NIST, COBIT, ISO, Center for Internet Security and the Cloud Security Alliance.
Here is how Abacus addresses the OCIE Risk Alert’s observations:
The security of Abacus network storage aligns with our defense in depth strategy:
Abacus also has a Benchmark and Device Hardening program. We follow standards set by the Center for Internet Security (CIS). Tenable Security Center is used to scan the Abacus platform and report on configuration settings compared to the CIS Benchmark. This program validates that our platform has the appropriate security controls configured across our infrastructure assets.
Our Vulnerability and Patch Management program is based on ISO 27001 control A.12.6.1. The program focuses on timely identification of vulnerabilities, an assessment of exposure and the risk impact of exploitation. These metrics determine the criticality of a vulnerability and time to patch.
Abacus follows an approval procedure before granting any rights or making any changes. Only a client’s authorized approver can request changes to permissions.
Our Abacus Client Portal provides a daily report on network storage permissions. We encourage clients to review the report to ensure accounts are properly configured with least privilege.
We also conduct three penetration tests per year and encourage clients to perform their own cybersecurity risk assessments of our platform.
Abacus recommends that each of our clients have their own Data Classification Policy. This policy will assist in determining the appropriate least privilege permissions. For reference, the Abacus Data Classification Policy is located in our ISO 27002 WISP available to clients via our Portal.
We can assist by providing our clients with reports on sensitive data locations according to various data classifications (PII, financial records, GDPR, PHI, PCI, SOX, GLBA, etc.). Sensitive data reports, in conjunction with the file permission reports available in the Abacus Client Portal, can be used to validate least privilege for client accounts.
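As an added illustration, not Abacus code or Client Portal output, the script below cross-references a constructed permission report with a constructed sensitive-data location report and flags every grant that reaches a classified path without being covered by an assumed per-classification allowlist; the report layouts, the share paths, the account names and the allowlist are all assumptions.

```python
# Constructed permission report: (share path, account, right). A right
# granted on a folder is treated as inherited by everything beneath it.
PERMISSION_REPORT = [
    (r"\\fs01\finance\q3", "finance-team", "modify"),
    (r"\\fs01\finance\q3", "intern-pool", "read"),
    (r"\\fs01\hr\medical", "hr-team", "modify"),
    (r"\\fs01\hr\medical", "it-helpdesk", "full"),
    (r"\\fs01\hr", "everyone", "read"),  # inherited into hr\medical
    (r"\\fs01\public\templates", "everyone", "read"),
]

# Constructed sensitive-data location report: (path, classification).
SENSITIVE_DATA_REPORT = [
    (r"\\fs01\finance\q3", "financial"),
    (r"\\fs01\hr\medical", "PHI"),
]

# Assumed allowlist, the kind a Data Classification Policy would define:
# classification -> account -> rights that account may hold there.
ALLOWED = {
    "financial": {"finance-team": {"read", "modify"}},
    "PHI": {"hr-team": {"read", "modify"}},
}


def covers(grant_path, sensitive_path):
    """True if a grant on grant_path applies to sensitive_path (same folder
    or an ancestor), so inherited rights are not missed."""
    g, s = grant_path.lower(), sensitive_path.lower()
    return s == g or s.startswith(g + "\\")


def find_excess_rights(permissions, sensitive, allowed):
    """Return (account, right, sensitive_path, classification, grant_path)
    for every grant reaching a classified path that is not allowlisted."""
    findings = []
    for s_path, cls in sensitive:
        for g_path, account, right in permissions:
            if not covers(g_path, s_path):
                continue
            if right not in allowed.get(cls, {}).get(account, set()):
                findings.append((account, right, s_path, cls, g_path))
    return findings


if __name__ == "__main__":
    for f in find_excess_rights(PERMISSION_REPORT, SENSITIVE_DATA_REPORT, ALLOWED):
        print("%s has %s on %s (%s) via grant on %s" % f)
```

Grants on a parent folder are checked against every classified path beneath it, so a broad read right at the share root shows up against each sensitive location it reaches.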