2020-03-01
By Sherry-Maria Safchuk, James Chou, and Frida Alim

Review applicable data protection regulatory requirements and ensure that internal or third-party technology solutions address and comply with those requirements.

Leverage, to the maximum extent possible in accordance with the institution's third-party risk tolerance, third-party cloud and technology platforms that could assist in providing secure remote work technology solutions.

Review and update information security and data protection policies to consider remote operations, and communicate such updates to remote employees.

Multifactor authentication in a remote environment for users connecting from external networks;

Encryption for data or communications in transit and for mobile devices containing sensitive information at rest;

Least privilege principles, which provide that access to sensitive information should continue to be given only to select individual employees, contractors, or vendors;

Passwords that meet certain requirements; and

Incident response programs to respond to data breaches and other data security incidents.

Access control: Does the provider empower the licensee to control access at the user level, use enhanced security options such as multifactor authentication (with replay resistance), grant and deny permissions at the user level, and, by default, deny access to any user that does not have explicit privileges to access the data?

Secure communications: Does the provider offer reasonable assurances for the confidentiality of communications by using strong encryption?

Network monitoring and data loss prevention: Does the provider enable the licensee to implement automated controls for monitoring network traffic, user access and data loss?

Data integrity: Does the provider offer reasonable assurance that data hosted in its cloud would not be altered, destroyed or mishandled, either at rest or in transit?

Established policies for vulnerability assessments, risk management and incident response: Does the provider have established policies, procedures, and standards to conduct vulnerability and risk assessments, to update its cloud platform upon the discovery of new or emerging vulnerabilities, and to maintain an executable incident response plan?

Availability of platform: Does the provider have sufficient redundancy so that the licensee will have continuous access to its data and systems?

Awareness of financial regulatory requirements: Does the provider have a history of experience with financial institutions and the data security and data privacy requirements unique to financial institutions?

Requiring accreditation by a third party on certain aspects of the provider's platform, including the platform's assurances regarding availability, confidentiality, and integrity;

Imposing requirements through contractual provisions, such as audit rights, mandatory compliance with applicable law, disaster recovery support, and service level objectives; and

Performing due diligence on a provider's overall information security posture.

Inventory and classification: Institutions should account for remote devices, user-owned devices and data residing outside the internal network, and establish procedures to discover and document such devices and data.

Business continuity and disaster recovery: Business continuity and disaster recovery plans should be updated to include limited remote operations as a contingency, including any new service providers that will support the licensee's backup, recovery and remote operations.

Logging and monitoring: To maintain accountability, security and data protection, institutions should consider remote monitoring or other logging activities as necessary.

Authentication: Password, access and other authentication policies should be reviewed to ensure that strong passwords, multifactor authentication, and other enhanced authentication standards are implemented as necessary and where possible.

Remote access, mobile device management, and noncompany-issued devices: Policies for remote access (i.e., access to the licensee's network through an external network) should be established and include guidelines regarding unsecured Wi-Fi use, storage of licensee data offsite or on a noncompany-issued device, and baseline configurations for mobile devices, such as antivirus software.

Incident response: Since incidents, such as data breaches, may now occur remotely, incident response procedures should be updated to address breaches in remote environments.

Vulnerability management and resilience training: Many breaches are caused by phishing or employee negligence, so awareness training should be central in all relevant environments.