IT administrators need to assist their organizations in complying with a variety of regulatory schema, including that by the U.S. Securities and Exchange Commission. The SEC’s Office of Compliance Inspections and Examinations (OCIE) has laid out a combination of policies, procedures, and access control measures that applicable organizations should have in place. We’ll explore those first before delving into how JumpCloud® Directory-as-a-Service® can help address certain components of SEC compliance.
SEC Cybersecurity Guidelines
In a recent report, the SEC compliance office summarized its findings from thousands of examinations of organizations. Although security isn’t one-size-fits-all and each organization must tailor its data security policies and procedures to its unique environment, the office laid out the following categories and findings “to enhance cybersecurity preparedness and operational resiliency”:
- Governance & Risk Management: The SEC looks for senior leadership involvement in organizational security, written policies about how the organization will assess and respond to threats, and proper adherence to those policies.
- Access Rights & Controls: Access management and monitoring are also critical components. Users should have access to only the systems and data they require to do their jobs, and organizations should be able to immediately revoke access of users who leave. Organizations should also require strong passwords and multi-factor authentication (MFA), and monitor user access.
- Data Loss Prevention: Organizations must protect sensitive data and client information. This could include vulnerability management and threat detection programs, as well as event logging, patch management, hardware and software inventories, and encryption measures.
- Mobile Security: Organizations should also have clear BYOD policies, as well as an MDM to secure those devices, and training to share employee best practices.
- Incident Response & Resiliency: Organizations should develop and test a plan to respond to incidents, as well as identify strategies to maintain business continuity and back up data.
- Vendor Management: Organizations should carefully manage vendors and ensure they meet organizational security standards.
- Training & Awareness: Training users about relevant security policies and running test exercises can help them contribute to organizational security.
Although some of the above categories require business preparedness plans, some can also be addressed with the right technological tools in place.
JumpCloud & Compliance
JumpCloud offers a full-suite cloud directory service that can help you prepare for compliance — particularly in the realm of access control and system management. JumpCloud securely connects users to their systems, applications, files, and networks via agent-based control of machines and protocols such as LDAP, RADIUS, and SAML.
Access Control & User Management
Admins can establish one authoritative identity for each user in the cloud directory platform and federate it where it’s needed. This includes macOS®, Windows®, and Linux® systems, web applications, cloud and on-premises servers, and RADIUS networks. Admins also have the ability to manage access rights by groups, and they can revoke a user’s access to all connected IT resources immediately from the web console.
Admins can set password complexity requirements for their organizations and require MFA at virtually all access points, including systems, online user portals, and RADIUS networks. They can also segment network access with VLAN tagging.
Cross-Platform System Management
Admins can manage systems including laptops, desktops, and servers with GPO-like Policies for macOS, Windows, and Linux systems. With Policies, admins can configure and secure machines by enforcing full disk encryption, disabling removable storage access and other administrative functions, setting lock screens, and more.
System & Directory Insights Monitoring
With JumpCloud’s premium System Insights feature, admins can return key data about systems — including OS and patches, memory, storage, CPU, and more — to monitor and manage machine health across their fleets. With Directory Insights, admins can return logs of authentications and other events across their infrastructure. Both features can help them identify potential security vulnerabilities and respond to them promptly, as well as compile audit logs.
Our team has also compiled resources to assist organizations in implementing user training programs. Beyond fulfilling a compliance requirement, such programs are a key way to educate users and engage them in organizational security.
At JumpCloud, security is our highest priority. We think about what that means for our internal processes and seek to help other organizations meet their security and compliance goals. Click here to learn more about secure access control and device management from the cloud.