Page 44 - OctDefComp
Cybersecurity best practices
The following guidance from the DOL, Cybersecurity Program Best Practices, is intended to help plan sponsors ensure their retirement plan provider has cybersecurity programs, IT systems and plan data protocols sufficient to mitigate cybersecurity risks. Each item from the DOL document is accompanied by a response detailing Empower’s protocols.
1. A formal, well documented cybersecurity program

Empower’s Information Security Policies include high-level program management requirements for planning and communication regarding information security, both internally and externally. Empower’s information security policies are aligned and documented with NIST 800-53, which is a gold standard framework and a U.S. cyber defense standard. NIST 800-53 is composed of over 1,000 controls, with 18 control families, and is considered to have the most robust coverage over other standards. Our information security policies (ISPs) are reviewed annually by a committee representing various lines of business and systems areas and are reviewed and accepted by the Information Security Board. Our ISPs provide administrative, physical, and technical safeguards to limit access to protected information, establish proper handling practices and secure the facilities and systems where the information is stored.

2. Prudent annual risk assessments

Empower exceeds the DOL’s guidance for annual risk assessments. Since 2012, Empower has been hiring Verizon (the same company that creates the annual authoritative Data Breach Investigations Report (DBIR)) to perform comprehensive risk assessments on a quarterly basis. In recognition of our industry-leading, comprehensive information security program, we’ve earned the distinction of being a Verizon Cyber Risk Program Certified Enterprise for 10 consecutive years. The Verizon Cyber Risk Program is a cybersecurity risk reduction and certification program that addresses all aspects of proactive cybersecurity measures and controls, from network and system analysis to physical security, including enterprise policy inspections, evaluating the effectiveness of our organization’s administrative, technical, physical and environmental control implementation via an evidence-based risk management program. The program includes an independent professional review of our network and security controls and is measured against 31 policy categories that affect all critical control groups across an organization (policy, human, physical, device and network).

By exceeding the Verizon Cyber Risk Program’s certification requirements, Empower Retirement has achieved an assessor’s letter of certification, an independent third-party enterprise cybersecurity certification issued by Verizon. Achieving certification confirms an organization’s strong defenses and demonstrates an organization’s commitment to the security of its IT assets, reputation and sensitive information. This achievement demonstrates that we employ proven security processes and technologies to maintain a proactive and comprehensive information security program. Proof of certification can be provided by contacting the Empower Sales or Relationship Management teams.

Annual penetration tests of our network and externally facing web applications are performed by rotating vendors who are PCI (Payment Card Industry) qualified security assessors (QSAs). While Empower is not subject to PCI compliance, and it is not essential to have a QSA perform our penetration tests, Empower respects the in-depth annual certification program of the PCI council for QSAs, who offer compliance standards and top industry guidance on testing threats and fighting data compromise.
FOR FINANCIAL PROFESSIONAL AND PLAN SPONSOR USE ONLY.

