Page 49 - OctDefComp
7. Cybersecurity awareness training conducted at least annually for all personnel and updated to reflect risks identified by the most recent risk assessment
Empower associates are systematically assigned mandatory security awareness, privacy and fraud awareness training throughout the year and are additionally educated on current security events and vulnerabilities through periodic management communications. Training is assessed through a knowledge assessment system to achieve certification, and sessions are tracked to completion. In addition, unannounced email phishing campaigns are performed throughout the year. Follow-up training is used to ensure our associates are able to properly identify incoming threats to our environment.
8. Secure system development life cycle (SDLC) program
Empower has implemented a systems development life cycle (SDLC) methodology that covers analysis, design, build and test, quality assurance, and installation, and that governs the development, implementation and maintenance of application systems.
Best practices response

DOL cybersecurity best practice: Procedures, guidelines and standards that ensure all in-house applications are developed securely. This would include such protections as:
• Configuring system alerts to trigger when an individual's account information has been changed
• Requiring additional validation if personal information has been changed prior to a request for a distribution from the plan account, and for distributions (other than a rollover) from the participant's account
Empower protocols: If we receive account information changes, we proactively notify the individual plan participant at all points of contact that we have on file. Empower has a comprehensive fraud prevention program that includes additional verification for certain activities associated with a higher risk of fraud.

DOL cybersecurity best practice: Procedures for evaluating or testing the security of externally developed applications, including periodic reviews and updates
Empower protocols: Security and Change Management assessments are performed on third-party software prior to implementation within the Empower network. Testing is based on OWASP (Open Web Application Security Project) standards.

DOL cybersecurity best practice: A vulnerability management plan, including regular vulnerability scans
Empower protocols: Empower's vulnerability management program systematically identifies, evaluates, prioritizes and mitigates vulnerabilities that may pose a risk to infrastructure and applications. The program combines automation, threat intelligence and data science to predict which vulnerabilities represent the greatest risk to a given environment.

DOL cybersecurity best practice: Annual penetration tests, particularly with respect to customer-facing applications
Empower protocols: Empower performs annual security assessments and penetration tests of our network and externally facing web applications. Testing steps follow best practices and cover authentication and authorization, user and session management, error handling and exception management, and data validation (including SQL injection, cross-site scripting, command injection and client-side validation). Tests cover the current OWASP (Open Web Application Security Project) Top 10 and use the OWASP ASVS (Application Security Verification Standard) as the standard for application development.
FOR FINANCIAL PROFESSIONAL AND PLAN SPONSOR USE ONLY.

