Do you do any work with vendor assessments? Can you assist with vendor due diligence?
Yes. We can provide assessments, as well as penetration testing and review of penetration testing results. Additionally, we can provide a due diligence process for vendors.
Our representatives are independent advisors and we don’t/can’t mandate how they do business. How have you addressed this with other Broker-Dealers or RIAs?
If you already have a set of standards in place, we can perform an inspection against those standards to identify compliance. In the process, we will create an inventory of the machines and score them to identify associated risks. The rep will then know what they need to address. While you cannot dictate the exact equipment to use, you can provide guidance and recommendations on hardware and software that will best meet the requirements.
Can you audit our recommendations for field equipment?
Yes. We can review your existing standards and work with you to update or improve them. Additionally, we can take a snapshot of the field, determine where they should be, and develop a plan to get them there in a reasonable amount of time.
Is the assessment done remotely or do you have to visit each location?
Our assessments are completed remotely, using an “agent” that is electronically provided to the representative. While the agent provides us with a significant amount of information about the machine, it does NOT provide any access to data on the machine. Additionally, the agent is “dissolvable”; when the machine reboots, the agent is automatically removed.
Will you make specific recommendations directly to the representative, or do the recommendations come through the Broker-Dealer or RIA?
If we have been contracted by the Broker-Dealer or RIA, we will work within your preferred structure. In instances where we have been contracted directly by the representative, we will provide the information directly to them.
What type of training do you offer for cyber security, or are we required to deliver training?
We have various educational tools, ranging from online communications, to adoption strategies, to ongoing webinar series. Our training tools are designed to teach your people to be informed consumers rather than technology experts. We can also work with you to design custom training, such as breakout sessions at your conference.
As a customer, what does my cyber security team look like?
A member of our cyber security team will be assigned to your engagement. Additional resources could include professionals from our marketing and communications or technology team.
What is the typical impact of an assessment on a field office?
It depends on what we find and the remediation required. Getting a machine to full compliance usually requires a couple of hours; encryption will typically take 4-6 hours. Once the team is completely updated, it takes about 10 minutes a month to keep it that way.
What do you typically find in the field when it comes to the status of reps’ machines?
We typically discover that 10-15% of machines are using unsupported systems (e.g., Windows XP) and require machine replacement; 10% don’t have antivirus software; 30% have antivirus software but it has been shut off; and most machines are not encrypted and need to be.
You identified an equipment issue that requires remediation. I don’t have the technical expertise to resolve it. Who can help me?
Docupace’s security experts can assist with remediation at an hourly rate, and you will be provided with an estimate for your approval prior to starting any work. Alternatively, you can contact a local IT professional service to assist you in resolving the issue.