Smallfirm Cybersecurity Checklist


CYBERSECURITY

Checklist for a Small Firm's Cybersecurity Program

Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Updated:
Key Personnel:

Last Updated: (FINRA's last update) Version 1.1 December 2016

Important:

Cybersecurity is broadly defined as the protection of investor and firm information from compromise through the use—in whole or in part—of information technology. Compromise refers to a loss of data confidentiality, integrity or availability. This checklist is provided to assist small member firms with limited resources to establish a cybersecurity program to identify and assess cybersecurity threats, protect assets from cyber intrusions, detect when their systems and assets have been compromised, plan for the response when a compromise occurs and implement a plan to recover lost, stolen or unavailable assets. This checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices. Please consult the NIST framework and FINRA’s Report for a more in-depth discussion on the subjects listed herein.

Legend for Text Entry Fields:
Enter Free Text
Pre-Populated Fields
Choose from Drop Down List
Locked Down Fields
Insert Rows

National Institute of Standards and Technology (NIST) Cybersecurity Framework


SANS Critical Security Controls for Effective Cyber Defense
FINRA’s Report on Cybersecurity Practices

Using this checklist is optional:

This checklist is not exhaustive and firms should address their cybersecurity program in a way that best suits their business model.
There is no one-size-fits-all cybersecurity program. Firms may choose to develop or use their own checklist, borrow sections from this
checklist to include in their own checklist, or use a different resource (e.g., SIFMA’s small firm check list, NIST guidance, or the
Securities and Exchange Commission’s guidance). Firms that use this checklist must adapt it to reflect their particular business,
products, and customer base. Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state
securities laws, or other applicable federal or state regulatory requirements.

Methodology:

Using this checklist, firms will identify and inventory their digital assets, assess the adverse impact to customers and the firm if the assets were compromised, identify potential protections and processes that secure the assets, and then make a risk-based assessment considering their resources, the consequences of a potential breach and the available protections and safeguards. Firms may decide to remediate vulnerabilities they assess as high-impact risks, or they may decide that a threat is a low-impact risk which they can accept. Firms should articulate why they decided to remediate or chose not to remediate. Completing this checklist will require time and effort from senior executives at the firm. At a minimum, firms should know which assets are vulnerable to a cyber-incident, and they should assign a risk level to these assets. Senior executives will then be informed on how best to allocate firm resources to protect the firm’s and customers’ information. See below for questions.

Assistance:

At small firms, one person may be responsible for operations, compliance and legal functions including the cybersecurity program, and
he or she may not understand the technology at issue or terms used in this checklist. In this instance, the firm may consider working
with outside technology help, industry trade associations or other peer groups, their vendors or their FINRA Regulatory Coordinator to
understand the information discussed in this checklist. Many small firms rely on clearing firms and vendors to maintain customer
accounts and transact business but these small firms should not assume that others are responsible for preventing or reacting to a
cyber-incident.

Using Excel:
This checklist is in Excel and uses Excel formulas. The person completing this checklist should have a basic knowledge of Excel. If no
one at the firm has these skills, please send an email to memberrelations@finra.org to schedule a call. There are also many helpful
video tutorials on Excel available on YouTube.
Please note: If you need to insert a new row in Section 1, you will also need to insert rows on the other Sections and copy the pre-existing formulas into the newly inserted cells.

Checklist Methodology

Please review the five questions below; based on your answers, complete the sections (12 tabs total) applicable to your business. The five core sections of the checklist follow the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Questions about your firm's assets and systems:

1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm
sensitive information (e.g. financial records) electronically?
If you answer yes to question 1, you will fill out the following sections of the Cybersecurity Checklist:
Section 1 - Identify and Assess Risks: Inventory
Section 2 - Identify and Assess Risks: Minimize Use
Section 4 - Protect: Information Assets
Section 6 - Protect: Encryption
Section 8 - Protect: Controls and Staff Training
Section 9 - Detect: Penetration Testing
Section 10 - Detect: Intrusion
Section 11 - Response Plan

2) Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive
information by a third party?
If you answer yes to question 2, you will fill out:
Section 3 - Identify and Assess Risks: Third Party Access

3) Do your employees (or independent contractors) maintain devices that access PII or firm sensitive information?
If you answer yes to question 3, you will fill out:
Section 7 - Protect: Employee Devices

4) Do you have assets that if lost or made inoperable would impact your firm's operations (e.g., trading or order management
systems)?
If you answer yes to question 4, you will fill out:
Section 5 - Protect: Systems Assets

5) If your systems, PII or firm sensitive information were made inoperable or stolen, would you need to recover them to conduct
business?
If you answer yes to question 5, you will fill out:
Section 12 - Recovery
Resources:

How to print current section (tab):
From the top left, click File, then click Print, then under Settings, select Print Active Sheets, then click Print.

How to print all sections (Entire Workbook):
From the top left, click File, then click Print, then under Settings, change Print Active Sheets to Print Entire Workbook, then click Print.

How to save my Excel file:
From the top left, click File, then click Save As, select a location to save, type in the selected file name, then click Save.

Helpful Links:
General Application
NIST framework
FINRA’s Report on Cybersecurity Practices
SANS Critical Security Controls for Effective Cyber Defense

Section 1 - Identify and Assess Risks: Inventory
Personally Identifiable Information, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see page
Inventory of PII and Firm Sensitive Information, FINRA’s Report on Cybersecurity Practices (see pages 12-13)

Section 2 - Identify and Assess Risks: Minimize Use
Minimizing Collection of PII, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see pages 4-3)

Section 3 - Identify and Assess Risks: Third Party
Vendor Management, FINRA’s Report on Cybersecurity Practices (see pages 26-30)
AICPA’s Reporting on Controls at a Service Organization
Questions to ask third parties who access your PII and firm sensitive information, Standardized Information Gathering (SIG) questionnaire

Section 4 - Protect: Information Assets
Malware Prevention, NIST’s Guide to Malware Incident Prevention and Handling (see pages 3.1-3.17)
Password Strength Tips, SANS Consensus Policy Resource Community - Password Protection Policy

Section 5 - Protect: System Assets
Identifying Critical Assets to Protect, FINRA’s Report on Cybersecurity Practices for a discussion on conducting the inventory (see page

Section 6 - Protect: Encryption
Understanding Encryption, FINRA’s Report on Cybersecurity Practices (see pages 20-21)

Section 7 - Protect: Employee Devices
Securing Mobile Devices, SANS Institute on Cybersecurity, The Critical Security Controls for Effective Cyber Defense Version 5.0 (see pa

Section 8 - Protect: Controls and Staff Training
Vendor Management, FINRA’s Report on Cybersecurity Practices (see pages 31-33)

Section 9 - Detect: Penetration Testing
Conducting Penetration Testing, NIST’s Technical Guide to Information Security Testing and Assessment
FINRA’s Report on Cybersecurity Practices (see pages 21-22)

Section 10 - Detect: Intrusion
Intrusion Detection System, NIST’s (draft) Guide to Intrusion Detection and Prevention Systems (IDPS)

Section 11 - Response Plan
Issues to Consider when Developing a Response Plan, FINRA’s Report on Cybersecurity Practices (see pages 23-25)

Section 12 - Recovery
Eradication of Cyber Breach and Recovery, NIST’s Computer Security Incident Handling Guide (see pages 35-37)
If you answer YES to the following question, please fill out this tab:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?

Section 1 - Identify and Assess Risks: Inventory (Definitions provided below table)

*Description of PII or Firm Sensitive Data | **Location (e.g. Network Drive, Systems Folder, Email) | ***Risk Severity Level (H/M/L)
Group Level Example: Customer Account Information | Network Drive | High
Granular Example: Customer SS# | G Drive | High

Directions on inserting new rows: Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4, 6, and Summary. Once you have inserted the row(s) in Sections 2, 4, 6, and Summary, you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste. If you have any questions feel free to email us at memberrelations@FINRA.org.

Definitions:
Where is personally identifiable information (PII) or firm sensitive information located on your systems or other electronic storage (include your branch offices and unregistered locations)?

* PII or firm sensitive information – includes name, social security number, date and place of birth, mother’s maiden name, or finan
customer accounts and holding information. Firm sensitive information can include data such as contact address information, email ad
plans, employee information, financial records, and tax filings, etc. Firms can list data at a group level such as customer account inform
granular level such as social security number, customer name, date of birth etc.
** Location – where the electronic digital information is stored, such as on a network drive, system folder, laptop or email. If the sam
more than one location, complete a separate entry for each location.
*** Risk severity level – Assign a risk severity classification to the data (e.g., low, medium or high). There is no one-size-fits-all way to assign risk severity, but a firm may consider the severity of the impact to customers and the firm if the PII or firm sensitive data were compromised.
If you answer YES to the following question, please fill out this tab:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?

Section 2 - Identify and Assess Risks: Minimize Use

Have you taken steps to minimize the use and proliferation of PII or firm sensitive data?

PII or Firm Sensitive Data | Location (e.g. Network Drive, Systems Folder, Email) | Risk Severity Level (H/M/L) | *Business objective can be met without data (Y/N)? | **Business objective can be accomplished without data being output or shared with other internal systems or people (Y/N)? | ***Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Group Level Example: Customer Account Information | Network Drive | High | | | | |
Granular Example: Customer SS# | G Drive | High | | | | |

The remaining rows of the template are blank; their first three columns are filled by formula from the Section 1 inventory and display 0 until Section 1 is completed.

Directions on inserting new rows: Select a row in orange and right-click on the row number; choose "Insert." Reminder: you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing orange row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste.

* Business objective can be met without data – One way to mitigate risk is to remove the PII or firm sensitive data from your systems and networks. You should consider whether you can do your business without storing the PII or firm sensitive information in the system or network location. When removing data from your systems and networks, you should keep in mind any books and records obligations you might have with respect to this data.
** Sharing data – You should consider how the PII or firm sensitive data is shared, identify people or systems that do not require access to the data, and consider limiting access to this data to those who need it.
*** Remediate – If you determine that there is no business purpose to store or share the PII or firm sensitive information, you should remediate by either removing the data from the location or not sharing it. When removing data from your systems and networks, you should keep in mind any books and records obligations you might have with respect to this data. If you are required to sto
severity of the data being compromised and consider whether a business practice could be changed to mitigate the risk (e.g., if a business process involves using a customer’s
another customer specific identifier rather than the social security number).
If you answer YES to the following question, please fill out this tab:
2) Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive information by a third party?

Section 3 - Identify and Assess Risks: Third Party

Third-party Risk Management: Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive information by a third party (e.g., your vendors, clearing firm, customers, etc.)?

*Name of Third-Party Organization | **PII or Firm Sensitive Data transmitted to Third-Party Organization (Y/N)? | ***Risk Severity Level | ****Is it necessary for the Third-Party Organization to access the data transmitted (Y/N)? | ^ Have you assessed the Third-Party Organization to ensure that they have effective security practices (Y/N)? | ^^ Are there controls in place to isolate Third-Party Connections from your critical assets (Y/N)? | ^^^ Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status

* Name of third party – Corporation or individual’s name.
** PII or firm sensitive information transmitted – Answer "yes" if the third party receives or has access to firm PII or firm sensitive information.
*** Risk severity level – For each third party organization, the firm should assign a risk level. Assign a risk severity classification to the data transmitted (e.g., low, medium or high). There is no one-size-fits-all way to assign risk severity, but a firm may consider the severity of the impact to customers and the firm if the data being transmitted to the third party organization were compromised.
**** Is it necessary for the third-party organization to access the data transmitted – assess whether the third party requires the information it can access for a business purpose.
^ Third-party security – If the third party has access to PII or firm sensitive information, you should take steps to consider the security of the third-party’s systems. In the absence of an ability to make an assessment, you should attempt to obtain a reliable assessment of the third-party’s security protections such as its most recent SSAE 16 report. The SSAE 16 report is an internal control report on the services provided by a service organization, providing valuable information that can be used to assess and address the risks associated with outsourced services.
^^ Isolate – You should consider if the third party’s access to information is limited to information it requires for business reasons; the third party should be prohibited from accessing other information.
^^^ Remediate – You should consider the risk severity level and your resources and make a risk assessment of whether any remediation is necessary, which could include denying access to the third party, conducting a security review of the third party, or isolating the third party’s access to information it needs for a business purpose.

Manage Vendors and Customer Access Checklist

Activity | Yes/No | Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Pre-contract due diligence on vendors | | | |
Ongoing due diligence of existing vendors | | | |
Assure vendor only has access to parts of system it needs | | | |
Ex-vendors/customers' access terminated immediately | | | |
Customer's access is limited to customer's data | | | |
Does Contract Address (Y/N):
Non-disclosure agreements and confidentiality agreements | | | |
Data storage, retention, delivery, and encryption | | | |
Breach notifications | | | |
Right-to-audit clauses | | | |
Vendor employee access limitations | | | |
Use of subcontractors | | | |
Vendor obligation upon contract termination | | | |
Security processes initiated by the vendor (e.g., acquire copy of SSAE 16 Report - Reporting on Controls at a Service Organization) | | | |
If you answer YES to the following question, please fill out this tab:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?

Section 4 - Protect: Information Assets

PII or Firm Sensitive Data | Location (e.g., Network Drive, Systems Folder, Email) | Risk Severity Level (H/M/L) | *Password Protection Installed and Password Reset From Default (Y/N)? | **Malware/Anti-Virus Protection Installed (Y/N)? | ^ List other protections (e.g., firewalls used to protect assets) | ^^ Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Group Level Example: Customer Account Information | Network Drive | High | | | | | |
Granular Example: Customer SS# | G Drive | High | | | | | |

The remaining rows of the template are blank; their first three columns are filled by formula from the Section 1 inventory and display 0 until Section 1 is completed.

Directions on inserting new rows: Select a row in orange and right-click on the row number; choose "Insert." Reminder: you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing orange row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste.

* Password protection – Are the systems where you store, use, or transmit PII or firm sensitive data password protected? If so, have you reset from the default password?
** Malware/anti-virus protection – Do you install and regularly update malware or anti-virus software?
^ Other protections – Do you use other protections like firewalls to protect information?
^^ Remediate – You should conduct a risk assessment of the strength of the protections considered with the assigned risk severity level, together with your resources, and consider whether protections should be enhanced (e.g., stronger password requirements, installing malware or anti-virus protections or other system protections).

Do you have a process in place defining and implementing a password policy, educating users and regularly updating malware and anti-virus software?

Activity | Yes/No | Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Password Strength Policy | | | |
Frequency of Password Change Policy | | | |
Multi-Factor Authentication | | | |
Training Employees on Password Hygiene | | | |
Anti-Virus Regularly Updated Policy | | | |
Malware Regularly Updated Policy | | | |
If you answer YES to the following question, please fill out this tab:
4) Do you have assets that if lost or made inoperable would impact your firm's operations (e.g., trading or order managements systems)?

Section 5 - Protect: System Assets

List system assets that are important to your operations (e.g., trading or order management systems or systems maintaining customer account information):

* System | ** Risk to Firm if System is Inoperable (H/M/L) | *** Password Protection Installed and Password Reset From Default (Y/N)? | ^ Malware/Anti-Virus Protection Installed (Y/N)? | ^^ Regularly Scheduled Backups (Y/N)? | ^^^ Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status

* Systems – List systems where assets reside.
** Risk to firm if system is inoperable – Assess risk of how important a loss of the asset would be to your firm’s operations.
*** Password protection – Is access to the asset password protected? If so, have you reset from the default password?
^ Malware/anti-virus protection – Do you install and regularly update malware or anti-virus software? Or have firewalls?
^^ Regularly scheduled backups – Do you have regularly scheduled backups to restore critical data or systems should they be lost in a cyber-incident?
^^^ Remediate – You should conduct a risk assessment of the strength of the protections considered with the assigned risk of the system being inaccessible, together with its resources, and consider whether protections should be enhanced (e.g., include stronger password requirements, installing malware, anti-virus protections or firewalls, or regularly schedule backups). See Recovery section in this checklist for other considerations.
If you answer YES to the following question, please fill out this tab:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?

Section 6 - Protect: Encryption

PII or Firm Sensitive Data | Location | Risk Severity Level (H/M/L) | * Is Data encrypted in transit to external sources (Y/N)? | ** Is data encrypted when shared internally and at rest within the system (Y/N)? | *** Is data encrypted when archived to backup media (Y/N)? | ^ Has data been masked when displayed (Y/N)? | ^^ Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Group Level Example: Customer Account Information | Network Drive | High | | | | | | |
Granular Example: Customer SS# | G Drive | High | | | | | | |

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Have you taken steps to encrypt the data?
* Encrypted in transit to external sources – Data can be shared in many ways, including an email to someone external to the firm, over the internet, between a client and a server, between two servers, between two networks, etc. If the firm prohibits PII from being transmitted to external sources, the firm should note this in the remediation steps.
** Internal use – Data is stored in many places within an organization, including on file servers, on workstations and on portable media such as thumb drives. Data is also shared internally, for example via email between two employees.
*** Encrypted at backup – Data is often stored on non-network or non-system media which can be lost or stolen.
^ Has it been masked when displayed – Data such as social security numbers can be masked whenever displayed to a person accessing that data.
^^ Remediate – After identifying where data is encrypted and where it is not, you should consider the risk severity level and your resources, and decide what remediation steps to take, if any, including encrypting all outgoing emails or all emails, encrypting all PII and firm sensitive information at rest or in storage, or masking the data when it is displayed.
If you answer YES to the following question, please fill out this tab:
3) Do your employees (or independent contractors) maintain devices that access PII or firm sensitive information?

Section 7 - Protect: Employee Devices

Are permissions restricted and devices protected?

Name of Employee/Independent Contractor | Device Type | Device Owner (Firm or Individual) | * Device has access to PII and Firm Sensitive Data (Y/N)? | ** Risk Severity Level (H/M/L) | ^ Device Protected/Encrypted (Y/N)? | Ability to wipe device remotely if lost (Y/N)? | Only authorized persons can download software (Y/N)? | List Protections | ^^ Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status

* Access to PII and firm sensitive data – Does the device have access to PII and firm sensitive data?
** Risk Severity Level – Assign a risk severity level to the PII or firm sensitive information the internal person can access, considering the impact to customers and the firm if the information were compromised.
^ Protected/encrypted – Are devices secured with passwords? Is data encrypted if lost?
^^ Remediate – You should take into account the access to PII and firm sensitive information and the risk severity of compromise, and conduct a risk assessment of whether to deny access to all or part of the PII or firm sensitive information, protect the information better by encrypting the data, and have the ability to remove all data from a device if it is lost or stolen.
If you answer YES to the following question, please fill out this tab:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?

Section 8 - Protect: Controls and Staff Training

Are the following controls implemented? If no, conduct a risk assessment on whether to remediate.

Controls | Implemented (Y/N)? | Risk Severity Level (H/M/L) | Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Ex-employees/contractors and ex-vendors/customers access terminated immediately? | | | | |
Monitor employees' and vendors' systems access? | | | | |
*Limit administrative privileges | | | | |

Staff Training
Do you define cybersecurity training needs? | | | | |
Do you conduct training in regular intervals (e.g., quarterly or annually)? | | | | |
Do you develop interactive training? | | | | |
Does training take into account firm specific risks, systems and loss incidents history? | | | | |
Section 9 - Detect: Penetration Testing

Penetration testing in place for: | Tested? | Date tested | Problems/Vulnerabilities Identified | Risk Severity Level (H/M/L) | Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
External (internet) | | | | | | |
Internal (intranet, employee or ex-employee) | | | | | | |
Application Specific | | | | | | |

Consider conducting a third-party penetration test of your infrastructure or using existing staff to conduct a penetration test. Determine the scope of the systems you want tested, taking into account risks and your resources. For example, will penetration testing be limited to identifying vulnerabilities, or will the penetration test attempt to obtain sensitive information from the firm? Will the test include outside threats, mainly the internet, or will it also include internal (employee/vendor) tests? Should the test be done as a surprise without letting employees or users of your system know, or should you inform them? After conducting the test, firms should identify vulnerabilities and conduct a risk assessment of whether to remediate.
If you answer YES to the following question, please fill out this tab:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?

Section 10 - Detect: Intrusion

System | Has the firm implemented an IDS (Y/N)? | Does the IDS have intrusion protection capabilities (Y/N)? | Risk Severity Level (H/M/L) | Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Intrusion Detection System (IDS) | | | | | |

You should consider having an Intrusion Detection System (IDS), which detects when there is an attempt to compromise the confidentiality, integrity or availability of your systems. Intrusion detection products are tools that can assist in protecting a company from intrusion by expanding the options available to manage the risk from threats and vulnerabilities. Intrusion detection capabilities can help a company secure its information. The tool could be used to detect an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop exploitation by future intruders. If the answer is No, you should conduct a risk assessment on whether to invest in an IDS, and whether the IDS should have intrusion protection system capabilities.
For some background on IDS refer to https://www.sans.org/security-resources/idfaq/what_is_id.php.
A very simple but effective method for the firm to detect vulnerabilities is to instruct staff to report suspicion of intrusion to the person who manages the firm's technology assets. This could be in the form of a hotline or email. For example, if a staff person receives a phishing email and recognizes it as such, they should contact someone at the firm who can take action to prevent an intrusion before a colleague clicks on the link.

Are the following controls implemented? If No, assess the risk of not having the controls and decide whether to remediate.

IDS Controls | Yes/No | Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Do you receive threat information from any outside sources (e.g., Financial Services Information Sharing and Analysis Center (FS-ISAC))? | | | |
Do you have processes in place to triage and act on threat information received? | | | |
Do you utilize tools to regularly scan/monitor your systems for vulnerabilities, secure configuration, and current patch levels? | | | |
Do you monitor the results of these scans and address discrepancies in a timely manner? | | | |
Have you defined metrics for tracking the condition of your cybersecurity controls and reporting that condition to your senior executives in a manner they find actionable? | | | |
If you answer YES to the following question, please fill out this tab:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?

Section 11 - Response Plan

Incident | Response Plan in Place (Y/N)? | Risk Severity Level (H/M/L) | Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Example: Ransomware Attack | No | High | Yes | Create communications plan and review with executives. Conduct test on how we would respond if we suffered a ransomware attack. | In Process

Prepare incident responses to which you are most likely to be subject. The response should include a communication plan to notify your senior executives who need to know about the incident. Firm senior executives should decide how to contain and mitigate the breach. You should run through different types of incidents you may suffer and plan how you would respond. Firms should prepare incident responses for those types of incidents to which the firm is most likely to be subject, e.g., loss of customer PII, data corruption, denial of service (DoS) or distributed denial of service (DDoS) attack, network intrusion, customer account intrusion or malware infection. Types of responses to consider include: full or partial shutdown of systems, disconnect system from the network, delete and reinstall malware, or disabling a user from system access. You can add to or delete from the list as appropriate to your business.
Firms should also refer to the FINRA Firm Checklist for Compromised Accounts.
For a compilation of state law requirements concerning breach notifications click this link.
FBI Contact List
Secret Service Contact List

Identifying relevant stakeholders who you should consider notifying of a breach

Incident Type | Customers | Regulators | Law Enforcement | Industry | Third-Party Information Sharing Organizations
Example: Ransomware Attack | | | | |

Metrics

Activity/Governance | Yes/No
Do you maintain a list of cybersecurity incidents (i.e., phishing, stolen device, etc.)? |
Have you created a dashboard to track critical patch coverage, anti-virus coverage, and the number of employees who have taken training and other proactive defensive measures? |
Do you review customer complaints and potential cyber-related activity? |
Do you share metrics with your CEO and COO? |
Do you prioritize allocation of cybersecurity resources? |
Do you communicate with senior executives on cybersecurity and outstanding risks? |
If you answer YES to the following question, please fill out this tab:
5) If your systems, PII or firm sensitive information were made inoperable or stolen, would you need to recover them to conduct business?

Section 12 - Recovery

In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.
If the answer to one of the below questions is No, firms should conduct a risk assessment and decide whether to invest in the process to remediate.

Controls | Yes/No | Risk Severity Level (H/M/L) | Remediation Needed? (Yes/No) | Remediation Steps | Remediation Status
Do you have regularly scheduled backups to restore critical data or systems should they be lost in a cyber-incident? | | | | |
Is it possible for you to rebuild systems from scratch should it be necessary? | | | | |
Do you have a plan to replace compromised files with clean versions? | | | | |
Do you have a plan to install patches, change passwords and tighten network should a cyber-incident take place? | | | | |
Have you considered that once a resource is successfully attacked, it is often attacked again, or other resources within the organization are attacked in a similar manner, and that heightened system logging and network monitoring should be implemented? | | | | |
Cybersecurity Summary Report

Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Updated:
Last Updated: (FINRA's last update) Version 1.1 December 2016

Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate budget and resources to remediate, and where you can choose to accept the risk. This report may also be useful for executive and board level updates. The report includes 10 responses per section. If you would like to add more rows please contact us at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the boxes for the data you want to display, then click okay.

# | Cybersecurity Function | Firm Asset | Risk | Need to Remediate? | Remediation Status
1 | Section 2 - Identify and Assess Risks: Minimize Use | Group Level Example: Customer Account Information | High | |
1 | Section 2 - Identify and Assess Risks: Minimize Use | Granular Example: Customer SS# | High | |
2 | Section 3 - Identify and Assess Risks: Third Party | | | |
3 | Section 4 - Protect: Information Assets | Group Level Example: Customer Account Information | High | |
3 | Section 4 - Protect: Information Assets | Granular Example: Customer SS# | High | |
4 | Section 5 - Protect: System Assets | Example: PeopleSoft | Medium | Yes | In Process
5 | Section 6 - Protect: Encryption | Group Level Example: Customer Account Information | High | |
5 | Section 6 - Protect: Encryption | Granular Example: Customer SS# | High | |
6 | Section 7 - Protect: Employee Devices | | | |
7 | Section 8 - Protect: Controls and Staff Training | *Limit administrative privileges | | |
7 | Section 8 - Protect: Controls and Staff Training | Monitor employees' and vendors' systems access? | | |
7 | Section 8 - Protect: Controls and Staff Training | Do you define cybersecurity training needs? | | |
7 | Section 8 - Protect: Controls and Staff Training | Do you conduct training in regular intervals (e.g., quarterly or annually)? | | |
7 | Section 8 - Protect: Controls and Staff Training | Do you develop interactive training? | | |
7 | Section 8 - Protect: Controls and Staff Training | Does training take into account firm specific risks, systems and loss incidents history? | | |
7 | Section 8 - Protect: Controls and Staff Training | Ex-employees/contractors and ex-vendors/customers access terminated immediately? | | |
8 | Section 9 - Detect: Penetration Testing | External (internet) | | |
8 | Section 9 - Detect: Penetration Testing | Internal (intranet, employee or ex-employee) | | |
8 | Section 9 - Detect: Penetration Testing | Application Specific | | |
9 | Section 10 - Detect: Intrusion | Intrusion Detection System (IDS) | | |
10 | Section 11 - Response Plan | Example: Ransomware Attack | High | Yes | In Process
11 | Section 12 - Recovery | Do you have regularly scheduled backups to restore critical data or systems should they be lost in a cyber-incident? | | |