Tag Archive: Compliance


Around this same time last year, many of us said our final goodbyes to Windows XP and Exchange 2003. This year, Microsoft’s latest End-Of-Life (EOL) event – along with good sense – will force most of the firms that are still using Windows Server 2003 to replace it with a newer version of the Windows Server operating system (OS). July 14th, 2015 marks the end of extended support for the 2003 product line – after that date, there won’t be any more security updates.

For those unfamiliar with the issue this raises, compliance regulation and standards related to private information and security dictate that firms must keep up-to-date with regular patches to the software and hardware that powers their businesses.  Your firm’s Written Information Security Program (WISP) should detail a policy of adherence to these standards, among many others, and in there somewhere you have almost certainly indicated that you are keeping your systems updated with respect to security.

Like Windows XP, Windows Server 2003 has been around long enough and really should be replaced, so there is not much point in delaying the switch.  Most firms have likely changed over to Windows Server 2008 or 2012, but those that haven’t made the change yet should be planning on upgrading their server(s) in Q2 of 2015.


Alternatives to Windows 2003?

Assuming your firm is committed to Microsoft Server products, you have two choices:

1. Windows Server 2008 r2 (2008)

2008 is a mature operating system, which is still in use at a large number of firms today. However, mainstream support for 2008 ended earlier this year (1/13/2015), and though extended support is available until 1/14/2020, it probably doesn’t make sense to move from 2003 to 2008 in 2015. Firms that have existing 2008 software licenses may not want to incur the additional expense of 2012 licenses, and those with significant compatibility concerns may opt to install Windows 2008 on new server hardware.

2. Windows Server 2012 r2 (2012)

2012 is the latest and greatest from Microsoft. It has a shiny new interface and a bevy of neat features like deduplication. My experience with 2012 has been overwhelmingly positive. Though worries about 2012 compatibility with legacy applications may delay widespread acceptance of this operating system, many firms will ultimately choose to make the switch to 2012.

What happens if we stay on Windows 2003?

Your server will still work, but you will not get any more security updates from Microsoft, and your firm will technically be out of compliance.

What else could happen?

Software companies and other parties your firm interfaces with will assume that you are making these updates.  Your firm’s failure to upgrade to a later version of Windows Server could cause problems that you and your staff may not be able to anticipate.

As an example of this, one of my clients that was slow to upgrade all of their Windows XP systems last year found that the latest version of Orion’s desktop software, which was automatically updated sometime in Q1 of 2014, was incompatible with Windows XP.  Unfortunately for the client, there wasn’t a way to reverse the update or use an older version.

At the time, I was surprised, especially because the customer wasn’t given any notice of the “feature enhancement.”  It didn’t make sense that a software company would launch an update incompatible with existing customer desktops that were still supported by Microsoft.  Thankfully, Orion addressed the issue quickly by providing the users affected with remote desktop (RDP) connections to Orion servers for an interim period.

About the Author: Kevin Shea is the Founder and Principal Consultant of Quartare; Quartare provides a wide variety of technology solutions to investment management and financial services firms nationwide.

For details, please visit Quartare.com, contact Kevin Shea via phone at 617-720-3400 x202 or e-mail at kshea@quartare.com.

All things change – even things at the SEC. Previously, investment managers could upload text (aka ASCII) files detailing their holdings to Edgar. This quarter, a change was made, requiring the file to be formatted in XML. Investors have 45 days from the end of the quarter to file their 13F reports, so Q2 reports are due today.

Some users that attempted to get these reports done earlier in Q3 expressed frustration with the XML issue and their ability to get more proactive assistance from Advent to address it.  Last week, as the filing deadline approached, Advent reached out to clients, alerting them of the change and directing them to an ASCII to XML conversion tool to facilitate the process.  In my own experience with Advent’s support team, I found them both helpful and knowledgeable in regard to the 13F reporting issues.

Though Advent’s documentation states that the 13F report and conversion tool require Axys 3.8.5 or higher, the report from Axys 3.8.5 worked fine when we used it on Axys 3.7 with a client. APX users can use the same utility. The utility was simple to use and worked well; the biggest challenge for users is finding the file they need to convert.

The 13F reporting mechanism is functional, but the setup seems cryptic and disjointed.  First-time users expecting a turn-key, intuitive solution will be disappointed.  Fortunately, the details of what is required to produce 13F reports are well-documented in Advent’s help file.

How 13F Reporting Works…

By default, the 13F report only includes the equity asset class.   It is possible to exclude individual securities through the use of the 13F.est file, but it is not possible to include individual securities.  Additional asset classes may be added.  Report-specific labels must be added to the 13F portfolio file to make the report work properly.

When the supporting files are properly configured, the report produces detailed holdings and simultaneously generates an inftable.txt file with the same information. This file is placed in the specific user folder (e.g. f:\axys3\users\amy) of the person running the report on the network version of Axys, or in the root folder of Axys on the single-user version. When users have generated a 13F report without missing data or error messages, they are ready to run the conversion utility to produce the inftable.xml file and upload the information to the Edgar site.

This quarter, running and filing 13F reports was more challenging than it has been in the past, since users were forced to correctly implement the 13F report in order to successfully generate an XML file.  Based on my experience with users, this was something they had not been doing in the past.  Most users would run the report to get something close to what they needed and then manually modify the text file, rather than keep all of the information updated in the 13F portfolio and 13F.est files.  Going forward, the process will still require that new securities and relevant asset classes be classified specifically for the 13F report, but future report runs should be simpler.

For more info on 13F reporting, refer to the SEC’s document detailing Frequently Asked Questions (FAQ).

About the Author: Kevin Shea is President of InfoSystems Integrated, Inc. (ISI); ISI provides a wide variety of outsourced IT solutions to investment advisors nationwide.

For details, please visit isitc.com, contact Kevin Shea via phone at 617-720-3400 x202 or e-mail at kshea@isitc.com.

Compliance demands vis‐à‐vis the SEC, Gramm‐Leach Bliley, and most recently emerging local regulations like Massachusetts 201 CMR 17.00, require a significant investment of resources in terms of both time and capital to meet the ever‐growing regulations associated with doing business in the information age. In this article, we summarize the requirements of 201 CMR 17.00, which went into effect March 1, 2010.

Many businesses across the nation are looking closely at the law that Massachusetts implemented with the concern that similar legislation will soon be coming their way. In a nutshell, Massachusetts’ new law dictates that businesses nationwide take appropriate steps to protect the privacy of Massachusetts residents’ Personal Information (PI) according to their ability to do so. As such, the right solution for a small business may not be acceptable for a large business ‐ if a more robust solution exists at a higher, yet affordable, cost for the larger business.

The new law charges businesses with the responsibility of protecting this consumer data from being lost or stolen, and may seem redundant to those familiar with the best practices from preexisting government regulations and industry standards. Companies need to know what they are up against. The threats are real. It is amazing that we have not heard more in the news about the security of private records being compromised.

The level of vigilance required to establish and maintain a secure environment at the workplace would surprise many. In truth, the only absolutely secure PC is one that is locked away out of physical reach and not connected to the Internet. The best security is established through a combination of proactive measures, and is still dependent on appropriate reactive responses to would‐be hackers.

In an effort to make our checklist easier to digest, we have broken it into the four fundamental areas addressed by the law: updates, attentiveness, policy and documentation, and encryption. In the remainder of this article we take a closer look at the specific requirements of these areas.

Updates
1. Apply operating system patches and software updates on a timely basis.
2. Reasonably current versions of Antivirus and Antispyware must be installed and updated regularly.
3. The software portion of your firewall should be kept reasonably up to date.

Attentiveness
4. Monitor your firewall and take appropriate actions when merited.
5. Perform an annual security audit.
6. Take reasonable steps to verify that third parties with access to Personal Information (PI) protect it.

Policy & Documentation
7. Create a Written Information Security Program (WISP); appoint a person at your firm to manage the program, and detail disciplinary actions associated with non‐compliance by employees.
8. Create secure user authentication protocols, strict control of user IDs and passwords.
9. Any inactive employees should be removed from systems immediately.
10. Educate and train all employees about security.
11. Limit access to PI to those who specifically need it.

Encryption
12. Encrypt email that contains PI (defined as a person’s name with any one or combination of the following: driver’s license, social security number, financial account number, debit/credit account number, or state issued identification number).
13. Encrypt all remote access connections.
14. Encrypt backup media, notebook hard drives, portable hard drives, and all removable media that contain PI.

Updates
Downloading and applying recent security updates to your operating system and primary applications is an integral component to keeping hackers at bay. It is also a relatively low-tech item that most users can take care of by themselves. Unfortunately, an occasional bad update can bring all productivity on your system to a screeching halt. This was the case with Windows XP SP3 where, in some instances, users who installed it lost their Internet connectivity. Professional IT consultants are aware of the potential issues new updates to workstations and servers can raise. We recommend controlling the updates through Windows Server Update Services (WSUS) or opting to perform the updates manually in smaller offices.

Perhaps the authors of Massachusetts’ new law also recognized that all new updates should not necessarily be installed immediately. Ergo, the language indicates that systems should be reasonably up to date.

Your IT vendor should be qualified to determine exactly when updates must be applied, but if you go to the www.windowsupdate.com site and find that there are over twenty security updates to install on your PC, you should not consider your PC “reasonably” up to date. Antivirus definitions need to be downloaded and applied regularly. Antivirus images are released by their software providers nearly every day and sometimes more frequently. You can usually check your update status by clicking on the Antivirus client program that sits on your taskbar in the lower right-hand corner of your computer screen.

Keeping your firewall software reasonably up to date and security rules relevant is paramount to the security of your systems. However, only firewall patches that have been vetted by your IT staff should be installed. A bad firewall update can cause more harm than good.

Attentiveness
You will need to allocate extra resources towards maintaining and monitoring these required standards. Your firewall should be configured to log all suspicious activity, but to properly manage the security of your systems someone needs to review the logs on a regular basis and take corrective actions when required. Though the law requires an annual audit of your security policy the reality is that it should receive much more frequent attention and amendments. Your firm is also expected to verify that third parties with access to PI can protect it.
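The paragraph above says someone has to actually read the firewall logs and act on them. The script below is an added example, not code from the original article: it parses the W3C-style format that Windows Firewall writes to pfirewall.log (a `#Fields:` header followed by space-separated records) and flags two patterns a reviewer would want surfaced: one source address hitting many distinct destination ports, and one source generating an unusually high number of dropped packets. The log lines, addresses and thresholds are constructed for the example.

```python
"""Review a Windows Firewall log (pfirewall.log format) and surface sources
that merit a human look. Added example; the log content below is constructed."""
from collections import defaultdict

# Constructed sample in the pfirewall.log layout: comment/header lines begin
# with '#', and the '#Fields:' line names the columns of every record.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-03-02 09:14:01 ALLOW TCP 192.168.1.20 192.168.1.5 51234 445 0 - 0 0 0 - - - RECEIVE
2015-03-02 09:14:05 ALLOW TCP 192.168.1.21 192.168.1.5 51240 3389 0 - 0 0 0 - - - RECEIVE
2015-03-02 09:15:10 DROP TCP 203.0.113.9 192.168.1.5 40001 21 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:10 DROP TCP 203.0.113.9 192.168.1.5 40002 22 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:10 DROP TCP 203.0.113.9 192.168.1.5 40003 23 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:11 DROP TCP 203.0.113.9 192.168.1.5 40004 25 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:11 DROP TCP 203.0.113.9 192.168.1.5 40005 80 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:11 DROP TCP 203.0.113.9 192.168.1.5 40006 135 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:12 DROP TCP 203.0.113.9 192.168.1.5 40007 139 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:12 DROP TCP 203.0.113.9 192.168.1.5 40008 443 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:12 DROP TCP 203.0.113.9 192.168.1.5 40009 445 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:15:13 DROP TCP 203.0.113.9 192.168.1.5 40010 3389 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:20:00 DROP TCP 198.51.100.4 192.168.1.5 50001 3389 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:20:03 DROP TCP 198.51.100.4 192.168.1.5 50002 3389 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:20:06 DROP TCP 198.51.100.4 192.168.1.5 50003 3389 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:20:09 DROP TCP 198.51.100.4 192.168.1.5 50004 3389 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:20:12 DROP TCP 198.51.100.4 192.168.1.5 50005 3389 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:20:15 DROP TCP 198.51.100.4 192.168.1.5 50006 3389 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:25:00 DROP TCP 192.0.2.77 192.168.1.5 33000 80 52 S 0 0 8192 - - - RECEIVE
2015-03-02 09:26:00 DROP TCP 192.0.2.78
"""

# Review thresholds (assumed values for the example; tune to your own traffic).
SCAN_PORTS = 8    # distinct destination ports dropped from one source
DROP_LIMIT = 5    # total drops from one source


def parse_log(text):
    """Turn the log text into a list of {field: value} records."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # other header/comment lines
        if fields is None:
            raise ValueError("record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                      # truncated or malformed record: skip, don't abort
        records.append(dict(zip(fields, values)))
    return records


def review(records, scan_ports=SCAN_PORTS, drop_limit=DROP_LIMIT):
    """Return one finding per source address whose dropped traffic stands out."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] != "DROP":
            continue
        drops[rec["src-ip"]] += 1
        ports[rec["src-ip"]].add(rec["dst-port"])

    findings = []
    for src in sorted(drops):
        finding = {"src": src, "drops": drops[src], "distinct_ports": len(ports[src])}
        if len(ports[src]) >= scan_ports:
            finding["reason"] = "possible port scan"
        elif drops[src] >= drop_limit:
            finding["reason"] = "repeated drops"
        else:
            continue                      # ordinary background noise
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['src']:<15} {f['reason']:<20} drops={f['drops']} ports={f['distinct_ports']}")
```

On a real server you would read `%systemroot%\system32\LogFiles\Firewall\pfirewall.log` instead of `SAMPLE_LOG`; the parser keys on the `#Fields:` header, so it does not depend on the column order being exactly the one shown. The single drop from 192.0.2.77 is deliberately left unreported, since a review process that pages on every stray packet is one nobody keeps up.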

Policy & Documentation
Your Written Information Security Program (WISP) should spell out the policies related to keeping PI private. A person at your firm must be appointed to manage the program. Since most Massachusetts businesses have already created a WISP, you can find samples online via Google.

Secure user authentication protocols (such as limiting the number of login attempts before locking out users) are expected to be in use at your firm. In addition, passwords need to be kept private and relatively complex. If everyone at your office knows each other’s passwords, you definitely need to change your policy.

When employees or contractors become inactive, their accounts must be promptly removed from your system. Educating your users is a critical aspect of securing your enterprise. Malware, for example, can be accidentally loaded by employees who do not recognize it.

Due to their size, small firms may have difficulty limiting data access to employee subgroups, but larger companies should not have as much trouble with this requirement.
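Items 8 and 9 of the checklist (lockout after repeated failed logins, and prompt removal of inactive accounts) are usually enforced by the directory itself, for example through Group Policy on Windows. The code below is an added example, not from the original article, showing the same two controls in a small application-level model so the logic is visible: a configurable lockout threshold, a password complexity check, and a report of accounts that have not logged in within a grace period. The usernames, passwords and dates are constructed; `MAX_FAILED` and `INACTIVE_DAYS` are assumed values.

```python
"""Lockout, password complexity and inactive-account checks. Added example
with constructed sample accounts; not the article's or any vendor's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED = 5          # failed attempts before the account locks (assumed value)
INACTIVE_DAYS = 30      # days without a login before an account is reported (assumed value)
MIN_LENGTH = 12


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-SHA256; never keep the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def is_complex(password):
    """Length plus at least three of four character classes."""
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return len(password) >= MIN_LENGTH and classes >= 3


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    last_login: datetime
    failed_attempts: int = 0
    locked: bool = False


class Directory:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def login(self, username, password, now):
        """Return 'ok', 'failed' or 'locked'. Unknown users get the same
        'failed' answer as a bad password, so the response does not reveal
        which usernames exist."""
        acct = self.accounts.get(username)
        if acct is None:
            return "failed"
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED:
                acct.locked = True
                return "locked"
            return "failed"
        acct.failed_attempts = 0
        acct.last_login = now
        return "ok"

    def unlock(self, username):
        """Administrative reset after the user has been verified out of band."""
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0

    def inactive(self, now, days=INACTIVE_DAYS):
        """Usernames with no login inside the grace period: candidates for removal."""
        cutoff = now - timedelta(days=days)
        return sorted(u for u, a in self.accounts.items() if a.last_login < cutoff)


def make_account(username, password, last_login):
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), last_login)


# Constructed sample directory.
AMY_PASSWORD = "Correct-Horse-42"

def make_sample_directory():
    return Directory([
        make_account("amy", AMY_PASSWORD, datetime(2015, 3, 25)),
        make_account("bob", "Bob-Left-In-Jan-1", datetime(2015, 1, 15)),
        make_account("carl", "Carl-Contractor-9", datetime(2015, 2, 20)),
    ])


if __name__ == "__main__":
    d = make_sample_directory()
    today = datetime(2015, 4, 1)
    print("inactive accounts:", d.inactive(today))
    for attempt in range(MAX_FAILED):
        print("bad password ->", d.login("amy", "wrong", today))
    print("right password while locked ->", d.login("amy", AMY_PASSWORD, today))
```

The inactive-account report is the piece most small firms skip: a leaver's account that is merely forgotten, rather than disabled, is exactly what item 9 is about, and a monthly run of something like `inactive()` against the directory gives the WISP owner a list to act on.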

Encryption
Encrypting remote access connections can be done by standardizing on Logmein, GotoMyPC, or a combination of VPN and Remote Desktop or Terminal Services.

Notebook hard drives containing PI must be encrypted. Though it is possible to buy new equipment with encrypted hard drives, you may find it easier on the wallet to purchase hardware encrypted thumb drives and enforce a policy that forbids users from saving private information on their notebook hard drives.

Likewise, any removable media such as backup tapes and/or hard drives must be encrypted. These drives are relatively inexpensive. So being a small company with limited resources will not be a valid reason for not taking care of this.

To meet the email encryption requirements for sending PI, some larger companies may elect to address the issue by encrypting all email. Smaller firms may selectively encrypt emails containing PI via Adobe Acrobat. In a perfect world, all of your clients would have a class 1 digital certificate or better and email encryption would be simplified.
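Selective encryption only works if the sender notices that a message contains PI before it goes out. The script below is an added example, not from the original article, of the kind of outbound check that decides whether a message must be encrypted, using the law's own list of identifiers from item 12: it looks for a Social Security number pattern and for card or account numbers that pass the Luhn check, which weeds out most phone numbers, reference numbers and other digit runs. It flags on the identifier alone rather than trying to detect the accompanying name, which is the conservative choice; the messages and numbers are constructed (4111 1111 1111 1111 is a standard test card number).

```python
"""Flag outbound messages that carry identifiers defined as PI under
201 CMR 17.00, so they can be routed to encryption. Added example; the
messages below are constructed."""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes, on word boundaries
# so a digit run embedded in a longer number is not matched piecemeal.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card and many account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pi(text):
    """Return (kind, value) pairs for each identifier found in the text."""
    found = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(("card_or_account", m.group()))
    return found


def needs_encryption(text):
    """True when the message carries at least one PI identifier."""
    return bool(find_pi(text))


def triage(messages):
    """Split a batch into (must_encrypt, may_send_plain) lists of subjects."""
    encrypt, plain = [], []
    for subject, body in messages:
        (encrypt if needs_encryption(body) else plain).append(subject)
    return encrypt, plain


# Constructed sample outbox: (subject, body).
SAMPLE_OUTBOX = [
    ("Account opening", "Hi Bob, the SSN we have on file for you is 123-45-6789."),
    ("Card on file", "Please confirm the card ending as 4111 1111 1111 1111."),
    ("Meeting", "Call me at 617-720-3400 x202; the reference is 1234567890123456."),
    ("Newsletter", "The Q2 newsletter is attached."),
]


if __name__ == "__main__":
    must, ok = triage(SAMPLE_OUTBOX)
    print("encrypt before sending:", must)
    print("plain text acceptable: ", ok)
```

The phone number and the 16-digit reference in the third message are the important negative cases: the reference has the right length for a card but fails Luhn, so it is not flagged. Driver's license and state ID formats vary by state and are not covered here; a real gateway would add per-state patterns and, ideally, a match against the firm's client list for the name component.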

If your firm performs Internet vaulting of your data, double check the encryption settings, and use 256‐bit encryption or higher if possible.

This article was originally published in the Advent Users Group Newsletter in 2010. It is an interpretation of the technology issues related to the new law. To review all of the requirements, refer to the PDF link on the mass.gov web site: www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

About the Author:
Kevin Shea is President of InfoSystems Integrated, Inc. (ISI). ISI provides a wide variety of outsourced IT solutions to investment advisors nationwide. For details, please visit www.isitc.com. You can also contact Kevin Shea via phone at 617‐720‐3400 x202 or e‐mail kshea@isitc.com.