Cyber and Information Security Policies.

altPILOT develops tailored cyber security and information security policies and procedures, consistent with the NIST framework as applicable and appropriate for our clients. The NIST Cybersecurity Framework is organized around five functions: Identify, Protect, Detect, Respond, and Recover. Depending upon organizational capabilities and identified risks, the policies altPILOT develops may include the following, grouped by framework function and category:

IDENTIFY

Physical devices, software platforms and applications
  - Access Control Policy
  - Account Management/Access Control Policy
  - Identification and Authentication Policy
  - Security Assessment and Authorization Policy

Resources
  - Information Classification Policy

Cybersecurity roles and responsibilities
  - Acceptable Use of Information Technology Resources Policy

Cyber risk management processes
  - Risk Assessment Policy

Third-party risk management
  - Systems and Services Acquisition Policy

PROTECT

Identities and credentials
  - Authentication Token Policy
  - Configuration Management Policy
  - Identification and Authentication Policy
  - Sanitization and Secure Disposal Policy

Remote access
  - Remote Access Policy

Network integrity
  - Wireless Network Security Policy
  - Mobile Device Security Policy
  - System and Information Integrity Policy

Awareness and training
  - Personnel Security Policy
  - Physical and Environmental Protection Policy
  - Security Awareness and Training Policy

Data security
  - Encryption Policy
  - Information Security Policy
  - Maintenance Policy
  - Media Protection Policy
  - Patch Management Policy

Maintenance
  - Maintenance Policy

Communications and control networks
  - System and Communications Protection Policy

DETECT

Anomalies, events and network monitoring
  - System and Information Integrity Policy
  - Vulnerability Scanning

RESPOND

Response plans
  - Computer Security Threat Response Policy
  - Cyber Incident Response Policy

RECOVER

Recovery planning
  - Contingency Planning Policy

Vulnerability Testing and Assessment.

altPILOT will conduct [2] point-in-time vulnerability tests and assessments of the Customer's environment. Vulnerability testing will cover information technology (IT) assets including network devices, mobile devices and operating systems. Written assessments will identify specific vulnerability types, malware and ransomware, vulnerabilities by host, and recommendations for remediation.

Penetration Testing.

altPILOT will conduct [1] point-in-time penetration test of the Customer's external network, focused on discovering and exploiting externally exposed assets and services to simulate what an attacker would do to compromise the Customer's systems or gain access to the Customer's internal resources. altPILOT will schedule its penetration testing to minimize disruption to the Customer's infrastructure and will typically conduct it during the Customer's non-business hours. Penetration test findings will be provided to the Customer in a written report.

III. Phishing and Social Engineering Testing[2]. altPILOT will conduct [4] simulated phishing engagements to evaluate how well employees identify attempted phishing and to increase the Customer's awareness of such activity. The characteristics of each phishing engagement will be determined by altPILOT and may include targeted phishing or firm-wide simulations. Each phishing engagement will consist of a non-malicious attempt to collect information and will provide feedback and awareness to employees who correctly or incorrectly identify the attempt. Following each campaign, altPILOT will provide an analysis of the campaign and recommendations for improvement over time.

IV. Cyber and Information Security Training. altPILOT will provide [1] cybersecurity awareness training session intended to influence behavior, focusing on employee actions that can mitigate threats to and vulnerabilities of the Customer's information systems. altPILOT's training will provide an overview of cybersecurity threats and best practices for keeping information and information systems secure. The training will also reinforce best practices for protecting non-public personal financial information and personally identifiable information (PII) of the Customer's clients.
