On May 23rd, the Office of Compliance Inspections and Examinations (OCIE) released a risk alert clarifying 2019 exam priorities regarding the protection of “network storage devices”.
The OCIE is reporting to have found the following deficiencies during recent examinations:
- Misconfigured network storage solutions.
- Inadequate oversight of vendor-provided network storage solutions.
- Insufficient data classification policies and procedures.
The OCIE offers the following guidance to address this risk:
- Policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the network storage solution.
- Guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly.
- Vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates, followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.
Xantrion can help you stay in compliance with services ranging from strategic IT planning to security controls mapped to common compliance frameworks. Contact us for more information.