A Layered Approach to

Cybersecurity
an Eze Castle Integration eBook

Visit: www.eci.com | Call: US: +1 800 752 1382

UK: +44 207 071 6802
A Layered Approach to Cybersecurity
When it comes to protecting your investment firm from serious cybersecurity threats, Tier 0: This is the must-have
it's safe to say that less is definitely not more. In fact, it takes a pretty heavy arsenal of list. There is no getting around
security measures to combat the ever-growing threats targeting your firm from both these security measures.
the inside and the outside.
Tier 1: This tier incorporates a
But it may not be realistic for your firm to employ every cybersecurity technology/tool few enhanced features as well as
and develop and maintain a host of security policies - at least not from day one. a strong contingency of policies
to support your cybersecurity
program. Plus and heres the
This eBook is designed to help you assess some of the cybersecurity protections that
big one we keep talking about
should be on your list. Youll notice weve divided them by tiers, because, well, youll
employee security awareness
need to decide how much of your time, budget and resources are spent protecting
training. Tier 1 is typically where
your firms assets.
most investment management
firms fall today.

Tier 2: This can be considered an

advanced tier, with the
incorporation of progressive
tools such as intrusion
detection/prevention systems
and next-generation firewalls.
But this is quickly becoming the
norm for mid-to-large asset
managers, particularly as a
means to demonstrate
preparedness to institutional
investors.

2 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
 Tier 0 (Basic)
We call this level Tier 0 in part because, well, theres zero chance your firm will have
long-term success in thwarting cyber risks if you dont employ these basic security
measures.

Perimeter & Network Security Access Control Measures

Firewalls Secure Remote

Anti-virus Software Access (e.g. via
Software Patching/ Citrix)
Patch Management

Policies & Procedures Employee/User Behavior

Separation of Strong
Administrative Non-default
Access/Principle of Password
Least Privilege Enforcement
Acceptable Use
Policy

Visit: www.eci.com | Call: US: +1 800 752 1382

Eze Castle Integration | 3
UK: +44 207 071 6802
Perimeter & Network Security

At a minimum, your investment firms should install firewalls,

anti-virus software and patch management software to
protect your perimeter and stop low-level threats and spam Tier 0 Requirements:
from entering your network.
Firewalls
The firewall, as controlled by the network administrators
managing IT for your firm, monitors and controls the Anti-virus Software
incoming and outgoing traffic on your network.
Software
Software patch management is best practice to prevent Patching/Patch
Management
vulnerabilities from appearing within software applications.
Particularly as zero-day threats grow in popularity, software
patching should be part of your firms daily IT management.

4 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Access Control Measures

We live in a technology-empowered world, and if your

employees work outside of the office (on location, at
home, etc.), you need to ensure they have effective and Tier 0 Requirements:
SECURE means to do so. Citrix is a great option for
secure remote access and allows end users to log in to Secure Remote
access applications on-the-go. Access
(e.g. via Citrix)
Virtual Private Networks (VPN) also offer secure remote
access for employees, allowing employees to remote
desktop and run any and all applications that live on the
work computers server.

5 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Policies & Procedures

The policy layer of cybersecurity is often overlooked, but

provides a much-needed backbone for your firms cyber
risk management program. If you employ no other policies Tier 0 Requirements:
from the start, your first policy to create should dictate the
Acceptable Use of your employees with regard to network Separation of
access, system logins, Internet usage, etc. Administrative
Access/Principle of
Your firm should also employ the principle of least Least Privilege
privilege, meaning only those who need access to certain
systems and data should have access to it. Acceptable Use Policy

6 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Employee/User Behavior

Your users themselves will round out your cybersecurity

defense strategy (always remember: people, processes,
technology), and the most basic way to control user Tier 0 Requirements:
security behavior is with strong password enforcement.
Ensure your firms employees are prompted at least every Strong Non-default
90 days to change their passwords and use strong Password
combinations of upper and lowercase letters and special Enforcement
characters.

Consider also requiring specific parameters around

password development and use, such as not allowing
personal information (names, birthdates) within passwords
and not allowing passwords to be reused within a certain
time frame.

7 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
 Tier 1 (Standard)
The good news is that many investment management firms today fall into the Tier 1
category, meaning they are doing more to address cybersecurity risks than just the
basics. Youll notice this tier features a strong contingency of policies that help firms
prepare for and respond to cybersecurity and business-impact threats.

Additionally, Tier 1 does more to address network security and highlights the need for
ongoing employee information security awareness.

Perimeter & Network Security Access Control Measures

Enhanced Email Mobile Device

Security Security
Network Access /Management
Control

Policies & Procedures Employee/User Behavior

WISP Regular/Annual
BCP Cybersecurity
Incident Response Training
Policy

Visit: www.eci.com | Call: US: +1 800 752 1382

Eze Castle Integration | 8
UK: +44 207 071 6802
Perimeter & Network Security

If youre a Tier 1 firm, youre expanding your network

security beyond the standard firewalls and anti-virus
software to include more comprehensive network access Tier 1 Requirements:
control. Plus, since email is oftentimes the gateway into a
Enhanced Email
firms network (more on phishing later), enhanced email Security
security features are a must to safeguard sensitive Network Access
information. Control

Growing in popularity, these features often include targeted

attack protection, attachment scanning and encryption.

Tier 0 Requirements:

Firewalls
Anti-virus Software
Software
Patching/Patch
Management

9 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Access Control Measures

With our growing reliance on mobile devices for

business, its become critical for firms to develop mobile
device policies and employ mobile device management Tier 1 Requirements:
(MDM) solutions which allow administrators to provision,
secure and support company-sanctioned smartphones Mobile Device
and tablets. Security/Management

Particularly if your firm is of the bring your own device

(BYOD) kind, you need to ensure there are clear
protocols and guidelines for employee access to
Tier 0 Requirements:
company/client information.

Secure Remote
Access
(e.g. via Citrix)

10 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Policies & Procedures

We mentioned this was a policy-heavy tier, but these IT

security policies are truly the backbone to a solid and
comprehensive cyber program. Tier 1 Requirements:

Written Information
The written information security policy (WISP) should Security Plan (WISP)
break down what and where your firms confidential data is Business Continuity
and who has access to it. Your Business Continuity Plan Plan (BCP)
(BCP) outlines how your business will continue to operate Incident Response
Policy
in the event the firm is impacted by a cyber-threat.

And your Incident Response Policy will go into deeper

detail on how to respond to cybersecurity issues, including
Tier 0 Requirements:
what steps to take to remediate the situation and
how/when to notify clients/third parties. Separation of
Administrative
Access/Principle of
Least Privilege
Acceptable Use Policy

11 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Employee/User Behavior

Arguably the most important and yet underrated

aspect of your firms cyber preparedness, training and
educating your employees is critical to the success of your Tier 1 Requirements:
organizations security efforts. Technology and systems can
only do so much to address threats. Regular/Annual
Cybersecurity Training
Your employees, however, can act as your first line of
defense against cyber-attacks, but unfortunately, their
efforts will only be effective if they are properly trained on
both potential threats and the firms policies and Tier 0 Requirements:
procedures.

Strong Non-default
Password
Enforcement

12 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
 Tier 2 (Advanced)
If youre thinking only the largest and most tech-savvy investment firms are in Tier 2
youre only half-right. Yes, youll often find mid-to-large asset managers fall into this
category, but many of these advanced protections are fast-becoming the norm for
smaller firms hoping to demonstrate to institutional investors their commitment to
cybersecurity. And through IT outsourcing, these firms are able to leverage managed
service providers to add strategic value to their businesses without having to
manage these advanced technologies on their own.

*For EU firms, many of these protections will soon be mandated by the GDPR and will
likely go into effect by early 2018.

Perimeter & Network Security Access Control Measures

Next-Generation Multi-factor
Firewalls Authentication

Advanced Technologies Employee/User Behavior

Intrusion Detection Phishing

/Prevention Simulation
Storage Encryption Exercises
Data Loss
Prevention

Visit: www.eci.com | Call: US: +1 800 752 1382 Eze Castle Integration | 13
UK: +44 207 071 6802
Perimeter & Network Security

The latest and greatest network security technology you

should employ? Next-generation firewalls. These take the Tier 2 Requirements:
benefits of traditional, port-based firewalls to the next
level, and allow firms to filter network traffic by application Next-Generation
and implement additional security protocols to keep Firewalls
harmful traffic at bay.
Tier 1 Requirements:
Some advantages to next-generation firewalls include:
Enhanced Email
All-in-one functionality Security
Greater visibility and control Network Access Control
Simplified management
Better security
Lower total cost of ownership Tier 0 Requirements:

Firewalls
Anti-virus Software
Software
Patching/Patch
Management

14 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Access Control Measures

One of the most effective ways a firm and its users can
ensure security is through the use of multi-factor Tier 2 Requirements:
authentication, which requires users to verify credentials in
some form to ensure they are, in fact, who they say they Multi-factor
are. This hot tech trend is growing in popularity, and many Authentication
firms are now employing for access to cloud services, for
example.
Tier 1 Requirements:
There are three types of multi-factor authentication:
Mobile Device
Knowledge-based (e.g. security questions) Security/Management
Possession-based (e.g. cryptocard, authentication app on
mobile device)
Inherence-based (e.g. fingerprint, biometric scan)
Tier 0 Requirements:

Secure Remote
Access
(e.g. via Citrix)

15 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Advanced Technologies

Being the advanced tier, Tier 2 features some progressive

systems and technologies that many of todays investment Tier 2 Requirements:
management firms are starting to leverage. Intrusion
detection and prevention systems can be costly, but add a
convincing layer of security to an existing cybersecurity Intrusion
program, with the ability to monitor networks and prevent Detection/Prevention
threats from penetrating them.
Storage Encryption
(Data at Rest)
Additionally, the encryption of data at rest is becoming a
top priority for security-focused firms, as well as data loss Data Loss Prevention
prevention software that aims to prevent end users from
sending sensitive information outside of a firms network.

16 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
Employee/User Behavior

If you consider your firm security-focused, then you

probably also realize the critical role your employees play Tier 2 Requirements:
in securing your firm and safeguarding its information. To
ensure employees realize their importance and act as well- Phishing Simulation
informed users, many firms are conducting phishing Exercises
simulation exercises to test and train users to identify
potentially malicious email threats.
Tier 1 Requirements:
These managed phishing tools are relatively inexpensive in
nature and often include in-the-moment security Regular/Annual
awareness training to reinforce many of the key concepts Cybersecurity Training
employees should be aware of.

Tier 0 Requirements:

Strong Non-default
Password
Enforcement

17 | A Layered Approach to Cybersecurity

Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802
 About Eze Castle Integration
Eze Castle Integration is a leading provider of IT solutions, managed cloud
services and cybersecurity to more than 650 alternative asset management
firms around the globe. Our Managed Services portfolio includes:

Private Cloud Managed Platform

Managed Suite | Managed Infrastructure | Managed DR | Hosted Voice

Cybersecurity Solutions & Training

Managed Security Solutions | Active Threat Protection | Managed
Phishing/Training | Cyber Consulting Services & Policy Development

Business Resiliency & Contingency Planning

Disaster Recovery | Business Continuity Planning | Backup & Recovery |
Email & IM Archiving

Outsourced Technology Services

IT Support | Staff Augmentation | Global 24x7x365 Help Desk

Contact Us Today
Visit: www.eci.com | Call: US: +1 800 752 1382
UK: +44 207 071 6802

Boston | Chicago | Dallas | Hong Kong | London | Los Angeles | Minneapolis | New York | San Francisco | Singapore | Stamford