Windows 10, Vendor Due Diligence, and Reg S-P

Windows 10 Upgrade Due Diligence for Investment Advisers and Broker Dealers

Why are we talking about upgrading workstations and laptops in a blog that, to date, has focused pretty heavily on IT Issues and Regulatory Compliance? It’s not that we’re changing our focus. It’s that you, as a CCO need to be expanding yours. We’ve written for the better part of a year on how the Chief Compliance Officer of an RIA or BD, regardless of its size, needs to be involved in the IT decision-making process – and one of the largest decisions facing all businesses today surrounds upgrading to Windows 10, especially given concerns of privacy and information sharing. The management of both infrastructure and application changes and corresponding Service Level Agreement statements, including any related to privacy and confidentiality, should be considered within your Vendor Management Program. Keep in mind that Vendor Management is one of the six focus items of the 2015 SEC Cybersecurity Examination Initiative. Managing the largest Vendors and conducting due diligence of these untouchable monsters is one of the major challenges we hear from our client base. The vetting of changing language and statements from your cloud-based vendors is important, especially when the changes may impact client and sensitive company information.

There are certainly issues beyond those of privacy and security that a company must consider before updating an operating system across their entire company. Technology issues, including compatibility with existing software, may preclude updating at all. These are issues that your IT staff or consultant should be addressing in any information security meeting that discusses vendor management, change management, the upgrade cycle. But, if there are no technology-based concerns, then you as the CCO should be prepared to discuss privacy and security and ensure that a clear plan exists to incorporate these concerns into your upgrade cycle. But where should you start and what do you NEED to know to be properly engaged in this conversation?

End Of Life Dates

Before you even begin the discussion of upgrading to Windows 10, it makes sense to have an understanding of the End-Of-Life dates for popular operating systems out there:

Windows XP – Support Ended April 8th, 2014.
Windows Vista – Support Ends April 11th, 2017.
Windows 7 – Support Ends January 20th, 2020.
Windows 8 – Support Ends January 9th, 2023.
These are major milestones for all businesses, and I would recommend that you as the CCO put these in your calendar with reminders set 6 months before the expiration date. This should give you enough time to ask your IT department or Consultant if any affected systems are in place at your organization and what the upgrade path is to retire them.

So, unless you have a demonstrated business need to upgrade to Windows 10 – which may exist for reasons of system uniformity – you can take the option securely, of kicking the proverbial can down the road a ways. However, most new systems are shipping with Windows 10 preinstalled, so unless your IT team wants to downgrade, you will have to face Windows 10 sooner rather than later.

Privacy and Security Concerns

Most of the concern that we see surrounding Windows 10 is that it “is spying on almost everything you do.”[i] This rather vague and sensationalist headline is moderately true, but there are things that you can do to lock down Windows 10 and to prevent the unintended dissemination of data.

Why Does It Matter?

Windows 10 is built in a fundamentally fashion from previous Operating Systems. That is, it is designed to work as both a local system and in a cloud-based fashion. The attachment of so many cloud services is theoretically an enhancement for all of us who work across multiple systems and locations. But there are some built-in concerns – specifically that it can be hard to figure out just what you’re sharing, why, and with whom. The devil here is really in the details, or in this case, Microsoft’s Privacy Statement which reads:

“Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.”

“Rather than residing as a static software program on your device, key components of Windows are cloud-based. … In order to provide this computing experience, we collect data about you, your device, and the way you use Windows.”[ii]

I should note that, in this instance, Microsoft is not alone and all major service providers and manufacturers have language that is similar.

This sharing is what poses the real risk and we can be sure that if there were an enforcement pertaining to it the SEC would look directly to Rule 30 of Reg S-P:

…written policies and procedures must be reasonably designed to…[i]nsure the security and confidentiality of Customer Records and Information…

How can your P&P reasonably insure security and confidentiality if you’re not entirely sure what you’re sharing to begin with?

Compliance Steps:

Before beginning any update or rolling out Windows 10, take a look at the privacy settings available with Windows 10 and make a policy decision with respect to how you and your company will handle these settings. You should never use the Express settings, which enable all sharing features by default. Walk through each of the individual privacy controls and make a decision regarding each.

We would recommend documenting your reasoning and then ensuring that the settings you, your IT staff, and your Information Security Committee as a whole have agreed to are uniformly applied. Don’t let one computer have one list of settings, and a different machine have another.

WiFi Sense:

The greatest specific privacy concern that people have been asking us about surrounded “WiFi Sense”. Some users feared the service would share their WiFi passwords (including those for corporate networks) with facebook friends, skype contacts, and the like. While there are some concerns here, Microsoft has recently announced that it is doing away with the feature in an pending upgrade.[iii] WiFi Sense will, however, continue to connect to “any open hotspots that it knows about through crowd-sourcing.”

As we all know that connecting and doing work on unsecure public wifi connections is not a great idea, we recommend that you disable WiFi sense at a matter of course.

Bonus Steps:

When you are in the process of upgrading machines, you have an excellent opportunity to add additional security measures. As you are working through the process consider the following:

Whole Disk Encryption – For laptops and Microsoft Surface products that have a higher risk of loss or theft, encryption of data is especially important and has become somewhat easier with Windows 10. Many new systems are shipping with “Device Encryption” enabled, but it will only encrypt the device if you sign in with a Microsoft Account.

For most business users, BitLocker encryption will still be the way to go. If you haven’t yet deployed encryption on high-risk systems, now could be a great time.

Enforce Storage Policies – If your company by policy doesn’t allow users to store information on their local drives – the update cycle can provide an excellent time to validate those controls or to enforce them.

Conclusion:

Windows 10 does represent a change in how the CCO must view the technology his or her company is using on a daily basis. But, as with most things, it boils down to common sense. Effective policy & procedure as well as coherent action will make your business as secure as possible. Weigh every decision that you make from a regulatory and a security standpoint and from a common-sense one and you likely will do well. Windows 10 of its own accord is nothing to fear, just make sure you control its rollout and use.

Not Sure Where To Start? Learn More About an Information Security Assessment from Artemis!