
Friday, June 18, 2010

Data protection in a small mutual fund distribution company

Having defined the two types of information sets, I would like to highlight the data/IT security policy applied in the mutual fund distribution company I have been working for since 2007.

The company's mission is to select the best US asset managers for a given asset class within the equity arena, to create a mutual fund structure (Luxemburg umbrella funds) which serves as a sort of "nutshell" for the given strategy, and to distribute the product outside the US (mainly in Europe). Because of that focus on distribution only, portfolio strategy information remains with the chosen asset manager at their own site and with the custodian in Luxemburg. It does not pass through the Miami office, so no specific security measures are needed for it there.

However, all client data, on existing and prospective clients alike, is stored in Miami and needs to be secured. To that end, the following measures have been implemented:

Inside security:

All company employees have unique user names and passwords to access the email server. Most people have different editing rights in the software used to store the information (read only, modify, contribute, etc.).
Daily backups are performed on the company server (inside the building).

Information on existing clients is kept in a different program from information on prospective clients, which is managed in a CRM package called ACT. Only one person has the right to create new contacts or edit existing contacts in that database.

Outside security:

A firewall has been installed on the company server to block attacks from outside users.
An off-site backup server has been set up in case of disruptions (hurricanes, etc.).

Client buy/sell orders for fund certificates are communicated by fax only. The daily transaction report on subscriptions, redemptions and distributions of gains is sent electronically each day by the Luxemburg management company as a password-protected file.

Among the company's employees, one administrative assistant is responsible for managing the data. She is helped by an MIS (Management Information System) person who takes care of the security of the information.
An external data hosting service has been hired to protect the data displayed on the website. Overall responsibility for data and information security remains with one of the three founding partners of the firm.

Despite the above-mentioned security measures, there are in my opinion too many open "holes" that would allow outsiders to access the data. The ACT database, which holds more than 600 names, phone numbers, contact details and also the contact history of potential clients, is simply password protected, but it can be downloaded by any employee onto their personal computer and eventually used at another firm that individual might work for in the future.

So far no information leak has been observed and no client data has been criminally used by outsiders to the firm. Also, since 2001 no major disruption has occurred that would have forced the company to use the backup server. However, I do believe that more training should be offered to employees about the sensitive nature of the data and the danger of losing it to competitors. Not only government agencies (such as the IRS) are interested in the detailed portfolio structures of potential clients, but also any other asset management or distribution firm. In the three years I have been working with this company, no formal training session has been held to create awareness.
