HCM Defender publishes best practices for the industry based on latest NIST frameworks (RMF, PRM, CSF) and industry best practices adapted to industry. Using a NIST+ model provides a nationally consistent model and alignment for potential future regulations while adding specific areas HCMs need to meet to be safer.

Specific standards are being put in place that will impact the HCM industry. An example is the DOL/EBSA Guidelines for 401k providers, which can act as a guide to improving cybersecurity across the industry. This might lead to future certification programs to help provide assurances to customers and insurers about the validity of cyber programs.

These guidelines include:

• Formal documented program
• Conduct prudent annual risk assessment
• Annual audit of security controls
• Define responsibilities within organization
• Strong access control procedures
• Cloud-based data third party services are subject to assessment
• Periodic training
• Manage secure lifecycle program
• Business continuity and incident response plan
• Encryption of data stored and in transit
• Technical controls
• Appropriately respond to cyber security incident

The following is a list of best practice areas for which HCM Defender has developed and by which leaders can use to learn and progress:

• Third party audits and risk analysis
• Hardware and software configuration and an ongoing plan for infrastructure upgrades
• Governance policies
• Contract terms with vendors
• Work From Home security model
• Internal employee data/IP theft protection
• Incident response program
• Employee security training and testing model

It is the goal of HCM Defender to help guide those in the industry in implementing industry best practices around cybersecurity, including the above.