Cybersecurity Pre-Risk Assessment

LPL Cybersecurity Risk Assessment

Advisor Information Security Team • AdvisorInfoSec@lplfinancial.com

General Info – Please list your office name and location.

Example: •John Doe •1234 Main Street Executive Drive •AnyTown, CA 12345

Employee Names and Titles

Include any internal IT support or staff.

Online presence: please list any web facing applications or external social media presence you may have.

Example: Website, LinkedIn, Facebook, Twitter etc.

Office Layout – Please explain the layout of your office. Be sure to include how many rooms your office might have and their purpose.

Example: •1 Conference room •Main lobby •Storage room

Do you have a secondary or home office where LPL business is conducted or sensitive information is stored?

Yes

Office Network – List network names and security types used.

Example: •Wi-Fi name: Spectrum375A •WPA/WPA2, WEP, Radius, etc.

Home Network - List network names and security types used.

Example: •Wi-Fi name: Home1 •WPA/WPA2, WEP, Radius, etc.

Estimated total number of devices connected to the network

To include wired and wireless devices such as laptops/desktops, tablets, and mobile devices, cameras, etc.

Modem / Router Location

Example: •Router located in personal office •Modem is located in telecommunications closet

Please list any enterprise devices and locations of where the device(s) are stored.

Example: routers, firewalls, servers (both physical/virtual), etc.

Physical Storage Security – Are all file cabinets and drawers that contain PII kept locked? Please list what physical storage you use to store documents that contain PII.

Example: •Yes all containers are locked and only I have access to key. •I have 2 Filing cabinets •I use my desk drawers to store documents as well.

Third party service providers (TPSP)

Do you work with any external TPSPs or vendors (this includes an IT provider)?

Yes

Is there an ongoing formal process to vet, document, and review Third Party relationships?

This includes an IT provider.

Yes

Non-Employee Access

Do any non-employees have access to your office? Example: •Cleaning crew comes every night. •Landlord. •Building manager has access to everyone’s office.

Yes

List the software programs, including open source software (freeware) that may be used and contain sensitive information.

Example: •Redtail •QuickBooks •Constant Contact

Do you have any hardware or software that is no longer supported or End-Of-Life (EOL)?

Example: Windows 7/8, Big Sur OS 11, or older.

Yes

Do you have any hardware or software that is approaching EOL within 1 year?

Example: •No, I use Windows 10 professional.

Yes

Do you check your computer for any old or outdated software?

Example: No, I do not know how to check for old or outdated software.

Yes

Digital File Storage - Please list any cloud file storage or backup solutions your office may have that contain sensitive information, such as PII. If your office utilizes local servers for storage and use, who is responsible for server maintenance

Example: •Cloud Storage: Microsoft One Drive •Cloud Storage: Filevault •Local Storage: External Seagate Hard Drive •Local Storage: USB flash drive •Local Storage: NAS Server

Mobile Device Security - Do you utilize face recognition, passcode/PIN, or fingerprint reader on your devices?

Example: Yes, I have facial recognition enabled on my cell phone and a fingerprint reader on my laptop.

Yes

Password Security – what is the password policy currently in place? Do you reuse or use similar passwords? How often do you change your password?

Example: •My passwords are 8 characters minimum, I occasionally reuse passwords and I change my passwords every 6 months.

Password Management – How do you manage the passwords for your devices and online accounts?

Example: •Excel Document •Notebook locked in safe •Sticky Note •Password manager

Do you use Multi Factor Authentication (MFA) for business or accounts with sensitive information?

MFA is a security system that verifies a user's identity by requiring multiple credentials such as text message code/email code.

Yes

Email Sending Procedure

Do you or anyone in your office send emails containing PII? If so, do you use encryption?

Yes

Is there someone responsible for auditing, reviewing, and implementing policy, controls, and/or awareness training?

Yes

Do you currently have a cybersecurity awareness program?

Example: Phishing simulation program, security awareness training sessions, etc.

Yes

Antivirus Software - What Anti-Virus software do you use? Is it regularly updated?

Example: •McAfee Antivirus, auto update is on. •Avast Antivirus, auto update is off.

Do you have any tools/processes in place to detect, communicate, quarantine or respond to internal/external threats?

Yes

Encryption - Are all portable devices whole disk encrypted? (Laptops, flash drives, and portable hard drives)

Example: •Yes, I have a Seagate external hard drive. No, it is not encrypted.

Yes

Traveling - Please explain your procedures for conducting business while traveling: what devices do you use while working away from your office? Are you aware of the security risk in conducting business in public areas?

Example: •I use my laptop to conduct business while away from my office. •I use Mobile Hotspot instead of connecting public Wi-Fi. •I charge phone using available USB ports while traveling in the airport. •No, I am not aware of the risks.