Summit Ridge Cybersecurity Strategy and Approach
Summit Ridge deploys a multifaceted security program with its security foundation based on highly reliable global cloud cybersecurity service providers (such as Microsoft), highly recognized and relied-upon cybersecurity protocols, and the Summit Ridge Written Information Security Program. Summit Ridge designed its security system to protect the confidentiality, integrity, and availability of our personal and client information from internal and external threats and vulnerabilities.
We support our security efforts by using and complying with various cybersecurity protocols. Summit Ridge’s foundational cybersecurity framework is the well-known and well-regarded Center for Internet Security 20 Controls (“CIS-20”). Summit Ridge implemented CIS-20 Controls, Version 7.1, Implementation Group 3 (the highest level). The CIS-20 Controls map to most major cybersecurity compliance frameworks such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework, NIST 800-53, and the ISO 27000 series. SRG also relies on the FINRA (Financial Industry Regulatory Authority) Small Firm Cybersecurity Checklist to conduct assessments of security vulnerabilities using a third-party security consultant. The FINRA Small Firm Cybersecurity Checklist draws from the NIST Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices. Additionally, Summit Ridge supplements the CIS-20 Controls and the FINRA Small Firm Cybersecurity Checklist with other benchmarks and advice from industry experts. These Summit Ridge measures include:
- Appropriate policies, standards, guidelines, and program management
- Strong technical security controls
- A security compliance program involving security reviews, certifications and audits
Summit Ridge has deployed a clearly defined security strategy and roadmap that considers the following:
- Data protection: legal, regulatory and procedural requirements
- Business security processes: mandated procedures and requirements
- Technology and cloud-service selection: policies, standards and procedures
- Researching fast-evolving external and internal cybersecurity threats in the cybersecurity landscape
- A security incident management program using a combination of regular manual assessments and cloud-service-delivered automated audits to control and remediate security-related incidents effectively
The Summit Ridge WISP
Our data security policy is formulated in our written information security program (“WISP”) document to ensure that Summit Ridge implements robust cybersecurity methods and procedures to protect the critical confidential data we are responsible for managing. Summit Ridge designed the WISP to comply with leading guidelines regarding data security and protection of information to which Summit Ridge’s authorized users, including employees, independent contractors, consultants, or third-party vendors, may have access.
Training and awareness: With cyber hackers’ constant and evolving attack methods, Summit Ridge works to educate its team and make it aware of potential cybersecurity vulnerabilities by routinely providing information, guidance, and training. Summit Ridge regularly raises awareness of possible threats to data privacy and information security and considers such training as a dynamic and continuous process. Summit Ridge takes cybersecurity education very seriously. This is evidenced by regular updates and required training sessions for Summit Ridge professionals to drive security awareness for all Summit Ridge systems and data. All Firm employees, independent contractors, consultants, and third-party vendors are required to take appropriate measures and make commercially reasonable best efforts to preserve, protect, and safeguard confidential client information and personally identifiable information. They are required to provide immediate notice of attempted or successful security breaches to Summit Ridge management.
Summit Ridge employee training and testing includes:
- Access control processes
- Asset management: classification and control
- Communications and operations security
- Human resources security of employee data
- Information systems acquisition, development, and maintenance
- Physical and environmental security
- Risk assessments for physical and electronic data
- Regular cybersecurity training for all employees
- Regular external intrusion penetration testing to uncover weaknesses
- Membership in the Center for Internet Security (“CIS”)
- Engaging outside consultants to advise on potential improvements and to identify possible vulnerabilities to our network or internal processes
Technical Security Controls: Security by Design
Summit Ridge invests considerable time and resources to ensure that we use the latest security systems. For example, these include the top mobile device management systems from Microsoft and other vendors, which automatically update workstation computers and other devices. Summit Ridge’s approach to information security relies upon the WISP in combination with highly respected cybersecurity services delivered by cloud vendors, such as Microsoft, for maintaining the confidentiality, integrity, and availability of documents and data and for protecting computer assets. These measures include, for example:
- Highly secure cloud storage designed to allow collaboration with clients and to transfer data securely
- Intrusion detection and prevention technologies
- Robust physical, environmental, network, and perimeter controls
- Clean desk policy requiring employees to leave no work papers on their desks at the end of the day
- Locked cabinet policy requiring confidential papers and computers to be in locked cabinets at the end of the day
- Computer screens closed when not in use
- Shredding policy requiring employees to shred all confidential paper documents after use
- Encryption of all computers and mobile devices
- Desktop and laptop firewalls
- Enforced prohibition by software preventing the use of external USB and other memory devices
- Antivirus and antimalware software installed on all devices
- Multifactor authentication (“MFA”) solutions for login to cloud services
- Automated patching and security vulnerability assessments
- Monitoring and detection systems
We invest time and resources researching new cybersecurity protocols and services that align with our information cybersecurity strategy, client requirements, and network design. This properly positions Summit Ridge to address issues that might threaten the confidentiality, integrity, or availability of our data.
Disaster Recovery Program
Summit Ridge is committed to protecting its people, computer data, cloud data, business processes, applications, and data before, during, and after a catastrophic event. Summit Ridge carefully plans and tests disaster response and system recovery procedures for critical applications. The Summit Ridge disaster recovery methodology uses the following:
- Business impact analyses related to catastrophic events affecting Summit Ridge
- Mission-critical disaster recovery plans built on network designs and carefully selected cloud services
- Regular testing of disaster recovery plans to verify operational readiness
- Client data stored on cloud-based servers, such as Microsoft’s, that meet highly respected security standards including ISO 27001, NIST and FedRAMP
- Using cloud storage, cloud-based communication services, laptop computers, and smartphones allows all employees to work out of the office with unimpeded access to systems and data
- Summit Ridge actively monitors the use of cloud-based applications, allowing for redundant data storage and minimizing the locations in which data is stored
- All computing devices, including laptop computers and smartphones, are controlled and monitored with advanced mobile device management (“MDM”) technology that can lock or disable a device, or delete its data, should one be lost or stolen
Internet and Communication: Summit Ridge internet services are provided by major internet service providers and terminate in Summit Ridge offices on an enterprise-level gateway. VPN service is available for all mobile devices allowing for secure use when on third-party Wi-Fi.
Summit Ridge’s business telephone communication is delivered by a major VoIP provider compliant with NIST 800-53, FISMA (Federal Information Security Management Act), and SOC 2 (System and Organization Controls). The VoIP system serves Summit Ridge offices and is installed on all employee smartphones and laptops.
Summit Ridge uses Microsoft 365 Enterprise Outlook email, which is secured and protected from phishing and malware exploits by technologies including Microsoft Defender. We send highly confidential documents and emails through Protected Trust and MS Outlook encryption systems.