WIDEPOINT CORP 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

WIDEPOINT CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 16:47:26 EDT.

Filings

10-K filed on 2024-03-26

WIDEPOINT CORP filed a 10-K at 2024-03-26 16:47:26 EDT
Accession Number: 0001654954-24-003664


Item 1C. Cybersecurity.

Our Board of Directors (Board) oversees the management of the risks inherent in the operation of the Company's business, principally through the Governance Committee. Our Governance Committee oversees our risk management efforts, with cybersecurity being an element of our comprehensive Enterprise Risk Management (ERM) strategy. Our executive officers report information to the Board through the Governance Committee regarding the risks that impact the organization, including cybersecurity risks, and any material events.

Our cybersecurity framework utilizes the following National Institute of Standards and Technology (NIST) standards:

NIST SP 800-34, Rev 1, “Contingency Planning Guide for Federal Information Systems,” November 2010
NIST SP 800-37 Rev. 2, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” December 2018
NIST SP 800-53, Rev. 5, “Security and Privacy Controls for Information Systems and Organizations,” September 20, 2020, updated December 10, 2020
NIST SP 800-61, Rev 2, “Computer Security Incident Handling Guide,” August 2012

Our approach to cybersecurity aims to protect the confidentiality, integrity, and availability of the data we handle. This process involves measures to identify and prevent cybersecurity threats and mechanisms to mitigate and respond to cybersecurity incidents.

Risk Management and Strategy

Our cybersecurity program, a pivotal component of our overarching ERM framework, concentrates on several key areas:

Collaborative Approach: We employ a holistic, cross-functional strategy to identify, prevent, and mitigate cybersecurity threats. Our approach includes rapid escalation protocols for specific cybersecurity incidents, enabling timely decision-making on public disclosure and reporting by management.
Technical Safeguards: We utilize advanced technical safeguards to defend our information systems. These include firewalls, intrusion prevention and detection systems, anti-malware tools, and stringent access controls. Continuous vulnerability assessments and leveraging cybersecurity threat intelligence ensure these safeguards remain practical and up to date.
Incident Response and Recovery Planning: Our comprehensive incident response and recovery plans are designed to manage the aftermath of cybersecurity incidents. Regular testing and evaluation of these plans ensure preparedness and resilience.
Third-Party Risk Management: Recognizing the significance of external threats, we have implemented a risk-based strategy to manage cybersecurity risks associated with third parties, such as vendors and service providers. This strategy extends to these third parties’ systems, which, if compromised, could impact our operations.
Education and Awareness: We understand the importance of informed personnel, so we conduct mandatory, regular training on cybersecurity threats. This training aims to equip our staff with the necessary tools to confront these threats effectively and disseminate updates on WidePoint’s evolving information security policies, standards, processes, and practices.

We are committed to maintaining robust cybersecurity defenses through regularly evaluating and improving our policies, standards, processes, and practices. This commitment is actualized through a diverse array of assessment and testing activities, which include:

Comprehensive Audits and Assessments: We conduct audits and assessments to scrutinize the efficacy of our cybersecurity measures.
Tabletop Exercises and Threat Modeling: Engaging in tabletop exercises and threat modeling allows us to simulate and prepare for potential cybersecurity scenarios, ensuring readiness and adaptability.
Vulnerability Testing: Vulnerability testing is performed to proactively identify and address potential security weaknesses.
External Evaluations: We regularly commission third parties to conduct in-depth assessments to ensure an unbiased and comprehensive evaluation. These include information security maturity assessments, audits, and independent reviews of our information security control environment and its operational effectiveness.

Based on the insights gleaned from these assessments, audits, and reviews, we dynamically adjust and refine our cybersecurity policies, standards, processes, and practices to continuously enhance our cybersecurity posture. By engaging in these rigorous and diverse testing and assessment activities, we verify the current effectiveness of our cybersecurity measures and identify areas for continual improvement, ensuring our defenses evolve in line with the dynamic nature of cyber threats.

Executive Experience and Qualifications

Our CEO and CFO, each with over thirty (30) years of risk management experience, and the COO, with over twenty (20) years of experience including cybersecurity, possess deep expertise in their respective fields, evidenced by their academic qualifications and professional trajectories. This collective experience underpins our robust approach to managing cybersecurity risks. In addition, we have numerous employees with experience and qualifications related to cybersecurity. We expect to name a Chief Information Security Officer during 2024 as part of our cybersecurity program. Our executive officers are responsible for informing the Board and Governance Committee of any material cyber events or risks.

Cybersecurity Threats are discussed in ITEM 1A. RISK FACTORS, under the heading RISKS RELATED TO PRIVACY, CYBERSECURITY AND TECHNOLOGY in this Annual Report on Form 10-K. We are not aware of any material cybersecurity incidents in the past that have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition.


Company Information

Name: WIDEPOINT CORP
CIK: 0001034760
SIC Description: Services-Computer Integrated Systems Design
Ticker: WYY - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30