Late last year the New York State Department of Financial Services (DFS) announced that New York would be proposing a "first in the nation" cybersecurity rule, taking effect on March 1, 2017, that would affect every bank, insurance company and other entity regulated by DFS. The rule requires each regulated company to design a cybersecurity program based on its own risk assessment, so that the protections in place are sound and its customers are better protected.
In addition to laying out broader requirements around staffing, training, audit and the like, this regulation sets minimum standards for the design of a sound cybersecurity program that addresses prevention, identification, remediation and validation across several technology areas.
With the growing value of financial records to attackers, this rule is meant to protect consumer data and financial systems from nation states, terrorist organizations and other criminal enterprises. In fact, just this past week the US handed down its first-ever indictments of Russian intelligence officers for the breach of Yahoo.
This month, 23 NYCRR 500 went into effect. While we can't yet say how organizations are reacting or whether they are ready, we can help you prepare for the day this "first in the nation" rule becomes the "expected standard of the nation".
To help you prepare to meet the 23 NYCRR 500 requirements, we've put together an eBook that breaks down what you need to do to comply with several of its cybersecurity sections.
Section 500.03 is broadly labeled "Cybersecurity Policy" and outlines several solutions or processes that your security plan must address in order to be compliant, including:
500.03 (b) Data Governance and Classification
Data governance is about understanding and managing your critical information, including information that lives in documents, files and folders (unstructured data) rather than in databases or applications (structured data). Your employees continuously create new documents, folders and files on your servers, and you need a way to govern who has access to them. Managing this manually is an option, and is often how it is done, but modern cybersecurity teams are adopting automated solutions, which are more effective.
One option for automation is a Data Access Governance (DAG) solution: an auditing, compliance and governance framework for unstructured data and critical applications that provides comprehensive data collection, analysis, categorization, remediation workflows and reporting. These solutions are automated, scalable and interoperable with your Identity and Access Management (IAM) and HR systems, and they secure your data by applying a consistent permissions model and enforcing least-privilege access control.
500.03 (d) Access Controls and Identity Management
Identity and Access Management (IAM) covers informed provisioning, governance and compliance for all access within your network and applications. Much like data governance, these solutions exist to make sure that only the right people have the right access to applications, servers and other parts of your network.
IAM systems are usually complex and involve functions such as compliance reviews, provisioning, access controls and password management. To truly fulfill this requirement, you will need an identity and access management solution that provides:
- A portal where access can be requested, approved and managed by users for company resources such as applications, roles, entitlements, privileged entitlements, and data
- A password solution enforcing complex requirements for passwords as well as a self-service password reset and authentication solution
- A way for business users and data owners to review access to their resources, both to reduce access risk and to comply with key regulations
500.03 (g) Systems and Network Security
Systems and network security addresses a company's governance and administration needs to limit access to privileged information, focus on exploitable vulnerabilities and monitor for incidents on devices connected to its network. It is important to monitor everything that touches your network, along with key points of ingress and egress, to ensure holistic security and to quickly identify when something has been compromised.
From the identity side, you need a solution that monitors access to all information and, most importantly, to privileged information. This solution should address governance and administration needs and should alert an administrator whenever anyone's access is being misused.
Vulnerabilities need to be monitored for continuously and patched when they are high priority and exploitable. A vulnerability management solution takes the results of all of your scan data and prioritizes the list by what would truly impact your business the most. Once you know which vulnerabilities matter most in your environment, you patch them and validate the results with a penetration testing tool or through a third party who can test for you.
All devices connected to your network should also be monitored for malicious activity. All inbound and outbound traffic should be analyzed for both behavior and content to uncover the evidence needed to find systems that are already compromised and shut them down immediately. Looking at activity, and not just malware signatures, reduces the chance of malware going undetected. It also helps limit the alarm fatigue that plagues the malware detection world.