Organizations within the scope of the NYDFS (New York Department of Financial Services) Cybersecurity Requirements have been preparing for the legislation a few requirements at a time over the past 18 months. September 3, 2018 marks the penultimate set of deadlines, by which organizations are required to meet the following:
500.06: Audit trails
Systems must be designed to “reconstruct material financial transactions sufficient to support normal operations” after a security incident. They must also include audit trails that detect and respond to incidents that “have a reasonable likelihood of materially harming any material part of the normal operations.”
500.08: Application security
A cybersecurity program must be implemented that includes “written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house development applications […] and procedures for evaluating, assessing or testing the security of externally developed applications.”
The organization’s CISO (chief information security officer) must regularly review, assess, and update this documentation.
500.13: Limitations of data retention
There must be a system in place for regularly disposing of sensitive information. It should be formally documented with policies and procedures.
500.14(a): Training and monitoring
Policies, procedures, and controls must be created that detail how the organization intends to monitor employees’ activity to detect unauthorized access to or use of sensitive information.
Organizations’ training programs, outlined in clause 500.14(b), should already have been completed, as that clause fell under the March 1, 2018 deadline.
500.15: Encryption of non-public information
A risk assessment should be carried out to determine what controls are needed to secure sensitive information. The most effective control is encryption, but this won’t always be feasible. In such instances, alternative methods should be proposed to the CISO.
Meeting the requirements
The NYDFS doesn’t provide much information on exactly how organizations should comply with the legislation. Fortunately, most of its requirements align with the best practices described in ISO 27001. Organizations can use the Standard as the basis of their NYDFS Cybersecurity Requirements compliance project.
If you haven’t yet conducted a risk assessment in line with the Cybersecurity Requirements, you might also be interested in vsRisk™. You will need to perform a risk assessment to meet many of the NYDFS’ requirements, and Vigilant Software’s tool helps simplify the process. It provides a simple and fast way to identify relevant threats, and delivers repeatable, consistent assessments year after year.
vsRisk’s integrated risk, vulnerability, and threat database eliminates the need to compile a list of potential risks, and the built-in control helps you comply with multiple frameworks.