The 18-month transitional period for the NYDFS (New York Department of Financial Services) Cybersecurity Requirements ends on September 3, 2018, bringing with it five more compliance deadlines. Among these is section 500.06: Audit trails, which mandates that organizations:
- Design systems that can “reconstruct financial transactions sufficient to support normal operations and obligations”
- “Include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of [their] normal operations”
- Maintain records of their systems for at least five years, and of their audit trails for at least three years
Why do you need an audit trail?
Audit trails provide a chronology of an organization’s transactions. Auditors can use the information to trace financial records from a ledger to the source document (such as a receipt or invoice). This enables them to easily confirm that the organization is managing financial information appropriately or to find areas of non-compliance.
An audit trail can also be used to create historical reports, plan budgets, investigate crime, and manage risk.
The NYDFS refers to ‘material harm’ throughout the Cybersecurity Requirements, but it doesn’t define the term. It essentially means any time that business operations are affected, and is dependent on the extent to which the confidentiality, integrity and availability of information is harmed.
You will need a more comprehensive definition than this when designing your audit trail. We recommend seeking legal counsel, and asking for a written explanation of the term. You should include this in your documentation, so you can demonstrate to the NYDFS that your audit trails meet the standards of professional guidance.
Audit trails should be created in line with the findings of your risk assessment, which you were required to complete by March 1, 2018. However, it’s not too late to do it now, although you will need to act quickly. That probably means seeking expert help.
One way to speed up the process is to use vsRisk™. The risk assessment software tool simplifies the assessment process, providing a simple and fast way to identify relevant threats and create repeatable, consistent assessments year after year.
The NYDFS and ISO 27001
Once your risk assessment is complete, you should turn your attention to the big picture. The next set of deadlines is the last, and that means getting yourself into a position where you can maintain compliance. The NYDFS doesn’t provide much guidance on what organizations should do, but its requirements are very similar to the international standard for information security, ISO 27001. The Standard lists everything that organizations should do to stay secure, and there are plenty of resources to help individuals understand its requirements.
Training courses are probably the best option, as you can learn a great deal in limited time. Many courses also give individuals the opportunity to gain a qualification, which demonstrates that they have the appropriate knowledge.
IT Governance offers several ISO 27001 training courses, but if your focus is on audit trails, we’d recommend our ISO27001 Certified ISMS Lead Auditor Online Masterclass.
This four-and-a-half-day course was developed by ISO 27001 experts Alan Calder and Steve Watkins, and draws on their industry-leading implementation guide, IT Governance: An International Guide to Data Security and ISO27001/ISO27002. It uses a combination of formal training, practical exercises, and case studies, helping you understand:
- Best-practice audit methodology
- How to use audits to monitor conformance to the Standard, ensure consistent implementation, and assess the effectiveness of continual improvement
- The practical application of ISO 27001 audit processes