The 18-month transitional period for the NYDFS (New York Department of Financial Services) Cybersecurity Requirements ends on September 3, 2018, bringing with it five more compliance deadlines. We recently discussed the requirements concerning audit trails, but we now turn our attention to section 500.13: Limitations on Data Retention.
This requirement mandates that organizations implement policies and procedures for the secure disposal of nonpublic information once it is no longer necessary for business operations or other legitimate business purposes, except where a law or regulation requires it to be retained. Successfully complying with this requirement therefore relies on three things:
- Maintaining an inventory that records why each item of information is held, whether a business purpose or a legal requirement, and for how long
- Being able to identify and retrieve records once that reason has lapsed, while recognizing anything that must still be kept (for example, under a legal hold)
- Disposing of the information securely, in a way that can be evidenced
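The three points above map naturally onto a small retention register: each record is tied to a rule that states the purpose or legal basis for holding it and the retention period, a sweep picks out records whose period has lapsed and that are not under legal hold, and disposal is done with a dry run first so the list can be reviewed. The following is an added example written for this post, not code from NYDFS, ISO 27001 or the course described here; the rule names, retention periods, file paths and the "record-keeping rule" legal basis are all constructed for illustration and are not taken from any regulation.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    """Why a class of data is held and for how long (hypothetical schema)."""
    name: str
    purpose: str                 # business reason for holding the data
    legal_basis: Optional[str]   # law or regulation requiring retention, if any
    retention_days: int          # days after creation the data may be kept


@dataclass
class Record:
    """One stored item, tied to the rule that justifies keeping it."""
    record_id: str
    rule: RetentionRule
    created: date
    path: str                    # where the data lives on disk
    legal_hold: bool = False     # an active hold suspends disposal regardless of age

    def expires_on(self) -> date:
        return self.created + timedelta(days=self.rule.retention_days)


def due_for_disposal(records: List[Record], today: date) -> List[Record]:
    """Records past their retention period and not under legal hold."""
    return [r for r in records if not r.legal_hold and r.expires_on() <= today]


def overwrite_and_unlink(path: str) -> None:
    """Best-effort destruction of one file: overwrite with random bytes, sync, delete.

    Caveat: in-place overwriting only helps on media that rewrite the same physical
    blocks. On SSDs and on journaling or copy-on-write file systems the old contents
    may survive, so encrypting at rest and destroying the key is the dependable route.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)


def run_sweep(records: List[Record], today: date, dry_run: bool = True) -> List[str]:
    """Dispose of expired records; a dry run only reports what would be removed."""
    disposed = []
    for rec in due_for_disposal(records, today):
        if not dry_run:
            overwrite_and_unlink(rec.path)
        disposed.append(rec.record_id)
    return disposed


def build_demo() -> List[Record]:
    """Constructed sample register: the files, dates and rules are made up."""
    base = tempfile.mkdtemp(prefix="retention-demo-")
    txn = RetentionRule("transaction-logs", "fraud investigation", None, 365)
    kyc = RetentionRule("customer-identity", "onboarding",
                        "record-keeping rule (assumed)", 5 * 365)
    specs = [
        ("txn-0001", txn, date(2017, 1, 15), False),   # expired in Jan 2018
        ("txn-0002", txn, date(2018, 6, 1), False),    # still within retention
        ("txn-0003", txn, date(2016, 12, 1), True),    # expired but under legal hold
        ("kyc-0001", kyc, date(2012, 3, 1), False),    # five-year period has lapsed
    ]
    records = []
    for record_id, rule, created, hold in specs:
        path = os.path.join(base, record_id + ".dat")
        with open(path, "wb") as fh:
            fh.write(b"constructed sensitive payload for " + record_id.encode())
        records.append(Record(record_id, rule, created, path, hold))
    return records


def sweep_demo(today: date = date(2018, 9, 3)) -> Dict[str, List[str]]:
    """Run a dry run, then a real sweep, and report what happened."""
    records = build_demo()
    preview = run_sweep(records, today, dry_run=True)
    disposed = run_sweep(records, today, dry_run=False)
    remaining = sorted(r.record_id for r in records if os.path.exists(r.path))
    return {"preview": preview, "disposed": disposed, "remaining": remaining}


if __name__ == "__main__":
    for key, ids in sweep_demo().items():
        print(f"{key:>9}: {ids}")
```

Two design points matter more than the code itself. The legal-hold flag is checked before the age of the record, so a hold always wins over an expired retention period, which is the exception section 500.13 carves out. And the disposal step is deliberately the weakest part of the example: overwriting a file in place is not a reliable destruction method on modern storage, so in a real program the register would point at an encryption key per record or per data class and "dispose" would destroy that key.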
Why is this necessary?
Data breaches are a major headache for organizations, whether they are caused by criminal hackers, malicious insiders, or negligent employees. Cyber defenses can reduce the number of successful attacks, but they can't prevent them altogether. That's why it's important to look for ways to limit the damage a breach causes, and the simplest is to reduce the amount of information you hold: data you no longer store cannot be stolen, and its disposal also removes the cost of protecting it.
This principle is recognized in most cybersecurity laws and frameworks, so advice on data retention is not hard to find. A good place to start is ISO 27001, the international standard for information security management. The Standard is useful here because it doesn't only provide guidance on data retention; its control set covers most of what the NYDFS Cybersecurity Requirements ask for, so you can use ISO 27001's requirements as the basis of your NYDFS compliance project.
At the heart of ISO 27001 are its requirements for an ISMS (information security management system), which acts as the central nervous system for managing sensitive data. You will need to understand how to implement and maintain an ISMS in order to comply with ISO 27001 and, by extension, to support your compliance with the NYDFS Cybersecurity Requirements.
Our ISO 27001 Certified ISMS Lead Implementer course teaches you everything you need to know to put in place an effective ISMS. Real-world practitioners will show you how to tackle an ISMS project from start to finish, including:
- Determining the scope of your ISMS based on the requirements of ISO 27001
- Developing a management framework
- Allocating roles and responsibilities
- Carrying out an information security risk assessment
- Writing policies and producing other critical documentation
- Managing and driving continual improvement under ISO 27001
- Preparing for your ISO 27001 certification audit