NYDFS Cybersecurity Requirements: Monitoring employees

The one-year transition period for the New York State Department of Financial Services (NYDFS) Cybersecurity Requirements ended on March 1, 2018, and with it came the first set of compliance deadlines. If your organization met all those requirements in time, well done, but there’s little time to celebrate, as there are five more requirements to meet by September 3, 2018.

This blog focuses on requirement 500.14(a), which mandates that organizations implement policies, procedures, and controls to monitor employees and detect insider threats.

Are you prepared?

A 2017 study by SANS Institute found that 43% of respondents ranked malicious insiders as their biggest concern. Part of the problem is that insider incidents are so hard to anticipate – any employee with access to sensitive information could be a risk. However, there are ways to make it harder for malicious insiders:

  • Implement access controls to limit the amount of information any one employee can view
  • Log who has accessed sensitive documents and files. This gives employers evidence of misuse, and acts as a deterrent
  • Create strict password policies. If a malicious insider accesses a colleague’s account, they can avoid access controls and frame someone else for the misuse. There is a lot of different advice about creating strong passwords, but at the very least they should be unique to each account and never written down
  • Revoke employees’ access after they leave the organization. Many attacks are instigated by those who hold a grudge against their employer. This is typically because they have been fired, although they might have some other motive, and conduct the attack after quitting

Implementing each of these individually is tricky, so you might benefit from adopting ISO 27001, the international standard that describes best practices for an information security management system (ISMS). The Standard helps organizations manage all their security practices in one place, consistently and cost-effectively, and makes them easier to maintain and review.

Our ISO 27001 Cybersecurity Documentation Toolkit provides templates for all the documents you need to comply with the Standard, including policies, procedures, work instructions, and records.

The templates are aligned with the NYDFS Cybersecurity Requirements, and allow you to:

  • Become your own expert with professional guidance
  • Work from ISO 27001-compliant documentation that is accurate and aligned with the Standard
  • Embed the documentation in your organization quickly and easily
  • Demonstrate to customers and stakeholders that you are committed to the security of your information and data assets

Take a free trial of our ISO 27001 Cybersecurity Documentation Toolkit >>