GVP Partners can help you assess your Cybersecurity Program and build a sustainable approach for everyday use and reporting. Our software can help the CIO and CISO report to the Board of Directors and other interested parties on program status in real time.
NYDFS – Regulation Highlights (slide 3)
NYDFS – Regulation Requirements (slides 4-6)
NYDFS – Cybersecurity Policy Coverage Areas (slide 7)
Rapid Start Maturity Assessment Process (slide 8)
Project Deliverables (slide 9)
Assessment Services (slide 10)
Assessment Process (slide 11)
Assessment Templates (slide 12)
Assessment Profile (slide 13)
BOD Report (slide 14)
Process Improvement Planning (slides 15-16)
Process Improvement Tracking (slide 17)
Contact Information (slide 18)
Privileged & Confidential - GVP Partners2
Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York
Covers all entities supervised by the NYDFS
Applies to over 3,000 covered entities across the US
Provides exemptions (revenue of $5 million or less)
Effective March 1, 2017
Covered entities need to establish a Cybersecurity Program
Designate a Chief Information Security Officer or designee
Phase 1 – compliant by November 1, 2017 (180-day transition)
Certification by the BOD or a Company Officer by February 15, 2018
Program documents, assessments and test results must be available at the Superintendent's request.
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Due Dates
Compliance deadlines: November 1, 2017; March 1, 2018; November 1, 2018; March 1, 2019
Section 500.01 Definitions
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy
Section 500.04 Chief Information Security Officer
Section 500.04 (d) Chief Information Security Officer
Section 500.05 Penetration Testing & Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.08 Application Security
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 (a) Training and Monitoring
Section 500.14 (b) Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Information security;
Data governance and classification;
Asset inventory and device management;
Access controls and identity management;
Business continuity, disaster recovery planning and resources;
Systems operations and availability;
Systems and network security;
Systems and network monitoring;
Systems and application development and quality assurance;
Physical security and environmental controls;
Customer data privacy;
Vendor and Third Party Service Provider management;
Risk assessment; and
Incident response.
2 Week Cybersecurity
Prepare
• Define measurement framework, categories, processes and goals
• Determine survey respondents
• Communicate with stakeholders and respondents
Survey
• Collect data using TrustMAPP assessment portal
• Questions organized around maturity dimensions
Validate
• Review scores
• Validate answers
• Revise data as needed
Report
• Communicate findings with recommendations to improve program maturity
Phase owners (Prepare, Survey, Validate, Report): GVP/Client, GVP/Client, Client, Client
Provide a baseline Cybersecurity assessment and strategy roadmap.
Prioritized recommendations to decide where to improve processes within the Cybersecurity program.
Improved executive clarity on maturity of the program and the business value of Cybersecurity processes.
Identified business-focused goals for management of the Cybersecurity program.
Our Assessment Services are powered by TrustMAPP automation
Easily create and launch assessments
Leverage rich analytics and improvement planning tools
Built-in recommendations for improving process performance
Track improvements and automatically update status
Steps to take to complete a maturity assessment within 2 weeks
After the 2-week assessment, these are the project deliverables
Built-in intelligence to guide your decisions
Mitigation recommendations based on company size and process maturity level (scale of 1-5; reported in red, yellow, green)
Automated project planning capabilities
Enable meaningful business discussions about resource allocation and CapEx requirements for improvement
Compare historical reports and conduct what-if analyses
Our approach to Cybersecurity Assessment is from a maturity perspective rather than from established frameworks alone. We survey to gather data and evidence of maturity, then build a profile for discussion and for planning improvements where necessary.
A profile is prepared showing areas of strength and areas that need improvement.
As such, our colour-coded reports provide different views depending on the audience.
For example, TrustMAPP's maturity assessment dashboard is organized by top-level categories combined with individual security processes. Red, yellow and green coding indicates varying levels of maturity for a given process based on the data gathered during maturity assessment surveys.
We use any established framework or one customized for your purpose.
Our solution provides management action plans to guide discussion on where improvements are needed and how to approach them.
Once an organization assesses results, it can begin planning for improvements to organizational maturity.
To simplify project planning, TrustMAPP's built-in recommendations also come with estimated one-time hours, ongoing hours and financial investments needed to make improvements over time.