1/14/2017 1
• Speaker Introductions
• NY DFS & Regulatory Environment Background
• Covered and Exempt Entities
• Top 5 Regulatory “Surprises”
• Cybersecurity Required Elements
• Security Best / Leading Practices Mapped to Requirements
• Question and Answer
EXPERIENCE SUMMARY
• Jon co-founded eDelta Consulting, Inc. (“eDelta”) in 2000 with former Ernst and Young, LLP alumni in order to provide a wide range of Technology and Information Security services to Fortune 500 clients and medium-sized public and private companies. For more than a decade, Jon has been evaluating information systems and associated business processes in major industries, including financial services, retail and entertainment.
• Jon has assisted the internal audit departments of several Fortune 500 companies in developing and executing plans to mitigate technology and business risks. Jon has strong project management, organizational and technical skills. Jon is a frequent speaker on issues as diverse as Sarbanes-Oxley, information security, disaster recovery, business continuity planning, corporate risk assessment, and Computer Assisted Audit Techniques (CAATs). He has expert knowledge of technology challenges and their related regulatory and compliance impact on major corporations.
• Prior to eDelta, Jon was a Manager in Ernst & Young's New York ISAAS Financial Services Group. As a manager at Ernst & Young, Jon managed various external Technology and Financial Audits for a diverse set of companies, mutual funds, and broker/dealers. Jon is a Certified Public Accountant.
Jon Bosco
Partner
eDelta Consulting, Inc.
jbosco@edeltaconsulting.com
Direct: +646-205-9961
Rich Santalesa
Esq. CIPP-US
rsantalesa@smartedgelawgroup.com
rsantalesa@blegalgroup.com
Direct: +203-307-2665
EXPERIENCE SUMMARY
• Int'l Association of Privacy Professionals (IAPP) "Certified Information Privacy Professional"
• IAPP Co-Chair of CT KnowledgeNet (1/1/2014 - 1/1/2016)
• Guest Lecturer at Sacred Heart University, in Masters Degree in Cybersecurity Program
• American Bar Association, Section of Science & Tech Law, Chair of Social Networking Committee; Member InfoSec and EDDE Committees
• New York State Bar Association - Intellectual Property Law Section – Internet & Technology Law Committee
• Greater Bridgeport Bar Association - Intellectual Property & Commercial Law Committees
• Former local elected official – elected to a two-year legislative term (unpaid) as Fairfield Representative Town Member (2009-2011) responsible for ordinances, oversight and approval of $251+ million budget; appointed to Legislative & Administration Committee; former Fairfield Conservation Commissioner.
• Certified mentor for small businesses and startups via the CT branch of SCORE, a nationally recognized volunteer counseling organization affiliated with the SBA
• Admitted in New York, District of Columbia and Connecticut (achieved 2nd highest scaled Multistate Bar Exam score of 390 examinees seated for Feb. 2008 Connecticut bar exam)
• NYDFS was created in 2011 when the NYS Insurance Department and NYS Banking Department were consolidated.
• Supervises approximately 4,500 entities.
• Regulated entities include: state-chartered banks and trust companies; insurance companies; insurance producers; insurance adjusters; bail bond agents; service contracts; life settlements; budget planners; charitable foundations; check cashers; credit unions; investment companies; licensed lenders; money transmitters; mortgage bankers; mortgage brokers; mortgage loan servicers; premium finance agencies; private bankers; safe deposit companies; sales finance companies; savings banks; and savings and loans. (http://www.dfs.ny.gov/about/whowesupervise.htm)
• Headed by the Superintendent of Financial Services. First, Ben Lawsky, now Maria Vullo.
• In 2013 the NYDFS began surveying banking organizations and then insurance companies.
• Issued reports in 2014 and 2015 on cybersecurity in the insurance and banking industries:
◦ Report on Cyber Security in the Banking Sector - May 2014
◦ Report on Cyber Security in the Insurance Sector - February 2015
◦ Update on Cyber Security in the Banking Sector: Third Party Service Providers - April 2015
• Letter sent from NYDFS on Nov 9, 2015 by the then Acting Superintendent to 18 members of the Financial and Banking Information Infrastructure Committee heralding the intent to issue cybersecurity requirements
• Proposed Regs announced: September 13, 2016
◦ “Cybersecurity Requirements For Financial Services Companies” (Part 500 of Title 23 of the Official Compilation of Codes, Rules, and Regulations of the State of New York)
• Published in State Register: September 28, 2016
• Public comment period ended on Nov. 14, 2016
• Little to nothing on NYDFS website since…
• NYDFS Reg Materials Released
◦ Proposed 23 NYCRR 500 (PDF)
◦ Notice of Proposed Rulemaking (PDF)
◦ Summary of the Rules (PDF)
◦ Regulatory Impact Statement - SAPA (PDF)
◦ Executive Order No. 17 (PDF)
• “Covered Entities” - as defined by the Regs, means “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [NY] banking law, the [NY] insurance law or the [NY] financial services law.”
◦ NYDFS regulated institutions can be found at http://www.dfs.ny.gov/about/whowesupervise.htm
• CEs include individuals, partnerships, and corporations operating in the banking, insurance and other financial services industries within New York and regulated by the DFS. Includes state-chartered commercial banks and state-licensed branches and agencies of foreign banks.
• Regs do not apply to local governments.
• Limited exemption to Regs
1/14/2017 IAPP KnowledgeNet 7
• Sec. 500.18(a) includes a limited exemption to the Regs for otherwise Covered Entities. If a CE has:
◦ Fewer than 1,000 customers in each of the last 3 years, AND
◦ Less than $5M in gross annual revenue in each of the last 3 fiscal years, AND
◦ Less than $10M in year-end total assets per GAAP (including any affiliates for purposes of the total asset calculation)…
• THEN such entities are exempt from the Regs' requirements involving maintenance of specific cybersecurity personnel, app development, multi-factor authentication, training, encryption, audits and audit trails, and conducting vulnerability tests.
• Everything else still applies!
• What about GLBA? Or other federal agency “guidance” and recommendations such as FFIEC and SEC recommendations?
• Are the NYDFS Regs pre-empted for federally regulated entities?
• NO!
• The Regs expressly note they “duplicate” “to a very limited extent” GLBA Sec. 421 requirements, but that state regs providing greater protections are expressly authorized under GLBA Sec. 6807(b).
• Programs - A comprehensive Cybersecurity Program covering 8 core functions
• Policies - A written Cybersecurity Policy, Third Party Infosec Policy, and Incident Response Plan, each of which must address specific required items
• Personnel - Training, monitoring, appointment of a “qualified individual” as CISO, and “sufficient” cybersecurity personnel (outside third parties can handle these functions)
• Technology - Infosec technology and practices, including:
◦ MFA, encryption (at rest and in transit), data retention limits, 6 years of audit trail records, mandated training for all employees and specific cybersecurity training, and testing/risk assessment (including quarterly vulnerability assessments + annual penetration testing).
• Third Party Vendor Requirements – Annual assessment of vendors’ cybersecurity practices and mandated contractual terms “to the extent applicable”, including: use of MFA, encryption, “prompt” notice of “any” Cybersecurity Event, ID protection services for customers, a representation that any service or product is free of viruses, etc., and the right to perform “cybersecurity audits”.
• Reporting & Certification that includes:
◦ CISO written report to board of directors at least twice a year (which DFS can request!); reporting to NYDFS of certain “Cybersecurity Events” within 72 hours of discovery; annual certification by BoD or “Senior Officer(s)” of compliance with Regs to NYDFS by Jan 15th of each year (with maintenance for 5 years of “records, schedules and data” supporting the certification).
• Short 72 hour notifications to NYDFS, and DFS can request all CISO reports
• Expansive definition of “Nonpublic Information” that goes well beyond traditional PHI or PII definitions
• Encryption everywhere of NPI – at rest and in transit
• 6 year retention of massive audit trail records, including
◦ Data sufficient to allow for “complete and accurate reconstruction of all financial transactions and accounting necessary… to detect and respond to a cybersecurity event”
◦ Detailed logging of all system events, sysadmin functions performed and all privileged access to critical systems
• Third Party Vendor Requirements – Risk assessments, annual assessment of TPV cybersecurity practices, contractual requirements, including ID protection services and cybersecurity audit rights over vendors with NPI or systems
Cybersecurity Program to ensure “confidentiality, integrity and availability” of Information Systems, which must address:
• Minimum of 6 Core Functions – identify cyber risks, defensive infrastructure, Cybersecurity Event detection, response and mitigation, recovery and regulatory reporting
• Annual penetration testing and quarterly vulnerability testing
• Detailed audit trail logging and data retention
• Appropriate access privilege settings and access limitations
• Risk-based policies, procedures and controls to monitor unauthorized access
• Encryption of all Nonpublic Information – at rest and in transit
• Data retention limits and timely destruction of NPI no longer necessary
• Regular cybersecurity awareness training for all employees
• Secure application development – both internal & external
• Written Incident Response Plan
• Must be reviewed and approved by CISO annually
• Cybersecurity Policy detailing policies and procedures for protection of NPI and Information Systems.
◦ Must at minimum address 14 areas, which are broad and open-ended (e.g., “capacity and performance planning”, “customer data privacy”, “risk assessment”, “data governance and classification”, etc.)
◦ May require existing Cybersecurity Policies to be reviewed and expanded given the broad definition of NPI
◦ Must be updated “as frequently as necessary” but at least annually
• Third Party Information Security Policy to ensure security of NPI and Information Systems “accessible to or held by” third parties.
◦ Identifying these parties and performing risk assessments
◦ Specifying minimum cybersecurity practices such third parties must meet
◦ Detailing due diligence processes to determine third party cybersecurity adequacy
◦ Annual assessment of third parties’ cybersecurity practices. What is enough?
◦ Contractual requirements, as we’ll see further.
• Chief Information Security Officer – Must be designated, must be “qualified”, and is responsible for oversight, implementation and enforcement of the Cybersecurity Program and Policy.
◦ Can be met through third party service providers (“outsourced CISO”)
◦ Short 72 hour notifications to NYDFS, and DFS can request all CISO reports
• New IT security personnel requirements
◦ Must “employ cybersecurity personnel sufficient to manage” cybersecurity risks and perform core cybersecurity functions
◦ Regular “cybersecurity update and training sessions” for all cybersecurity personnel (and annual cybersecurity training for everyone else)
◦ Require “key” cybersecurity personnel to “stay abreast of” cybersecurity threats and countermeasures
◦ Covered Entities can use a “qualified third party” to assist with these personnel requirements
• Separate written Third Party Information Security Policy
• Periodic (at least annual) assessment of third party cybersecurity practices. Is a questionnaire sufficient?
• Written minimum cybersecurity practices third parties must meet “in order for them to do business” with the Covered Entity. Typically a contract Exhibit add-on
• And contractual provisions for third party contracts requiring the vendor “to the extent applicable” to agree to:
◦ Multi-Factor Authentication
◦ Encryption in transit and at rest
◦ Prompt notice for any Cybersecurity Event (even one not involving Covered Entity NPI) affecting the third party vendor
◦ Offer identity protection services (for an unspecified length of time) to any Covered Entity customers “materially impacted” by a Cybersecurity Event due to the third party’s “negligence or willful misconduct”
◦ Reps and Warranties of no viruses, trap doors, time bombs “and other mechanisms that would impact the security” of the CE’s Information Systems or NPI
◦ AND THE BIG ONE – “right of Covered Entity or its agents to perform cybersecurity audits” of the third party
• Biannual CISO report to board, which DFS can request:
◦ Must assess security status, detail exceptions to cybersecurity policies/procedures, identify cyber risk to the CE, assess “effectiveness” of the cybersecurity program, list remediation steps for any identified items, and summarize “all material Cybersecurity Events” that affected the CE during the time period of the report.
• Annual Certification to DFS by Jan 15 of each year using the form specified by the Regs
◦ Certification that the Board or a Senior Officer has reviewed “documents, reports, certifications and opinions” as necessary, that “to best of knowledge” the CE complies with the Regs, and that documents any areas requiring “material improvement, updating or redesign” and any “remedial efforts planned and underway” as to such areas.
• Must notify the DFS Superintendent within 72 hours of discovery of (1) all Cybersecurity Events with a “reasonable likelihood of materially affecting the normal operation of the CE or that affects NPI” and (2) any identified “material risk of imminent harm” relating to the CE’s cybersecurity program.
• Risk Assessment (Section 500.09)
• Multi-Factor Authentication vs. Risk-Based Authentication (Section 500.12)
• Access Privileges (Section 500.07)
• Penetration Testing vs Vulnerability Assessments (Section 500.05)
• Application Security (Section 500.08)
• Third-Party Information Security (Section 500.11)
• Audit Trail & Data Retention (Section 500.06)
• Training & Monitoring (Section 500.14)
• Encryption (Section 500.15)
• Incident (Breach) Response (Section 500.16)
Best Practices
• Industry Best Practice Frameworks:
◦ FFIEC Cybersecurity Assessment Tool (https://www.ffiec.gov/cyberassessmenttool.htm)
◦ National Institute of Standards and Technology (NIST) CyberSecurity Self-Assessment Tool (https://www.nist.gov/sites/default/files/documents/2016/09/15/baldrige-cybersecurity-excellence-builder-draft-09.2016.pdf)
◦ US-CERT Cyber Resilience Review (https://www.us-cert.gov/ccubedvp/assessments)
“Annually”, “conduct a risk assessment”, “in accordance with written policies and procedures”, that are “documented” and that “includes” a “criteria for the evaluation and a categorization of identified risks” considering “confidentiality, integrity, and availability” of “systems” and the related “adequacy of existing controls”
Best Practices
“Key” features and/or controls that need to be embedded within “Identity Management” solutions and/or the internal control environment:
• Account Request Management - Ability to request, establish, modify, and/or terminate access.
• Role-Based Access - Ability to manage groups, roles, permissions, and/or resources based on function/responsibility.
• User Provisioning - Ability to periodically retrieve and recertify access based on organizational hierarchies and ownership.
“Limit access”, “to nonpublic information”, “to those individuals that require such access”, “to perform their responsibilities” and “periodically review such access”
Best Practices
• Multi-Factor Authentication
◦ Knowledge Factors
◦ Possession Factors
◦ Inherence Factors
• Risk-Based Authentication requiring additional verification
◦ Device Security
◦ Concurrent Login
◦ Stale Account Login
◦ Failed Login Attempts Exceed Thresholds
◦ Behavioral Profiling
“Multi-Factor Authentication” requires “two of the following types of factors”: 1) “Knowledge factors, such as a password”, 2) “Possession factors, such as a token or text message on a mobile phone” and/or 3) “Inherence factors, such as a biometric characteristic”.
“Risk-Based Authentication” is “authentication that detects anomalies or changes in the normal use patterns of a person” and “requires additional verification of the person’s identity”.
• “Multi-Factor Authentication” required “for any individual accessing the Covered Entity’s internal systems or data from an external network”.
• “Multi-Factor Authentication” required for “privileged access” to database servers that allow access to Nonpublic Information.
• “Risk-Based Authentication” required “in order to access web applications that capture, display or interface with Nonpublic Information”.
• “Multi-Factor Authentication” required “for any individual accessing web applications that capture, display or interface with Nonpublic Information”.
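As an added example (not from the slides or from the regulation text), the following Python sketches how the two requirements above combine at login time: MFA is mandatory for the access paths the slides list, and each of the five risk-based-authentication triggers produces a named reason that forces additional verification. The thresholds (90 stale days, 5 failures), the target names and the sample user profile are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Policy thresholds: assumed values for this example, not taken from 23 NYCRR 500
STALE_ACCOUNT_DAYS = 90
FAILED_LOGIN_THRESHOLD = 5
# Access targets for which the slides say MFA is required even on an internal network
MFA_TARGETS = {"web_app_npi", "db_privileged"}


@dataclass
class UserProfile:
    """What the system knows about a user's normal use pattern (constructed fields)."""
    user_id: str
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_hours: range = field(default_factory=lambda: range(8, 19))  # UTC hours normally seen
    last_login: Optional[datetime] = None
    recent_failures: int = 0  # consecutive failed attempts preceding this one
    active_sessions: List[Tuple[str, str]] = field(default_factory=list)  # (device_id, country)


@dataclass
class LoginAttempt:
    user_id: str
    device_id: str
    country: str
    at: datetime
    from_external_network: bool
    target: str  # e.g. "internal", "web_app_npi", "db_privileged"


def mfa_required(attempt: LoginAttempt) -> bool:
    """MFA is mandatory from an external network, for privileged DB access and for NPI web apps."""
    return attempt.from_external_network or attempt.target in MFA_TARGETS


def anomaly_reasons(profile: UserProfile, attempt: LoginAttempt) -> List[str]:
    """Evaluate the five risk-based-authentication triggers; each hit becomes a named reason."""
    reasons: List[str] = []
    # Device security: a device never seen for this user
    if attempt.device_id not in profile.known_devices:
        reasons.append("device_security: unrecognised device")
    # Concurrent login: a live session already exists on a different device
    if any(dev != attempt.device_id for dev, _ in profile.active_sessions):
        reasons.append("concurrent_login: another session is already active")
    # Stale account: no successful login within the policy window
    if profile.last_login is None or attempt.at - profile.last_login > timedelta(days=STALE_ACCOUNT_DAYS):
        reasons.append(f"stale_account: no successful login in {STALE_ACCOUNT_DAYS} days")
    # Failed login attempts exceed threshold
    if profile.recent_failures >= FAILED_LOGIN_THRESHOLD:
        reasons.append(f"failed_logins: {profile.recent_failures} failures reach threshold {FAILED_LOGIN_THRESHOLD}")
    # Behavioral profiling: time of day or country outside the normal pattern
    if attempt.at.hour not in profile.usual_hours or attempt.country not in profile.usual_countries:
        reasons.append("behavioral_profile: login time or location outside normal pattern")
    return reasons


def authentication_decision(profile: UserProfile, attempt: LoginAttempt) -> Dict[str, object]:
    """Combine the static MFA rule with risk-based step-up on any detected anomaly."""
    reasons = anomaly_reasons(profile, attempt)
    return {
        "mfa_required": mfa_required(attempt),
        "step_up_required": bool(reasons),  # additional verification of identity
        "reasons": reasons,
    }


# Constructed sample data so the module runs offline and deterministically
NOW = datetime(2017, 1, 14, 10, 0, tzinfo=timezone.utc)
ALICE = UserProfile(
    user_id="alice",
    known_devices={"laptop-01"},
    usual_countries={"US"},
    last_login=NOW - timedelta(days=10),
)
NORMAL_ATTEMPT = LoginAttempt("alice", "laptop-01", "US", NOW, False, "internal")
RISKY_ATTEMPT = LoginAttempt("alice", "phone-77", "DE", NOW.replace(hour=3), True, "web_app_npi")

if __name__ == "__main__":
    for name, attempt in (("normal", NORMAL_ATTEMPT), ("risky", RISKY_ATTEMPT)):
        print(name, authentication_decision(ALICE, attempt))
```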
“Vulnerability assessment of”, “Information Systems at least quarterly”.
“Penetration testing” of “Information Systems at least annually”.
Differences between a Vulnerability Scan and a Penetration Test
Purpose
◦ Vulnerability Scan: Identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.
◦ Penetration Test: Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components.
When
◦ Vulnerability Scan: At least quarterly or after significant changes.
◦ Penetration Test: At least annually and upon significant changes.
How
◦ Vulnerability Scan: Typically a variety of automated tools combined with manual verification of identified issues.
◦ Penetration Test: A manual process that may include the use of vulnerability scanning or other automated tools.
Reports
◦ Vulnerability Scan: Potential risks posed by known vulnerabilities, ranked in accordance with NVD/CVSS base scores associated with each vulnerability.
◦ Penetration Test: Description of each vulnerability verified and/or potential issue discovered. More specific risks that the vulnerability may pose, including specific methods of how and to what extent it may be exploited. Examples of vulnerabilities include but are not limited to SQL injection, privilege escalation, cross-site scripting, or deprecated protocols.
Duration
◦ Vulnerability Scan: Relatively short amount of time, typically several seconds to several minutes per scanned host.
◦ Penetration Test: Engagements may last days or weeks depending on the scope of the test and size of the environment to be tested. Tests may grow in time and complexity if efforts uncover additional scope.
• Industry Best Practice Frameworks:
◦ Open Web Application Security Project (OWASP)
◦ Web Application Security Consortium (WASC)
◦ Others: The Federal Financial Institutions Examination Council (FFIEC), and the National Institute of Standards and Technology (NIST).
• Industry Principles:
◦ Configuration Management
◦ Secure Transmission
◦ Authentication & Authorization
◦ Session Management
◦ Data Validation
◦ Output Encoding and Escaping
◦ Cryptography
◦ Error Handling
◦ Risk Functionality
“Written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications” and “assessing and testing the security of all externally developed applications”.
• Privileged Account Best Practices
◦ Create and enforce policies that forbid the use of single, “all powerful” accounts.
◦ Privileged Account Password Tools (one-time password generation/expiration)
◦ Leveraging privileged account monitoring & logging tools (e.g., Sudo, User Session Monitoring & Recording Solutions, Virtual/Physical Jump Stations)
• Audit Logging Best Practices
◦ Log events should be defined so that humans can read and understand them
◦ Events need to be timestamped
◦ Unique Identifiers (IDs) should be defined for each auditable activity
◦ Log in a text format (not binary)
◦ Identify the source of the event
◦ Limit the ability to access logs and restrict the ability to modify logs (WORM drives, etc.)
“Cybersecurity program” that includes the ability to “track and maintain data” “for the complete and accurate reconstruction of all transactions and accounting”, the “logging of all privileged user access to critical systems”, that “protects the integrity” of any “audit trail” or “hardware” “from alteration or tampering”, and that is maintained “for not fewer than six years”.
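As an added example, not from the slides, a tamper-evident audit trail that follows the logging practices listed above (timestamped, uniquely identified, text-format, source-identifying records, with privileged access flagged) and makes alteration or deletion detectable by hash-chaining each record to its predecessor. Hostnames, users and actions in the sample trail are constructed.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor in front of the first record


def record_hash(record: dict) -> str:
    """SHA-256 over the canonical JSON of every field except "hash" itself.
    "prev" is part of the hashed body, so each record commits to the whole chain before it."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only, text-format (JSON lines) audit log with a SHA-256 hash chain."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self.last_hash = GENESIS_HASH

    def append(self, source: str, actor: str, action: str, target: str,
               privileged: bool = False, ts: Optional[datetime] = None,
               event_id: Optional[str] = None) -> dict:
        record = {
            "event_id": event_id or str(uuid.uuid4()),             # unique ID per auditable activity
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),  # timestamp (UTC)
            "source": source,          # host or application that produced the event
            "actor": actor,            # who performed the action
            "action": action,          # human-readable action name
            "target": target,          # what the action touched
            "privileged": privileged,  # flags privileged access to critical systems
            "prev": self.last_hash,    # link to the previous record
        }
        record["hash"] = record_hash(record)
        self.lines.append(json.dumps(record, sort_keys=True))  # one readable JSON object per line
        self.last_hash = record["hash"]
        return record


def verify_trail(lines: List[str]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of the first bad line).
    A modified field breaks that record's hash; a removed record breaks the next record's "prev"."""
    expected_prev = GENESIS_HASH
    for i, line in enumerate(lines):
        try:
            record = json.loads(line)
        except ValueError:
            return False, i
        if record.get("prev") != expected_prev or record.get("hash") != record_hash(record):
            return False, i
        expected_prev = record["hash"]
    return True, -1


def build_sample_trail() -> AuditTrail:
    """Constructed sample events (not real data); fixed timestamps and IDs keep runs deterministic."""
    t0 = datetime(2017, 1, 14, 9, 0, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.append("core-banking-01", "jsmith", "login", "core-banking",
                 ts=t0, event_id="evt-0001")
    trail.append("db-npi-02", "dba_admin", "grant_role", "customers.npi_reader",
                 privileged=True, ts=t0.replace(minute=5), event_id="evt-0002")
    trail.append("core-banking-01", "jsmith", "wire_transfer", "acct-000123",
                 ts=t0.replace(minute=12), event_id="evt-0003")
    return trail


def tampered_copy(lines: List[str], index: int, field: str, new_value) -> List[str]:
    """Simulate an after-the-fact edit of one record (the alteration the chain must expose)."""
    altered = list(lines)
    record = json.loads(altered[index])
    record[field] = new_value
    altered[index] = json.dumps(record, sort_keys=True)
    return altered


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail.lines))
    print("edited:", verify_trail(tampered_copy(trail.lines, 1, "actor", "nobody")))
    print("deleted:", verify_trail(trail.lines[:1] + trail.lines[2:]))
```

The chain only proves internal consistency; an editor who rewrites every later hash as well is caught only if the latest hash is also stored somewhere the editor cannot change (the WORM storage the slide mentions, or a periodic copy to a separate log server).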
• Best Practices
◦ In-Transit vs At Rest
◦ Symmetric vs Asymmetric
◦ Advanced Encryption Standard (AES)
◦ Questions Impacting Encryption Decisions
“Encrypt all nonpublic information” “in transit” within “one year from the date this regulation becomes effective” or “five years” for nonpublic information “at rest”, with adequate “compensating” controls between the regulation effective date and the end of the transition period.
• Policy
◦ Team
◦ Response Plan/Strategy
◦ Communication
◦ Documentation
◦ Training
◦ Testing
• Identification
• Containment
• Eradication
• Lessons Learned
“Establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event”
Richard Santalesa, Esq, CIPP-US
Sm@rtEdgeLaw Group & Bortstein Legal Group
Phone: (203) 307-2665
rsantalesa@smartedgelawgroup.com
rsantalesa@blegalgroup.com
www.SmartEdgeLawGroup.com
www.blegalgroup.com
www.linkedin.com/in/rsantalesa
Jon Bosco
Partner
eDelta Consulting
Phone: (646)-205-9960
jBosco@edeltaconsulting.com
LinkedIn: https://www.linkedin.com/in/jon-bosco-

 
Ethics Management Presentation
Ethics Management PresentationEthics Management Presentation
Ethics Management Presentation
 
Ethics in management
Ethics in managementEthics in management
Ethics in management
 
Managerial ethics slide by Junesh Acharya
Managerial ethics slide by Junesh AcharyaManagerial ethics slide by Junesh Acharya
Managerial ethics slide by Junesh Acharya
 
Operation Risk Management in Banking Sector
Operation Risk Management in Banking SectorOperation Risk Management in Banking Sector
Operation Risk Management in Banking Sector
 
Operational Risk Management
Operational Risk ManagementOperational Risk Management
Operational Risk Management
 
Business ethics
Business ethicsBusiness ethics
Business ethics
 
MITIGATING OPERATIONAL RISK: RISK TRANSFER SOLUTIONS
MITIGATING OPERATIONAL RISK: RISK TRANSFER SOLUTIONSMITIGATING OPERATIONAL RISK: RISK TRANSFER SOLUTIONS
MITIGATING OPERATIONAL RISK: RISK TRANSFER SOLUTIONS
 

Similar to NYS DFS CyberSecurity Regulations

CBIZ Banking & Financial Services Hot Topics - January 2018
CBIZ Banking & Financial Services Hot Topics - January 2018CBIZ Banking & Financial Services Hot Topics - January 2018
CBIZ Banking & Financial Services Hot Topics - January 2018
CBIZ, Inc.
 
Trends 121415 Citizens Bank
Trends 121415 Citizens BankTrends 121415 Citizens Bank
Trends 121415 Citizens BankMichael Ouellet
 
What Financial Institution Cyber Regs Tell the Infrastructure Sector
What Financial Institution Cyber Regs Tell the Infrastructure SectorWhat Financial Institution Cyber Regs Tell the Infrastructure Sector
What Financial Institution Cyber Regs Tell the Infrastructure Sector
CBIZ, Inc.
 
New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...
NationalUnderwriter
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Financial Poise
 
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021A Look At Evolving Cybersecurity Policy for Financial Institutions 2021
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021
Dawn Yankeelov
 
IS4799 Final Project (1)
IS4799 Final Project (1)IS4799 Final Project (1)
IS4799 Final Project (1)Mark Milburn
 
Viscount Systems (OTCQB:VSYS) Presentation
Viscount Systems (OTCQB:VSYS) PresentationViscount Systems (OTCQB:VSYS) Presentation
Viscount Systems (OTCQB:VSYS) Presentation
Investorideas.com
 
Relevancy of information memorandums and data rooms
Relevancy of information memorandums and data roomsRelevancy of information memorandums and data rooms
Relevancy of information memorandums and data rooms
RiyaManuja1
 
Aggregation Platforms-White Paper
Aggregation Platforms-White PaperAggregation Platforms-White Paper
Aggregation Platforms-White Paper
Envestnet Yodlee India
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Chris Hails
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
Ken M. Shaurette
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
Ulf Mattsson
 
Mulin Holstein PKI-strategy
Mulin Holstein PKI-strategyMulin Holstein PKI-strategy
Mulin Holstein PKI-strategyfEngel
 
Data protection for Lend.io - legal analysis by Bird and Bird
Data protection for Lend.io - legal analysis by Bird and BirdData protection for Lend.io - legal analysis by Bird and Bird
Data protection for Lend.io - legal analysis by Bird and Bird
Coadec
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf
SoniaCristina49
 

Similar to NYS DFS CyberSecurity Regulations (20)

CBIZ Banking & Financial Services Hot Topics - January 2018
CBIZ Banking & Financial Services Hot Topics - January 2018CBIZ Banking & Financial Services Hot Topics - January 2018
CBIZ Banking & Financial Services Hot Topics - January 2018
 
Trends 121415 Citizens Bank
Trends 121415 Citizens BankTrends 121415 Citizens Bank
Trends 121415 Citizens Bank
 
201 CMR 17.00
201 CMR 17.00201 CMR 17.00
201 CMR 17.00
 
What Financial Institution Cyber Regs Tell the Infrastructure Sector
What Financial Institution Cyber Regs Tell the Infrastructure SectorWhat Financial Institution Cyber Regs Tell the Infrastructure Sector
What Financial Institution Cyber Regs Tell the Infrastructure Sector
 
New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
 
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021A Look At Evolving Cybersecurity Policy for Financial Institutions 2021
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021
 
IS4799 Final Project (1)
IS4799 Final Project (1)IS4799 Final Project (1)
IS4799 Final Project (1)
 
Viscount Systems (OTCQB:VSYS) Presentation
Viscount Systems (OTCQB:VSYS) PresentationViscount Systems (OTCQB:VSYS) Presentation
Viscount Systems (OTCQB:VSYS) Presentation
 
Relevancy of information memorandums and data rooms
Relevancy of information memorandums and data roomsRelevancy of information memorandums and data rooms
Relevancy of information memorandums and data rooms
 
Aggregation Platforms-White Paper
Aggregation Platforms-White PaperAggregation Platforms-White Paper
Aggregation Platforms-White Paper
 
Final Project
Final ProjectFinal Project
Final Project
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
Mulin Holstein PKI-strategy
Mulin Holstein PKI-strategyMulin Holstein PKI-strategy
Mulin Holstein PKI-strategy
 
Data protection for Lend.io - legal analysis by Bird and Bird
Data protection for Lend.io - legal analysis by Bird and BirdData protection for Lend.io - legal analysis by Bird and Bird
Data protection for Lend.io - legal analysis by Bird and Bird
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf
 
Dss investor presentation
Dss investor presentationDss investor presentation
Dss investor presentation
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 

NYS DFS CyberSecurity Regulations

  • 2. Agenda
   Speaker Introductions
   NY DFS & Regulatory Environment Background
   Covered and Exempt Entities
   Top 5 Regulatory “Surprises”
   Cybersecurity Required Elements
   Security Best / Leading Practices Mapped to Requirements
   Question and Answer
  1/14/2017 2
  • 3. EXPERIENCE SUMMARY
   Jon co-founded eDelta Consulting, Inc. (“eDelta”) in 2000 with former Ernst and Young, LLP alumni in order to provide a wide range of Technology and Information Security services to Fortune 500 clients and medium-sized public and private companies. For more than a decade, Jon has been evaluating information systems and associated business processes in major industries, including financial services, retail and entertainment.
   Jon has assisted the internal audit departments of several Fortune 500 companies in developing and executing plans to mitigate technology and business risks. Jon has strong project management, organizational and technical skills. Jon is a frequent speaker on issues as diverse as Sarbanes-Oxley, information security, disaster recovery, business continuity planning, corporate risk assessment, and Computer Assisted Audit Techniques (CAATs). He has expert knowledge of technology challenges and their related regulatory and compliance impact on major corporations.
   Prior to eDelta, Jon was a Manager in Ernst & Young's New York ISAAS Financial Services Group. As a manager at Ernst & Young, Jon managed various external Technology and Financial Audits for a diverse set of companies, mutual funds, and broker/dealers. Jon is a Certified Public Accountant.
  Jon Bosco, Partner, eDelta Consulting, Inc. | jbosco@edeltaconsulting.com | Direct: +646-205-9961
  Rich Santelesa, Esq., CIPP-US | rsantalesa@smartedgelawgroup.com | rsantalesa@blegalgroup.com | Direct: +203-307-2665
  EXPERIENCE SUMMARY
   Int'l Association of Privacy Professionals (IAPP) "Certified Information Privacy Professional"
   IAPP Co-Chair of CT KnowledgeNet (1/1/2014 - 1/1/2016)
   Guest Lecturer at Sacred Heart University, in Masters Degree in Cybersecurity Program
   American Bar Association, Section of Science & Tech Law, Chair of Social Networking Committee; Member InfoSec and EDDE Committees
   New York State Bar Association - Intellectual Property Law Section – Internet & Technology Law Committee
   Greater Bridgeport Bar Association - Intellectual Property & Commercial Law Committees
   Former local elected official – elected to two-year legislative term (unpaid) as Fairfield Representative Town Member (2009-2011) responsible for ordinances, oversight and approval of $251+ million budget; appointed to Legislative & Administration Committee; Former Fairfield Conservation Commissioner.
   Certified mentor for small businesses and startups via the CT branch of SCORE, a nationally recognized volunteer counseling organization affiliated with the SBA
   Admitted in New York, District of Columbia and Connecticut (achieved 2nd highest scaled Multistate Bar Exam score of 390 examinees seated for Feb. 2008 Connecticut bar exam)
  • 4. NY DFS Background
   Created in 2011 when the NYS Insurance Department and NYS Banking Department were consolidated.
   Supervises approximately 4,500 entities.
   Regulated entities include: state-chartered banks and trust companies; insurance companies; insurance producers; insurance adjusters; bail bond agents; service contracts; life settlements; budget planners; charitable foundations; check cashers; credit unions; investment companies; licensed lenders; money transmitters; mortgage bankers; mortgage brokers; mortgage loan servicers; premium finance agencies; private bankers; safe deposit companies; sales finance companies; savings banks; and savings and loans. (http://www.dfs.ny.gov/about/whowesupervise.htm)
   Headed by the Superintendent of Financial Services: first Ben Lawsky, now Maria Vullo.
  • 5. Road to the Regulation
   In 2013 the NYDFS began surveying banking organizations and then insurance companies.
   Issued reports in 2014 and 2015 on cybersecurity in the insurance and banking industries:
    ◦ Report on Cyber Security in the Banking Sector - May 2014
    ◦ Report on Cyber Security in the Insurance Sector - February 2015
    ◦ Update on Cyber Security in the Banking Sector: Third Party Service Providers - April 2015
   Letter sent from NYDFS on Nov 9, 2015 by the then Acting Superintendent to 18 members of the Financial and Banking Information Infrastructure Committee heralding intent to issue cybersecurity requirements
  • 6. Proposed Regulation Timeline
   Proposed Regs announced: September 13, 2016
    ◦ “Cybersecurity Requirements For Financial Services Companies” (Part 500 of Title 23 of the Official Compilation of Codes, Rules, and Regulations of the State of New York)
   Published in State Register: September 28, 2016
   Public comment period ended on Nov. 14, 2016
   Little to nothing on NYDFS website since…
   NYDFS Reg Materials Released:
    ◦ Proposed 23 NYCRR 500 (PDF)
    ◦ Notice of Proposed Rulemaking (PDF)
    ◦ Summary of the Rules (PDF)
    ◦ Regulatory Impact Statement - SAPA (PDF)
    ◦ Executive Order No. 17 (PDF)
  • 7. Covered Entities
   “Covered Entities” as defined by the Regs means “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [NY] banking law, the [NY] insurance law or the [NY] financial services law.”
    ◦ NYDFS regulated institutions can be found at http://www.dfs.ny.gov/about/whowesupervise.htm
   CEs include individuals, partnerships, and corporations operating in the banking, insurance and other financial services industries within New York and regulated by the DFS. Includes state-chartered commercial banks and state-licensed branches and agencies of foreign banks.
   Regs do not apply to local governments.
   Limited exemption to Regs under Sec. 500.18(a) (next slide)
  1/14/2017 IAPP KnowledgeNet 7
  • 8. Limited Exemption
   Sec. 500.18(a) includes a limited exemption to the Regs for otherwise Covered Entities. If a CE has:
    ◦ Fewer than 1,000 customers in each of the last 3 years, AND
    ◦ Less than $5M in gross annual revenue in each of the last 3 fiscal years, AND
    ◦ Less than $10M in year-end total assets per GAAP (including any affiliates for purposes of the total asset calculation)…
   THEN such entities are exempt from the Regs' requirements involving maintenance of specific cybersecurity personnel, app development, multi-factor authentication, training, encryption, audits and audit trails, and conducting vulnerability tests. All three thresholds must be met; exceeding any one of them in any of the three years removes the exemption.
   Everything else still applies!
  • 9. Federal Pre-emption?
   What about GLBA? Or other federal agency “guidance” and recommendations, such as FFIEC and SEC recommendations?
   Are the NYDFS Regs pre-empted for federally regulated entities?
   NO!
   The Regs expressly note they “duplicate” “to a very limited extent” GLBA Sec. 421 requirements, but that state regs providing greater protections are expressly authorized under 15 U.S.C. § 6807(b) (GLBA Sec. 507, “Relation to State laws”).
  • 10. Required Elements Overview
   Programs - A comprehensive Cybersecurity Program covering the 6 core functions (listed on slide 12)
   Policies - A written Cybersecurity Policy, Third Party Infosec Policy, and Incident Response Plan, each of which must address specific required items
   Personnel - Training, monitoring, appointment of a “qualified individual” as CISO, and “sufficient” cybersecurity personnel (outside third parties can handle these functions)
   Technology - Infosec technology and practices, including:
    ◦ MFA, encryption (at rest and in transit), data retention limits, 6 years of audit trail records, mandated training for all employees and specific cybersecurity training, and testing/risk assessment (including quarterly vulnerability assessments + annual penetration testing).
   Third Party Vendor Requirements – Annual assessment of vendors’ cybersecurity practices and mandated contractual terms “to the extent applicable”, including: use of MFA, encryption, “prompt” notice of “any” Cybersecurity Event, ID protection services for customers, a rep that any service or product is free of viruses, etc., and the right to perform “cybersecurity audits”.
   Reporting & Certification that includes:
    ◦ CISO written report to board of directors at least 2x a year (which DFS can request!)
    ◦ Reporting to NYDFS of certain “Cybersecurity Events” within 72 hours of discovery
    ◦ Annual certification by BoD or “Senior Officer(s)” of compliance with Regs to NYDFS by Jan 15th of each year (with maintenance for 5 years of “records, schedules and data” supporting the certification)
  • 11. Top 5 Regulatory “Surprises”
   Short 72 Hour Notifications to NYDFS, and DFS can request all CISO reports
   Expansive definition of “Nonpublic Information” that goes well beyond traditional PHI or PII definitions
   Encryption everywhere of NPI – at rest and in transit
   6 year retention of massive audit trail records, including:
    ◦ Data sufficient to allow for “complete and accurate reconstruction of all financial transactions and accounting necessary… to detect and respond to a cybersecurity event”
    ◦ Detailed logging of all system events, sysadmin functions performed and all privileged access to critical systems
   Third Party Vendor Requirements – Risk assessments, annual assessment of TPV cybersecurity practices, and contractual requirements, including ID protection services and cybersecurity audit rights over vendors holding NPI or accessing systems
  • 12. Cybersecurity Program to ensure the “confidentiality, integrity and availability” of Information Systems, which must address:
   Minimum of 6 Core Functions – identify cyber risks, defensive infrastructure, Cybersecurity Event detection, response and mitigation, recovery, and regulatory reporting
   Annual penetration testing and quarterly vulnerability testing
   Detailed audit trail logging and data retention
   Appropriate access privilege settings and access limitations
   Risk-based policies, procedures and controls to monitor for unauthorized access
   Encryption of all Nonpublic Information – at rest and in transit
   Data retention limits and timely destruction of NPI no longer necessary
   Regular cybersecurity awareness training for all employees
   Secure application development – both internal & external
   Written Incident Response Plan
   Must be reviewed and approved by the CISO annually
• 13.
 Cybersecurity Policy detailing policies and procedures for protection of NPI and Information Systems.
 ◦ Must at minimum address 14 areas, which are broad and open-ended (e.g., capacity and performance planning, customer data privacy, risk assessment, data governance and classification, etc.)
 ◦ May require existing Cybersecurity Policies to be reviewed and expanded given the broad definition of NPI
 ◦ Must be updated “as frequently as necessary” but at least annually
 Third Party Information Security Policy to ensure security of NPI and Information Systems “accessible to or held by” third parties.
 ◦ Identifying these parties and performing risk assessments
 ◦ Specifying minimum cybersecurity practices such third parties must meet
 ◦ Detailing due diligence processes to determine third party cybersecurity adequacy
 ◦ Annual assessment of third parties’ cybersecurity practices
 What is enough?
 ◦ Contractual requirements, as we’ll see further.
• 14.
 Chief Information Security Officer – Must be designated, must be “qualified”, and is responsible for oversight, implementation and enforcement of the Cybersecurity Program and Policy.
 ◦ Can be met through third party service providers (“outsourced CISO”)
 ◦ DFS can request all CISO reports
 New IT security personnel requirements
 ◦ Must “employ cybersecurity personnel sufficient to manage” cybersecurity risks and perform core cybersecurity functions
 ◦ Regular “cybersecurity update and training sessions” for all cybersecurity personnel (and annual cybersecurity training for everyone else)
 ◦ Require “key” cybersecurity personnel to “stay abreast of” cybersecurity threats and countermeasures
 ◦ Covered Entities can use a “qualified third party” to assist with these personnel requirements
• 15.
 Separate written Third Party Information Security Policy
 Periodic (at least annual) assessment of third party cybersecurity practices. Is a questionnaire sufficient?
 Written minimum cybersecurity practices third parties must meet “in order for them to do business” with the Covered Entity. Typically a contract Exhibit add-on.
 And contractual provisions for third party contracts requiring the vendor “to the extent applicable” to agree to:
 ◦ Multi-Factor Authentication
 ◦ Encryption in transit and at rest
 ◦ Prompt notice of any Cybersecurity Event (even one not involving Covered Entity NPI) affecting the third party vendor
 ◦ Offer identity protection services (for an unspecified length of time) to any Covered Entity customers “materially impacted” by a Cybersecurity Event due to the third party’s “negligence or willful misconduct”
 ◦ Reps and Warranties of no viruses, trap doors, time bombs “and other mechanisms that would impact the security” of the CE’s Information Systems or NPI
 ◦ AND THE BIG ONE – “right of Covered Entity or its agents to perform cybersecurity audits” of the third party
• 16.
 Semiannual CISO report to the board (at least twice a year), which DFS can request:
 ◦ Must assess security status, detail exceptions to cybersecurity policies/procedures, identify cyber risk to the CE, assess the “effectiveness” of the cybersecurity program, list remediation steps for any identified items, and summarize “all material Cybersecurity Events” that affected the CE during the time period of the report.
 Annual Certification to DFS by Jan 15 of each year using the form specified by the Regs
 ◦ Certification that the Board or a Senior Officer has reviewed “documents, reports, certifications and opinions” as necessary, that “to the best of knowledge” the CE complies with the Regs, and that documents any areas requiring “material improvement, updating or redesign” and any “remedial efforts planned and underway” as to such areas.
 Must notify the DFS Superintendent within 72 hours of discovery of (1) all Cybersecurity Events with a “reasonable likelihood of materially affecting the normal operation of the CE or that affects NPI” and (2) any identified “material risk of imminent harm” relating to the CE’s cybersecurity program.
• 18.
 Risk Assessment (Section 500.09)
 Multi-Factor Authentication vs. Risk-Based Authentication (Section 500.12)
 Access Privileges (Section 500.07)
 Penetration Testing vs. Vulnerability Assessments (Section 500.05)
 Application Security (Section 500.08)
 Third-Party Information Security (Section 500.11)
 Audit Trail & Data Retention (Section 500.06)
 Training & Monitoring (Section 500.14)
 Encryption (Section 500.15)
 Incident (Breach) Response (Section 500.16)
• 19. Best Practices
 Industry Best Practice Frameworks:
 o FFIEC Cybersecurity Assessment Tool (https://www.ffiec.gov/cyberassessmenttool.htm)
 o National Institute of Standards and Technology (NIST) CyberSecurity Self-Assessment Tool (https://www.nist.gov/sites/default/files/documents/2016/09/15/baldrige-cybersecurity-excellence-builder-draft-09.2016.pdf)
 o US-CERT Cyber Resilience Review (https://www.us-cert.gov/ccubedvp/assessments)
“Annually”, “conduct a risk assessment”, “in accordance with written policies and procedures”, that are “documented” and that include “criteria for the evaluation and categorization of identified risks”, considering the “confidentiality, integrity, and availability” of “systems” and the related “adequacy of existing controls”.
• 20. Best Practices
“Key” features and/or controls that need to be embedded within “Identity Management” solutions and/or the internal control environment:
 Account Request Management - Ability to request, establish, modify, and/or terminate access.
 Role-Based Access - Ability to manage groups, roles, permissions, and/or resources based on function/responsibility.
 User Provisioning - Ability to periodically retrieve and recertify access based on organizational hierarchies and ownership.
“Limit access” “to nonpublic information” “to those individuals that require such access” “to perform their responsibilities” and “periodically review such access”.
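The recertification step on this slide is where most programs fall down, because the reviewer gets a raw entitlement dump rather than the exceptions that need a decision. The following is an added illustration, not code from the presentation or from any identity product: it joins an application's entitlement export against an HR feed and a role-to-function matrix and emits the three exception classes a periodic access review has to dispose of. The HR feed, the entitlement list, the role matrix and the 90-day staleness window are all constructed assumptions.

```python
"""Periodic access review: orphaned, excess and stale entitlements.

Added example (not from the presentation). Inputs are constructed sample data;
the ROLE_MATRIX is the least-privilege baseline each job function is allowed,
and STALE_DAYS is an assumed review window."""
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

STALE_DAYS = 90  # assumption: an entitlement unused this long needs re-justification

# Roles each job function legitimately needs (assumption, would come from the data owner)
ROLE_MATRIX: Dict[str, Set[str]] = {
    "claims_adjuster": {"claims_ro", "claims_rw"},
    "claims_supervisor": {"claims_ro", "claims_rw", "claims_approve"},
    "dba": {"db_admin"},
    "helpdesk": {"user_reset"},
}

# HR feed: employee id -> (job function, employment status). Constructed sample.
HR_FEED: Dict[str, Tuple[str, str]] = {
    "e100": ("claims_adjuster", "active"),
    "e101": ("claims_supervisor", "active"),
    "e102": ("dba", "terminated"),
    "e103": ("helpdesk", "active"),
}

# Application entitlement export: (account, employee id, role, last use). Constructed sample.
ENTITLEMENTS: List[Tuple[str, Optional[str], str, Optional[date]]] = [
    ("jdoe", "e100", "claims_rw", date(2017, 1, 10)),
    ("jdoe", "e100", "claims_approve", date(2016, 12, 1)),   # beyond an adjuster's function
    ("msmith", "e101", "claims_approve", date(2017, 1, 12)),
    ("dbadmin2", "e102", "db_admin", date(2016, 11, 30)),    # leaver who still has access
    ("svc_legacy", None, "db_admin", None),                  # no owner, never used
    ("pjones", "e103", "user_reset", date(2016, 9, 1)),      # unused for more than 90 days
]


def review(entitlements, hr, matrix, today: date, stale_days: int = STALE_DAYS):
    """Return (account, role, reason) for every entitlement a reviewer must act on."""
    findings = []
    for account, emp, role, last_use in entitlements:
        owner = hr.get(emp) if emp else None
        # No living owner: nobody can attest the need, so the default is revoke.
        if owner is None or owner[1] != "active":
            findings.append((account, role, "orphaned: no active owner -> revoke"))
            continue
        function, _ = owner
        # Entitlement outside the holder's function: least privilege says remove it.
        if role not in matrix.get(function, set()):
            findings.append((account, role,
                             "excess: not required by %s -> revoke or document justification" % function))
        # Entitlement nobody has used in the window: owner must confirm it is still needed.
        if last_use is None or (today - last_use).days > stale_days:
            findings.append((account, role,
                             "stale: unused for more than %d days -> owner to confirm need" % stale_days))
    return findings


def revocations(findings) -> Set[Tuple[str, str]]:
    """The subset of findings that should be removed without waiting for an attestation."""
    return {(acct, role) for acct, role, reason in findings
            if reason.startswith(("orphaned", "excess"))}


if __name__ == "__main__":
    for f in review(ENTITLEMENTS, HR_FEED, ROLE_MATRIX, date(2017, 1, 14)):
        print("%-12s %-16s %s" % f)
```

Run against the embedded sample as of 2017-01-14 it produces four exceptions: the adjuster holding an approval role, the terminated DBA, the ownerless service account, and the helpdesk role nobody has used since September. Only the first three are revoked outright; the stale one goes back to the owner, which is the "periodically review such access" evidence an examiner will ask for.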
• 21. Best Practices
 Multi-Factor Authentication
 o Knowledge Factors
 o Possession Factors
 o Inherence Factors
 Risk-Based Authentication requiring additional verification
 o Device Security
 o Concurrent Login
 o Stale Account Login
 o Failed Login Attempts Exceed Thresholds
 o Behavioral Profiling
“Multi-Factor Authentication” requires “two of the following types of factors”: 1) “Knowledge factors, such as a password”, 2) “Possession factors, such as a token or text message on a mobile phone”, and/or 3) “Inherence factors, such as a biometric characteristic”. “Risk-Based Authentication” is “authentication that detects anomalies or changes in the normal use patterns of a person” and “requires additional verification of the person’s identity”.
• 22.
 “Multi-Factor Authentication” required “for any individual accessing the Covered Entity’s internal systems or data from an external network”.
 “Multi-Factor Authentication” required for “privileged access” to database servers that allow access to Nonpublic Information.
 “Risk-Based Authentication” required “in order to access web applications that capture, display or interface with Nonpublic Information”.
 “Multi-Factor Authentication” required “for any individual accessing web applications that capture, display or interface with Nonpublic Information”.
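The two slides above separate the cases where a second factor is mandatory (external network access, NPI web applications) from the cases where risk-based authentication decides whether to step up. The decision logic below is an added illustration, not code from the presentation or from any identity provider: it scores the five anomaly signals listed on the previous slide, applies the mandatory-MFA rules first, and only then lets the score demand a second factor. The weights, the 90-day stale-account window, the 5-failure threshold, the step-up score of 40 and the sample profile are all assumptions.

```python
"""Risk-based authentication with step-up to MFA.

Added example (not from the presentation). Signal weights, thresholds and the
sample user profile are assumptions; the two mandatory-MFA cases follow the
regulation text quoted on the slide."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

FAILED_ATTEMPT_THRESHOLD = 5   # assumption: step up after 5 consecutive failures
STALE_ACCOUNT_DAYS = 90        # assumption: no successful login in 90 days is "stale"
STEP_UP_SCORE = 40             # assumption: cumulative score at which a 2nd factor is demanded


@dataclass
class UserProfile:
    user_id: str
    known_devices: Set[str]            # device identifiers previously enrolled/seen
    usual_hours: Set[int]              # hours (0-23) in which this user normally logs in
    last_login: Optional[datetime]     # last successful login
    active_session_ips: Set[str]       # source IPs of sessions that are still alive
    failed_attempts: int = 0           # consecutive failures since the last success


@dataclass
class LoginAttempt:
    user_id: str
    device_id: str
    source_ip: str
    at: datetime
    from_external_network: bool  # reaching internal systems from outside (500.12(a))
    touches_npi_webapp: bool     # web app that captures/displays NPI (500.12(b))
    has_second_factor: bool      # a second factor was presented on this attempt


@dataclass
class Decision:
    allow: bool
    require_mfa: bool
    score: int
    reasons: List[str] = field(default_factory=list)


def score_anomalies(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Sum the risk signals from the slide into one score with the reasons that fired."""
    signals = [
        (attempt.device_id not in profile.known_devices, 30, "unknown device"),
        (bool(profile.active_session_ips) and attempt.source_ip not in profile.active_session_ips,
         25, "concurrent login from a different address"),
        (profile.last_login is None
         or attempt.at - profile.last_login > timedelta(days=STALE_ACCOUNT_DAYS),
         20, "stale account"),
        (profile.failed_attempts >= FAILED_ATTEMPT_THRESHOLD, 40, "failed attempts over threshold"),
        (bool(profile.usual_hours) and attempt.at.hour not in profile.usual_hours,
         15, "login outside usual hours"),
    ]
    hits = [(weight, reason) for fired, weight, reason in signals if fired]
    return sum(w for w, _ in hits), [r for _, r in hits]


def decide(profile: UserProfile, attempt: LoginAttempt) -> Decision:
    score, reasons = score_anomalies(profile, attempt)
    # MFA is mandatory for these two cases no matter how normal the login looks.
    policy_mfa = attempt.from_external_network or attempt.touches_npi_webapp
    if policy_mfa:
        reasons.append("MFA required by policy (external access or NPI web app)")
    # Otherwise risk-based: enough anomalies escalate a single-factor login to MFA.
    require_mfa = policy_mfa or score >= STEP_UP_SCORE
    allow = attempt.has_second_factor or not require_mfa
    return Decision(allow, require_mfa, score, reasons)


# Constructed sample profile, not real data: one enrolled laptop, office hours,
# a live session from the corporate LAN, last login four days before the attempts below.
ALICE = UserProfile("alice", {"laptop-7f3a"}, set(range(8, 18)),
                    datetime(2017, 1, 10, 9, 0), {"10.1.1.5"})

if __name__ == "__main__":
    normal = LoginAttempt("alice", "laptop-7f3a", "10.1.1.5",
                          datetime(2017, 1, 14, 9, 30), False, False, False)
    print(decide(ALICE, normal))
    odd = LoginAttempt("alice", "phone-0000", "203.0.113.7",
                       datetime(2017, 1, 14, 2, 0), False, False, False)
    print(decide(ALICE, odd))
```

The ordering matters: the policy rules are evaluated before the score so that a clean-looking external login can never slip through on a low risk score, and a risky internal login is denied rather than silently downgraded when the second factor is absent. In production the profile fields would be fed by the IdP's device registry, session store and login history rather than constructed by hand.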
• 23.
“Vulnerability assessment of” “Information Systems at least quarterly”. “Penetration testing” of “Information Systems at least annually”.
Differences between a Vulnerability Scan and a Penetration Test:
 Purpose
 ◦ Vulnerability Scan: Identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.
 ◦ Penetration Test: Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components.
 When
 ◦ Vulnerability Scan: At least quarterly or after significant changes.
 ◦ Penetration Test: At least annually and upon significant changes.
 How
 ◦ Vulnerability Scan: Typically a variety of automated tools combined with manual verification of identified issues.
 ◦ Penetration Test: A manual process that may include the use of vulnerability scanning or other automated tools.
 Reports
 ◦ Vulnerability Scan: Potential risks posed by known vulnerabilities, ranked in accordance with the NVD/CVSS base scores associated with each vulnerability.
 ◦ Penetration Test: Description of each vulnerability verified and/or potential issue discovered; more specific risks that the vulnerability may pose, including specific methods for how and to what extent it may be exploited. Examples of vulnerabilities include but are not limited to SQL injection, privilege escalation, cross-site scripting, or deprecated protocols.
 Duration
 ◦ Vulnerability Scan: Relatively short amount of time, typically several seconds to several minutes per scanned host.
 ◦ Penetration Test: Engagements may last days or weeks depending on the scope of the test and the size of the environment to be tested. Tests may grow in time and complexity if efforts uncover additional scope.
• 24.
 Industry Best Practice Frameworks:
 o Open Web Application Security Project (OWASP)
 o Web Application Security Consortium (WASC)
 o Others: The Federal Financial Institutions Examination Council (FFIEC), and the National Institute of Standards and Technology (NIST).
 Industry Principles:
 o Configuration Management
 o Secure Transmission
 o Authentication & Authorization
 o Session Management
 o Data Validation
 o Output Encoding and Escaping
 o Cryptography
 o Error Handling
 o Risk Functionality
“Written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications” and “assessing and testing the security of all externally developed applications”.
• 25.
 Privileged Account Best Practices
 o Create and enforce policies that forbid the use of single, “all powerful” accounts.
 o Privileged Account Password Tools (one-time password generation/expiration)
 o Leveraging privileged account monitoring & logging tools (e.g., sudo, User Session Monitoring & Recording Solutions, Virtual/Physical Jump Stations)
 Audit Logging Best Practices
 o Log events should be defined so a human can read and understand them
 o Events need to be timestamped
 o Unique Identifiers (IDs) should be defined for each auditable activity
 o Log in a text format (not binary)
 o Identify the source of the event
 o Limit the ability to access logs and restrict the ability to modify logs (WORM drives, etc.)
“Cybersecurity program” that includes the ability to “track and maintain data” for the “complete and accurate reconstruction of all transactions and accounting”, the “logging of all privileged user access to critical systems”, that “protects the integrity” of any “audit trail” or “hardware” “from alteration or tampering”, and that is maintained “for not fewer than six years”.
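The last logging bullet and the "protects the integrity ... from alteration or tampering" language are the hard part of a six-year audit trail: WORM media stops rewrites at the storage layer, but nothing on the slide shows how a reader later proves that a text log was not edited, thinned or cut short before it got there. The following is an added example, not code from the presentation or from any logging product: it writes each event as one human-readable JSON text line with a timestamp, a unique event id, the source system and a privileged-access flag, and chains the lines with an HMAC over the record plus the previous record's tag, so that editing, deleting or reordering any line is detected on verification. The signing key, the event fields and the sample records are assumptions; in practice the key lives on a separate log host or in an HSM/KMS that the administrators being audited cannot reach.

```python
"""Tamper-evident audit trail: text records chained by HMAC.

Added example (not from the presentation). The key and the records are
constructed for the illustration; production keys belong outside the reach
of the administrators whose actions the trail records."""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous tag" of the first record


def _mac(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of a record (which includes 'prev')."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self._lines: List[str] = []
        self._prev = GENESIS

    def append(self, source: str, actor: str, action: str, target: str,
               privileged: bool, when: Optional[datetime] = None) -> str:
        """Append one event and return its tag (the chain head after this write)."""
        body = {
            "event_id": str(uuid.uuid4()),             # unique id per auditable activity
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "source": source,                          # system that produced the event
            "actor": actor,
            "action": action,
            "target": target,
            "privileged": privileged,                  # privileged access to a critical system
            "prev": self._prev,                        # link to the previous record's tag
        }
        tag = _mac(self._key, body)
        body["mac"] = tag
        self._lines.append(json.dumps(body, sort_keys=True))  # one readable text line
        self._prev = tag
        return tag

    def lines(self) -> List[str]:
        return list(self._lines)


def verify(key: bytes, lines: List[str],
           expected_head: Optional[str] = None) -> Tuple[bool, int, str]:
    """Walk the chain. Returns (ok, index of first bad line or -1, reason).

    expected_head is the last tag recorded somewhere the attacker cannot reach
    (e.g. written to WORM media or a separate host); without it, cutting records
    off the end of the trail is undetectable."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except ValueError:
            return False, i, "unparseable line"
        tag = rec.pop("mac", None)
        if rec.get("prev") != prev:
            return False, i, "chain break (record removed, inserted or reordered)"
        if not hmac.compare_digest(tag or "", _mac(key, rec)):
            return False, i, "record content altered"
        prev = tag
    if expected_head is not None and prev != expected_head:
        return False, len(lines), "trail truncated"
    return True, -1, "ok"


if __name__ == "__main__":
    key = b"demo-key-not-for-production"  # assumption: real key comes from a KMS/HSM
    trail = AuditTrail(key)
    when = datetime(2017, 1, 14, 9, 0, tzinfo=timezone.utc)
    trail.append("db01", "dba-jsmith", "LOGIN", "oracle", True, when)
    head = trail.append("db01", "dba-jsmith", "ALTER TABLE", "claims.policy", True, when)
    for line in trail.lines():
        print(line)
    print(verify(key, trail.lines(), head))
```

The chain detects modification, deletion and reordering on its own; truncation is only detectable if the current head tag is periodically copied somewhere the log writer cannot overwrite, which is the practical role of the WORM drive or a second host. A plain hash chain without a key would let an administrator who can edit the file simply recompute every hash, so the key must not be on the system whose privileged access is being recorded.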
• 26.
 Best Practices
 o In-Transit vs. At-Rest
 o Symmetric vs. Asymmetric
 o Advanced Encryption Standard (AES)
 o Questions Impacting Encryption Decisions
“Encrypt all nonpublic information” “in transit” within “one year from the date this regulation becomes effective”, or “five years” for nonpublic information “at rest”, with adequate “compensating” controls between the regulation effective date and the end of the transition period.
• 27.
 Policy
 o Team
 o Response Plan/Strategy
 o Communication
 o Documentation
 o Training
 o Testing
 Identification
 Containment
 Eradication
 Lessons Learned
“Establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event”
• 29.
Richard Santalesa, Esq., CIPP-US
Sm@rtEdgeLaw Group & Bortstein Legal Group
Phone: (203) 307-2665
rsantalesa@smartedgelawgroup.com
rsantalesa@blegalgroup.com
www.SmartEdgeLawGroup.com
www.blegalgroup.com
www.linkedin.com/in/rsantalesa

Jon Bosco
Partner
eDelta Consulting
Phone: (646) 205-9960
jBosco@edeltaconsulting.com
LinkedIn: https://www.linkedin.com/in/jon-bosco-