

4 New York DFS Cybersecurity Deadlines You Should Know

New York Department of Financial Services (NYDFS) has enacted 23 NYCRR Part 500, a new regulation designed to establish a cybersecurity baseline for financial service companies, which went into effect on March 1, 2017.

Generally speaking, this mandate applies to financial services firms such as banks and insurance companies licensed by the state of New York. That includes entities headquartered in New York state, as well as out-of-state/international entities doing business in New York. Smaller companies that do not meet certain thresholds for employee size, annual revenue, or total assets are exempt from some of the requirements. The full regulations and required certification can be found at:

Compliance Deadlines 23 NYCRR Part 500

While the mandate is now in effect, NYDFS has set a series of compliance deadlines to enable companies to meet all requirements over a 2 year transitional period. As these requirements encompass people, processes, and technologies, covered entities will want to start their efforts now to meet these deadlines:

  1. August 27, 2017
    1. Establish a cybersecurity program based on the company’s risk assessment
    2. Implement a written cybersecurity policy based on the company’s risk assessment
    3. Designate a Chief Information Security Officer
    4. Limit access privileges based on the company’s risk assessment
    5. Establish a written third-party service provider security policy based on the company’s risk assessment
    6. Establish a written incident response plan
  2. February 28, 2018
    1. CISO’s annual reporting to the Board of Directors
    2. Conduct cybersecurity monitoring and testing (at minimum, annual penetration testing and bi-annual vulnerability assessments)
    3. Conduct a risk assessment sufficient to inform the design of the cybersecurity program
    4. Implement multi-factor authentication
    5. Conduct cybersecurity awareness training for all personnel
  3. September 2, 2018
    1. Maintain audit trail systems to detect and respond to cybersecurity events
    2. Establish procedures, guidelines and standards for application security
    3. Implement a secure data disposal policy
    4. Implement a policy to monitor user activities to detect unauthorized data access
    5. Implement controls (encryption) to protect nonpublic information
  4. February 28, 2019
    1. Implement policies to ensure the security of systems and information that are accessible to, or held by, third-party service providers

Key Focus Areas

Three areas of 23 NYCRR Part 500 compliance that covered entities must pay particular attention to are:

Multi-factor Authentication: The Regulation defines “Multi-Factor Authentication” as authentication through verification of at least two of (1) knowledge factors (e.g. a password), (2) possession factors (e.g. a token, text message, or smart card), and (3) inherence factors (e.g. a biometric characteristic). Section 500.12 of the Regulation requires the use of Multi-Factor Authentication for access from an external network to the company’s internal networks. This section also requires effective controls to protect against unauthorized access to nonpublic information or information systems of the company, which may include Multi-Factor Authentication or Risk-Based Authentication.

Audit Trail: Under Section 500.06 of the Regulation, companies must maintain a cybersecurity program that includes audit trail systems designed to detect and respond to cybersecurity incidents.

Data Access Monitoring: Section 500.14(a) of the Regulation also requires companies’ cybersecurity programs to include policies, procedures and controls designed to monitor user activities to detect unauthorized access to and use of nonpublic information.

Let Us Help You

Soliton’s InfoTrace Endpoint Security and Compliance Management Solution can help covered entities accelerate their 23 NYCRR Part 500 compliance, as it integrates multiple layers of endpoint security, data access control, authentication, policy enforcement and forensic reporting into a single enforcement agent and provides management and reporting from a single pane of glass.

Email us to learn more about how InfoTrace can support your cybersecurity compliance requirements.


Ugh, PCI Compliance. The 4 Steps You Need to Focus on for Success

We know, we know. You merely consider PCI compliance and you’ve already hit overload. Now, while it provides a challenge, it really has improved protection in three significant ways:

  • Improved overall security posture and reduction in costly fines and data breaches.
  • Organizations are better prepared to detect and prevent attacks.
  • Operational efficiency is improved when policies and procedures are defined and documented.

I think maybe you’re warming up to the idea of ensuring your organization is PCI DSS compliant, so here are the 4 steps you need to focus on for success.

  1. Gap Analysis. Get your work friends together for a party! A planning/scoping party. It’s going to be fun, I promise. What you’re going to want to do is take a good look at how your organization plans and scopes policies, processes, procedures, controls and technology. Once you’ve documented all of that, you’ll be ready to do the gap analysis and identify where you have gaps in compliance.
  2. Remediation. Now that you know what your gaps are, you’re going to need to implement controls to remediate the gaps, or identify an alternative (compensating) control that still gets you to your preferred state. When that’s sorted out, you’re going to need to test your theory and validate that the control actually works.
  3. PCI Assessment. Now it’s time to put it to the test. Collect sample documentation, run controls, collect evidence and assess your PCI compliance.
  4. Report on Compliance. Last but certainly not least, you’ll need to be prepared to issue a report on your compliance, have it attested, and then submit it to the correct regulatory body or partner organization (such as your acquiring bank or credit card vendor).

The last thing to keep in mind is that this is a continuous process, not a “one and done” scenario. Adopt the Assess-Remediation-Report process as your regular approach and you’ll be in a good place.

For more information on how Soliton can help you achieve a continuous loop process, download our latest PCI DSS report.

The 12 Pillars of PCI Compliance

While you may be familiar with the term PCI DSS, you may not be as familiar with the twelve comprehensive requirements that make up the security standard. These requirements are meant to provide the necessary guidance for organizations to properly secure and monitor their network, while protecting cardholder data:

  1. Deploy and maintain a firewall
  2. Change all default passwords
  3. Protect stored cardholder data
  4. Encrypt in-motion cardholder data on public networks
  5. Protect systems against malware
  6. Secure systems and applications
  7. Restrict access to cardholder data
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Monitor access to network and cardholder data
  11. Test systems and processes regularly
  12. Maintain information security policy

Now, we can hear your brain shutting off as you consider where the heck to start. But don’t worry, we’re here to help. The path to success is rarely a straight one, but if you keep these 3 recommendations in mind you’ll be heading in the right direction.

  • It’s not a “one and done”. Performing a single annual assessment isn’t going to cut it. It leads to a false sense of security, and you’ll wish you had invested the time to avoid trouble later on – bad trouble like a breach or theft of customer data. You’ll need to think of PCI compliance as a continuous loop process where you’re always assessing, remediating based on what you discover during assessment, and reporting your findings to the appropriate groups.
  • Invest in technology that will assist, not hinder you. The temptation to go with the latest shiny new tool is hard to resist, but make sure that whatever you invest in is going to provide visibility and a feedback mechanism, and enable you to quickly remediate any issues as they arise.
  • Standardize your procedures. This can be a challenge for organizations of any size, but by coordinating your efforts across various internal functions, you’ll save yourself a lot of time and hassle later on. Use the twelve pillars as your guide on where to start.

For more information on how Soliton can help, download our latest PCI DSS report.