If you are a financial institution, such as a bank or investment firm, you know that protecting the security and privacy of your financial data is a major responsibility. If you’re an institution headquartered in the state of New York, you likely know that the New York Department of Financial Services (DFS) has recently imposed a new regulatory requirement to help focus the industry on establishing and maintaining an effective security program. This program, named the 23 NYCRR Part 500 Cybersecurity Regulation, is intended to give institutions guidance on ensuring that there is internal oversight, that defensive controls are in place, and that adequate, regular testing is performed. Key areas of focus include performing risk assessments specific to an institution's assets and environment, developing a cybersecurity program to help defend against attacks, and identifying individuals within the organization who are qualified to provide ongoing guidance for this program at the CISO level.
The DFS 23 NYCRR Part 500 has been in effect since March 1, 2017. As of August 28, 2017, it requires all DFS covered entities to be compliant, unless exempted. Covered entities will have until February 15, 2018 to self-certify that all requirements have been met.
nGuard makes complying with the 23 NYCRR security requirements easy. We help our clients navigate the 23 NYCRR security requirements and determine the true state of their safeguards & controls. With nGuard's customizable set of assessment solutions, we can build a program that is appropriate for the size of your organization and for your varying needs.
From Fortune 100 clients to small businesses, our security consultants work with you to specifically tailor a solution to your compliance needs.
NYDFS 23 NYCRR Strategic Security Assessment (SSA)
The cornerstone of your 23 NYCRR Risk Analysis program is nGuard's 23 NYCRR Strategic Security Assessment (SSA). The 23 NYCRR SSA is a streamlined strategic security analysis of your institution’s financial records systems, as well as the other ways that financial records are transmitted, stored, or processed. The assessment is cost-effective at any scale, from a small bank up to a large investment firm. The 23 NYCRR SSA evaluates the major components of your security compliance program as required by the DFS, including:
- CISO Governance
- Cybersecurity Policies
- Ongoing Risk Assessments
- Ongoing Penetration Testing & Vulnerability Assessments
- Log Monitoring & Alerting
- Access Controls & Multi-factor Authentication
- Systems, Applications, & Network Controls
- Data Governance & Privacy
- Third-party Service Provider Oversight
- Physical Controls
- Awareness Training
- Secure Data Storage & Transmission
- Incident Response & Business Continuity
NYDFS 23 NYCRR 500 Risk Assessment
For financial institutions that need a rigorous asset-centric risk analysis, nGuard's 23 NYCRR 500 Security Risk Assessment is the optimal solution. The 23 NYCRR 500 Security Risk Assessment goes beyond just assessing gaps in 23 NYCRR 500 controls and safeguards. Our Security Risk Assessment process:
- Analyzes your financial systems and data assets to identify:
  - The qualitative value of the assets
  - The potential threats to those assets
  - The likelihood of threat occurrence
  - The potential impact of each threat
- Provides a risk score for each asset
- Validates the scope of your financial data environment
The result of this intensive risk assessment is an understanding of the most at-risk financial systems and data assets, the highest priority threats, and the recommended mitigation strategies. nGuard's veteran information security assessors make the entire process easy and informative.
NYDFS 23 NYCRR 500 Compliance Methodology
Compliance with 23 NYCRR 500 isn't just about assessments; it's about the full continuum of activities required for compliance. nGuard's compliance methodology defines a flexible framework that your organization can leverage to continue & accelerate your 23 NYCRR 500 compliance efforts. Whether you are just starting or ready to attest to compliance, our methodology has the flexibility to adapt to your specific needs.
For clients just starting down the 23 NYCRR 500 compliance path, the steps to satisfy regulatory demands are spelled out below, referring to the chart above.
- Step 1 ensures that the scope of the financial records’ environments is well-defined.
- Step 2 helps ensure that the initial gaps are identified and that appropriate corrective actions are developed.
- Step 3 covers the customer’s remediation efforts to address any identified gaps.
- Step 4 encompasses the full assessment of 23 NYCRR 500 compliance that confirms your organization’s adherence to 23 NYCRR 500 regulatory demands.
Once compliant, the methodology shifts your organization into maintenance mode. This means that nGuard can maintain your 23 NYCRR 500 compliance through ongoing 23 NYCRR 500 audits. These are required by regulations and address remediation of new issues that emerge. Furthermore, if your organization undergoes major changes, such as rapid growth or an acquisition, nGuard’s methodology is flexible enough to allow the new changes to be evaluated at Step 1, while the existing audit areas remain unaffected.
Tactical NYDFS 23 NYCRR 500 Assessments
In addition to the strategic assessments, 23 NYCRR 500 requires tactical assessments of your financial records environment. These tactical assessments help to evaluate the different ways your financial data is accessed through discovering, testing, and safely exploiting vulnerabilities in your environment. Together, these tactical assessments will identify the tangible vulnerabilities that are exploitable in your environment and give your organization specific guidance on how to resolve them.
nGuard's portfolio of tactical assessment services for 23 NYCRR 500 includes:
NYDFS 23 NYCRR 500 Remediation
In many cases, in addition to assessments, customers can turn to nGuard for 23 NYCRR 500 remediation services. If your IT staff is 100% utilized or does not have all the skill sets needed to perform the remediation, nGuard can quickly help address your issues. Furthermore, you will be better prepared for future audits. Remediation activities can take many forms and are customized for each client. Example remediation services include: