NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

Transcription

1 NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO June 28, 2017 Alan Calder IT Governance Ltd PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING

2 Introduction Alan Calder Founder of IT Governance Ltd Author of IT Governance: An International Guide to Data Security and ISO 27001/27002 Led the world s first successful implementation of ISO (then BS 7799)

3 Leading global provider The single source for everything to do with cybersecurity, cyber risk management, and IT governance Our team of dedicated and knowledgeable trainers and consultants have helped over 400 organizations worldwide achieve ISO certification Our mission is to engage with business executives, senior managers, and IT professionals, and help them: Protect Comply Thrive and secure their intellectual capital with relevant regulations as they achieve strategic goals through better IT management

4 Agenda Application security program (internal and external) and review by the CISO Overview of the risk assessment policy and procedures Setting up a program specific to your organization s information systems and business operations Identifying cyber threats and how to incorporate controls Maintaining an audit trail to include detection and responses to cybersecurity events How ISO and vsrisk can provide the right tools to help you implement a successful program that meets compliance requirements 4

5 Timelines This presentation covers the following compliance deadlines 180 days (Aug. 28, 2017) 1 year 18 months 2 years Section Cybersecurity Program Section (b) CISO s Report Section Audit Trail Section Third Party Service Provider Security Policy Section Cybersecurity Policy Section Penetration Testing and Vulnerability Assessments Section Application Security Section (a) Chief Information Security Officer (CISO) Section Risk Assessment Section Limitations on Data Retention Section Access Privileges Section Multi-Factor Authentication Section (a) Training and Monitoring Section Cybersecurity Personnel and Intelligence Section (b) Training and Monitoring Section Encryption of Nonpublic Information Section Incident Response Plan

6 NYDFS cybersecurity FAQs Q: Is a Covered Entity required to certify compliance with all the requirements of 23 NYCRR 500 on February 15, 2018? A: Covered Entities are required to submit the first certification under 23 NYCRR (b) by February 15, This initial certification applies to and includes all requirements of 23 NYCRR Part 500 for which the applicable transitional period under 23 NYCRR has terminated prior to February 15, Accordingly, Covered Entities will not be required to submit certification of compliance with the requirements of 23 NYCRR (b), , , , , , , and until February 15, 2019, and certification of compliance with 23 NYCRR until February 15, Source:

7 Appointing a chief information security officer (CISO) (Section (a) 180-day requirement due by August 28, 2017) What to look for in a candidate A trustworthy advisor Understands the business processes and the organization as a whole Covered entities may choose to: Designate an internal staff member as CISO º Benefits: will have an advantage in their understanding of how the business operates, which will enable them to better assess and guide what is needed to protect the organization Outsource the role to an affiliate or third party º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party º They may not have a clear picture of the business operations

8 NYDFS cybersecurity FAQs Q: To the extent a Covered Entity uses an employee of an Affiliate as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of 23 NYCRR (a)(2)-(3)? A: To the extent a Covered Entity utilizes an employee of an Affiliate to serve as the Covered Entity's CISO for purposes of 23 NYCRR (a), the Affiliate is not considered a Third Party Service Provider for purposes of 23 NYCRR (a)(2)-(3). However, the Covered Entity retains full responsibility for compliance with the requirements of 23 NYCRR Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part. Source:

9 Role of the CISO (Section (b) one-year requirement) Provide an annual report to the board of directors on the cybersecurity program and associated risks The following must be taken into consideration by the CISO: The confidentiality of nonpublic information and the integrity and security of the Covered Entity s information systems The Covered Entity s cybersecurity policies and procedures Material cyber risks to the Covered Entity The overall effectiveness of the Covered Entity s cybersecurity program Material cybersecurity events involving the Covered Entity during the time period addressed by the report.

10 Application security (Section ) Within the cybersecurity program should include: Written procedures, guidelines and standards designed to ensure the use of secure development practices for internally developed applications used by the Covered Entity Procedures for evaluating, assessing or testing the security of externally developed applications used by the covered entity within the context of its technology environment All such procedures, guidelines, and standards shall be periodically reviewed, assessed, and updated as necessary by the CISO (or a qualified designee)

11 Overview of the risk assessment policy and procedures (Section ) Risk assessments of information systems should be carried out periodically to inform the design of the cybersecurity program The risk assessment must: be updated if there are any changes to information systems, nonpublic information, or business operations allow for revision of controls to respond to threats or any technological developments consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems be documented and implemented in accordance with written policies and procedures Policies and procedures should include: measures for the evaluation and classification of identified cybersecurity threats or risks conditions set for the assessment of the security, confidentiality and integrity, and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks a plan to determine how identified risks based on the risk assessment will be mitigated or accepted, and how the cybersecurity program will address the risks

12 NYDFS cybersecurity FAQs Q: How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other affiliates? A: When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity s Risk Assessment, cybersecurity program and cybersecurity policies (see 23 NYCRR Sections , and , respectively). Other regulatory requirements may also apply, depending on the individual facts and circumstances. Source:

13 Setting up a program specific to your organization s information systems and business operations An effective program must place cybersecurity in the context of the business, and should be guided by two related considerations: How does cybersecurity enable the business? How does cyber risk affect the business? From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience. The company s technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover: Supply chain/third-party suppliers Product/service development Customer experience External influencers

14 Elements of a strong cybersecurity strategy Set a vision: Describe how cybersecurity protects and enables value in your company. Sharpen your priorities: Your resources are finite, so focus on critical business assets. Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management, and strategic communications. Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you ll need to adopt new methods for treating risk. Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness of the threat landscape. Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue. Transform the culture: People are the core of the business, so cybersecurity is everyone s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.

15 New York breaches rose 60% in 2016 New York State Attorney General Eric T. Schneiderman released a summary of the year 2016, which revealed: 1,300 reported data breaches 60% increase from million New Yorkers personal records exposed

16 2016 NY breaches caused by:

17 Identifying cyber threats Threat actors Non-target specific Employees Terrorists Hacktivists Organized crime Natural disasters Nation states Competitors The threat landscape Attack vectors People Processes Technology Threat types Malware Web attacks Denial of service Social engineering Exploit kits Ransomware Other Threat targets IP Card data PII Money Reputation Commercial info

18 Resources for threat alerts Multi-State Information Sharing and Analysis Center (MS-ISAC) Provides alerts to current attacks and threats Partners with the Department of Homeland Security Free membership Financial Services Information Sharing and Analysis Center (FS-ISAC) A global financial industry's resource for cyber and threat intelligence analysis and sharing Requires a membership fee

19 Incorporating controls Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by: identifying risks preventing risks though the design and implementation of controls monitoring and reporting on the effectiveness of those controls resolving compliance difficulties as they occur advising and training Physical Procedural Personnel Product/Technical

20 Maintaining an audit trail to include responses to and detection of cybersecurity events (Section ) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment: are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years Maintain 5 years Material financial transactions Maintain 3 years Audit trails of cybersecurity events

21 Annex A: 14 control categories 114 CONTROLS 5 Infosec policies 6 Organization of infosec 7 Human resources security 8 Asset management 9 Access control 10 Cryptography 11 Physical and environmental sec. 12 Operations security 13 Comms security 14 System acq., dev. & mtnce. 15 Supplier relationships 16 Infosec incident management 17 Infosec aspects of BC mgmt. 18 Compliance

22 Best-practice cyber risk management ISO and vsrisk Encompassing people, processes, and technology, ISO s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way. ISO Internationally recognized standard Best-practice solution Substantial ecosystem of implementers Coordinates multiple legal and contractual compliance requirements Built around business-focused risk assessment Balances confidentiality, integrity, availability Achieve certification in a timely and cost-effective manner vsrisk software Gives you a clear picture of your risks and threats Providing a framework to start your cybersecurity program Save time, effort, and expense

23 ISO family of standards ISO 27001:2013 ISO 27002:2013 Introduction Application Terms and definitions Security Control objectives Controls Bibliography 0 to 3 4 to 10 Annex A: A.5 to Annex A: A.18 Annex B ISO 27000: to Introduction Scope and norm ref. Terms and definitions Structure and risk ass. Security Control objectives Controls Control Implementation guidance Other info

24 Risk assessment software

25 vsrisk (v3.0) NIST, PCI DSS Watch our video >>

26 Valuable resources Next free webinar in this series NYDFS a guide to risk assessment Free green papers NYDFS Cybersecurity Requirements: º Part 1 The Regulation and the ISO standard º Part 2 Mapped alignment with ISO More information on ISO and the Regulation º Risk assessment and ISO º

27 Books, standards, training, and tools New York DFS Cybersecurity & ISO Certified ISMS online training New York DFS Cybersecurity & ISO Certified ISMS Foundation New York DFS Cybersecurity & ISO Certified ISMS Lead Implementer ISO Cybersecurity Documentation Toolkit cybersecurity-documentation-toolkit Receive 20% off this toolkit when you book a place on any New York DFS Cybersecurity & ISO Live Online course. vsrisk risk assessment software ISO standards ISO/IEC (ISO Standard) ISMS Requirements

28 IT Governance Ltd: One-stop shop All verticals, all sectors, all organizational sizes

29 Join in the conversation Subscribe to our IT Governance LinkedIn group: NYDFS Cybersecurity Requirements

30 Questions and answers