NY State's Cybersecurity Legislation: Requirements for Risk Management, Security of Applications, and the Appointed CISO


NY State's Cybersecurity Legislation: Requirements for Risk Management, Security of Applications, and the Appointed CISO
June 28, 2017
Alan Calder, IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING

Introduction: Alan Calder
- Founder of IT Governance Ltd
- Author of IT Governance: An International Guide to Data Security and ISO 27001/27002
- Led the world's first successful implementation of ISO 27001 (then BS 7799)

Leading global provider
- The single source for everything to do with cybersecurity, cyber risk management, and IT governance
- Our team of dedicated and knowledgeable trainers and consultants has helped over 400 organizations worldwide achieve ISO 27001 certification
- Our mission is to engage with business executives, senior managers, and IT professionals, and help them:
  º Protect and secure their intellectual capital
  º Comply with relevant regulations
  º Thrive as they achieve strategic goals through better IT management

Agenda
- Application security program (internal and external) and review by the CISO
- Overview of the risk assessment policy and procedures
- Setting up a program specific to your organization's information systems and business operations
- Identifying cyber threats and how to incorporate controls
- Maintaining an audit trail to include detection and responses to cybersecurity events
- How ISO 27001 and vsRisk can provide the right tools to help you implement a successful program that meets compliance requirements

Timelines: this presentation covers the following compliance deadlines

180 days (Aug. 28, 2017):
- Section 500.02 Cybersecurity Program
- Section 500.03 Cybersecurity Policy
- Section 500.04 (a) Chief Information Security Officer (CISO)
- Section 500.07 Access Privileges
- Section 500.10 Cybersecurity Personnel and Intelligence
- Section 500.16 Incident Response Plan

1 year:
- Section 500.04 (b) CISO's Report
- Section 500.05 Penetration Testing and Vulnerability Assessments
- Section 500.09 Risk Assessment
- Section 500.12 Multi-Factor Authentication
- Section 500.14 (b) Training and Monitoring

18 months:
- Section 500.06 Audit Trail
- Section 500.08 Application Security
- Section 500.13 Limitations on Data Retention
- Section 500.14 (a) Training and Monitoring
- Section 500.15 Encryption of Nonpublic Information

2 years:
- Section 500.11 Third Party Service Provider Security Policy

NYDFS cybersecurity FAQs

Q: Is a Covered Entity required to certify compliance with all the requirements of 23 NYCRR 500 on February 15, 2018?

A: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) by February 15, 2018. This initial certification applies to and includes all requirements of 23 NYCRR Part 500 for which the applicable transitional period under 23 NYCRR 500.22 has terminated prior to February 15, 2018. Accordingly, Covered Entities will not be required to submit certification of compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 until February 15, 2019, and certification of compliance with 23 NYCRR 500.11 until February 15, 2020.

Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm

Appointing a chief information security officer (CISO) (Section 500.04 (a), 180-day requirement due by August 28, 2017)

What to look for in a candidate:
- A trustworthy advisor
- Understands the business processes and the organization as a whole

Covered Entities may choose to:
- Designate an internal staff member as CISO
  º Benefits: will have an advantage in their understanding of how the business operates, which will enable them to better assess and guide what is needed to protect the organization
- Outsource the role to an affiliate or third party
  º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party
  º They may not have a clear picture of the business operations

NYDFS cybersecurity FAQs

Q: To the extent a Covered Entity uses an employee of an Affiliate as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of 23 NYCRR 500.04(a)(2)-(3)?

A: To the extent a Covered Entity utilizes an employee of an Affiliate to serve as the Covered Entity's CISO for purposes of 23 NYCRR 500.04(a), the Affiliate is not considered a Third Party Service Provider for purposes of 23 NYCRR 500.04(a)(2)-(3). However, the Covered Entity retains full responsibility for compliance with the requirements of 23 NYCRR Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.

Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm

Role of the CISO (Section 500.04 (b), one-year requirement)

Provide an annual report to the board of directors on the cybersecurity program and associated risks. The following must be taken into consideration by the CISO:
- The confidentiality of nonpublic information and the integrity and security of the Covered Entity's information systems
- The Covered Entity's cybersecurity policies and procedures
- Material cyber risks to the Covered Entity
- The overall effectiveness of the Covered Entity's cybersecurity program
- Material cybersecurity events involving the Covered Entity during the time period addressed by the report

Application security (Section 500.08)

The cybersecurity program should include:
- Written procedures, guidelines and standards designed to ensure the use of secure development practices for internally developed applications used by the Covered Entity
- Procedures for evaluating, assessing or testing the security of externally developed applications used by the Covered Entity within the context of its technology environment
- All such procedures, guidelines, and standards shall be periodically reviewed, assessed, and updated as necessary by the CISO (or a qualified designee)

Overview of the risk assessment policy and procedures (Section 500.09)

Risk assessments of information systems should be carried out periodically to inform the design of the cybersecurity program.

The risk assessment must:
- be updated if there are any changes to information systems, nonpublic information, or business operations
- allow for revision of controls to respond to threats or any technological developments
- consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems
- be documented and implemented in accordance with written policies and procedures

Policies and procedures should include:
- measures for the evaluation and classification of identified cybersecurity threats or risks
- conditions set for the assessment of the security, confidentiality and integrity, and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks
- a plan to determine how identified risks based on the risk assessment will be mitigated or accepted, and how the cybersecurity program will address the risks

NYDFS cybersecurity FAQs

Q: How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other affiliates?

A: When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity's Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity's Risk Assessment, cybersecurity program and cybersecurity policies (see 23 NYCRR Sections 500.09, 500.02 and 500.03, respectively). Other regulatory requirements may also apply, depending on the individual facts and circumstances.

Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm

Setting up a program specific to your organization's information systems and business operations

An effective program must place cybersecurity in the context of the business, and should be guided by two related considerations:
- How does cybersecurity enable the business?
- How does cyber risk affect the business?

From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience. The company's technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
- Supply chain/third-party suppliers
- Product/service development
- Customer experience
- External influencers

Elements of a strong cybersecurity strategy
- Set a vision: Describe how cybersecurity protects and enables value in your company.
- Sharpen your priorities: Your resources are finite, so focus on critical business assets.
- Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management, and strategic communications.
- Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you'll need to adopt new methods for treating risk.
- Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness of the threat landscape.
- Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
- Transform the culture: People are the core of the business, so cybersecurity is everyone's responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.

New York breaches rose 60% in 2016

New York State Attorney General Eric T. Schneiderman released a summary of the year 2016, which revealed:
- 1,300 reported data breaches
- a 60% increase from 2015
- 1.6 million New Yorkers' personal records exposed

2016 NY breaches caused by:

Identifying cyber threats

Threat actors:
- Non-target specific
- Employees
- Terrorists
- Hacktivists
- Organized crime
- Natural disasters
- Nation states
- Competitors

The threat landscape (attack vectors):
- People
- Processes
- Technology

Threat types:
- Malware
- Web attacks
- Denial of service
- Social engineering
- Exploit kits
- Ransomware
- Other

Threat targets:
- IP
- Card data
- PII
- Money
- Reputation
- Commercial info

Resources for threat alerts
- Multi-State Information Sharing and Analysis Center (MS-ISAC)
  º Provides alerts to current attacks and threats
  º Partners with the Department of Homeland Security
  º Free membership
  º https://msisac.cisecurity.org/
- Financial Services Information Sharing and Analysis Center (FS-ISAC)
  º The global financial industry's resource for cyber and threat intelligence analysis and sharing
  º Requires a membership fee
  º https://www.fsisac.com/

Incorporating controls

Cybersecurity must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by:
- identifying risks
- preventing risks through the design and implementation of controls
- monitoring and reporting on the effectiveness of those controls
- resolving compliance difficulties as they occur
- advising and training

Control types:
- Physical
- Procedural
- Personnel
- Product/Technical

Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)

Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
- are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years
- include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years

Summary:
- Maintain 5 years: material financial transactions
- Maintain 3 years: audit trails of cybersecurity events

Annex A: 14 control categories, 114 controls
- A.5 Infosec policies
- A.6 Organization of infosec
- A.7 Human resources security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Infosec incident management
- A.17 Infosec aspects of business continuity management
- A.18 Compliance

Best-practice cyber risk management: ISO 27001 and vsRisk

Encompassing people, processes, and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.

ISO 27001:
- Internationally recognized standard
- Best-practice solution
- Substantial ecosystem of implementers
- Coordinates multiple legal and contractual compliance requirements
- Built around business-focused risk assessment
- Balances confidentiality, integrity, availability
- Achieve certification in a timely and cost-effective manner

vsRisk software:
- Gives you a clear picture of your risks and threats
- Provides a framework to start your cybersecurity program
- Saves time, effort, and expense

ISO 27000 family of standards

ISO 27001:2013:
- Clauses 0 to 3: Introduction
- Clauses 4 to 10: Application (the requirements)
- Terms and definitions: by reference to ISO 27000:2016
- Annex A (A.5 to A.18): Security control objectives and controls
- Annex B: Bibliography

ISO 27002:2013:
- Clauses 1 to 4: Introduction, Scope and normative references, Terms and definitions, Structure and risk assessment
- Clauses 5 to 18: Security control objectives, Controls, Control implementation guidance, Other information

Risk assessment software: vsRisk (v3.0), shown alongside NIST and PCI DSS

Valuable resources
- Next free webinar in this series: NYDFS, a guide to risk assessment
- Free green papers, NYDFS Cybersecurity Requirements:
  º Part 1: The Regulation and the ISO 27001 standard
  º Part 2: Mapped alignment with ISO 27001
- More information on ISO 27001 and the Regulation
  º www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
- Risk assessment and ISO 27001
  º www.itgovernanceusa.com/iso27001-risk-assessment

Books, standards, training, and tools
- New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
  º New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
  º New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
- ISO 27001 Cybersecurity Documentation Toolkit
  º www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
  º Receive 20% off this toolkit when you book a place on any New York DFS Cybersecurity & ISO 27001 Live Online course.
- vsRisk risk assessment software
  º www.itgovernanceusa.com/shop/product/vsrisk-standalone-basic
- ISO 27001 standards
  º ISO/IEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

IT Governance Ltd: one-stop shop. All verticals, all sectors, all organizational sizes.

Join in the conversation: subscribe to our IT Governance LinkedIn group, NYDFS Cybersecurity Requirements
www.linkedin.com/groups/8598504

Questions and answers