NY State's Department Cybersecurity Regulation: how to gain certification within timelines
Posted on 11-Apr-2017
NY State's Department Cybersecurity Regulation: How to gain certification within timelines
March 7, 2017
Alan Calder
IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING
Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to Data Security and ISO27001/ISO27002
• Led the world's first successful implementation of ISO 27001 (then BS 7799)
www.itgovernanceusa.com – Copyright IT Governance Ltd 2017 – v1.0
Leading global provider
• The single source for everything to do with cybersecurity, cyber risk management and IT governance
• Our team of dedicated and knowledgeable trainers and consultants have helped over 400 organizations worldwide achieve ISO 27001 certification
• Our mission is to engage with business executives, senior managers and IT professionals, and to help them:
– Protect and secure their intellectual capital
– Comply with relevant regulations
– Thrive as they achieve strategic goals through better IT management
IT Governance Ltd: One-stop shop
All verticals, all sectors, all organizational sizes
Agenda
• The direct effect on your business and the transition timelines
• How ISO 27001, the internationally recognized standard, can help you achieve certification in a timely and cost-effective manner
• Conducting a gap analysis to determine the technical and organizational measures your business will need to adopt to comply with the Regulation
• Developing policies and procedures that comply with the Regulation
• Additions to your cybersecurity program and policy, including appointing personnel and creating an incident response plan to meet the 180-day deadline
NYDFS Cybersecurity Requirements for Financial Services Companies
• Calls for all NY financial institutions to implement security measures in order to protect themselves against cyber attacks
• Increase in cyber threats toward the financial industry
• The Identity Theft Resource Center revealed in 2016 that financial organizations suffered 52 breaches and 72,000 records were compromised
One of the largest attacks reported on a financial institution yet
• 2016 malware attack on Bangladesh Central Bank's SWIFT payment system resulted in $81 million being stolen
• Cyber criminals attempted to make fraudulent transfers that totalled $951 million from the Bangladesh Central Bank's account at the Federal Reserve Bank of New York
Financial Services: one of the highest-ranked industries for breaches
• SecurityScorecard studied 361 global organizations that were breached between Jun 2015 and Apr 2016
• Of these, financial services organizations accounted for over 10
Non-compliance and penalties
• Under Financial Services Law sections 102, 201, 202, 301, 302 and 408, the NYDFS Superintendent has the authority to:
– Carry out civil penalties
– Impose fines for non-compliance with regulations and for false reporting
• Just this year the NYDFS fined Deutsche Bank $425 million for violating anti-money laundering laws; the violations involved inadequate precautions to identify compliance issues, including:
– Inaccurate and insufficient documentation
– Weak risk assessment
– Under-resourced staff
Threat landscape: Overview
• Threat actors: non-target specific, employees, terrorists, hacktivists, organized crime, natural disasters, nation states, competitors
• Attack vectors: people, processes, technology
• Threat targets: IP, card data, PII, money, reputation, commercial info
• Threat types: malware, web attacks, denial of service, social engineering, exploit kits, ransomware, etc.
Timelines (transitional period for each section, counted from the effective date)
180 days:
– Section 500.02 Cybersecurity Program
– Section 500.03 Cybersecurity Policy
– Section 500.07 Access Privileges
– Section 500.10 Cybersecurity Personnel and Intelligence
– Section 500.16 Incident Response Plan
1 year:
– Section 500.04(b) Chief Information Security Officer (CISO)
– Section 500.05 Penetration Testing and Vulnerability Assessments
– Section 500.09 Risk Assessment
– Section 500.12 Multi-Factor Authentication
– Section 500.14(b) Training and Monitoring
18 months:
– Section 500.06 Audit Trail
– Section 500.08 Application Security
– Section 500.13 Limitations on Data Retention
– Section 500.14(a) Training and Monitoring
– Section 500.15 Encryption of Nonpublic Information
2 years:
– Section 500.11 Third Party Service Provider Security Policy
• The requirements became effective on March 1, 2017, with the reporting requirement kicking in on February 15, 2018
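The timeline above is easier to act on as dated deadlines. The following Python tracker is an added example, not code from the webinar or from IT Governance Ltd: it takes the section-to-period assignment from the slide and the March 1, 2017 effective date, and computes each section's deadline and how many days remain on a given date. The counting rule (180 calendar days; 12, 18 and 24 calendar months) is an assumption, so the resulting dates should be checked against the Regulation's own transitional-period text before they go into a compliance plan.

```python
"""Transition-period tracker for the NYDFS Cybersecurity Regulation.

Added example; not code from the webinar or from IT Governance Ltd.
Section-to-period assignments follow the timeline table in the slides;
the deadline arithmetic (180 calendar days; 12, 18 and 24 calendar months
from the effective date) is an assumption to verify against the Regulation.
"""
import calendar
from datetime import date, timedelta

EFFECTIVE_DATE = date(2017, 3, 1)         # Regulation effective date (from the slide)
FIRST_REPORTING_DATE = date(2018, 2, 15)  # reporting requirement kicks in (from the slide)

# (section, title) per transitional period, as laid out on the slide.
TRANSITION_PERIODS = {
    "180 days": [
        ("500.02", "Cybersecurity Program"),
        ("500.03", "Cybersecurity Policy"),
        ("500.07", "Access Privileges"),
        ("500.10", "Cybersecurity Personnel and Intelligence"),
        ("500.16", "Incident Response Plan"),
    ],
    "1 year": [
        ("500.04(b)", "Chief Information Security Officer (CISO)"),
        ("500.05", "Penetration Testing and Vulnerability Assessments"),
        ("500.09", "Risk Assessment"),
        ("500.12", "Multi-Factor Authentication"),
        ("500.14(b)", "Training and Monitoring"),
    ],
    "18 months": [
        ("500.06", "Audit Trail"),
        ("500.08", "Application Security"),
        ("500.13", "Limitations on Data Retention"),
        ("500.14(a)", "Training and Monitoring"),
        ("500.15", "Encryption of Nonpublic Information"),
    ],
    "2 years": [
        ("500.11", "Third Party Service Provider Security Policy"),
    ],
}

# How each period label is counted (assumption: "year"/"months" are calendar months).
PERIOD_LENGTHS = {"180 days": ("days", 180), "1 year": ("months", 12),
                  "18 months": ("months", 18), "2 years": ("months", 24)}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def deadline_for(period: str, start: date = EFFECTIVE_DATE) -> date:
    """Deadline for one transitional period, counted from `start`."""
    unit, n = PERIOD_LENGTHS[period]
    return start + timedelta(days=n) if unit == "days" else add_months(start, n)


def schedule(start: date = EFFECTIVE_DATE) -> dict:
    """Map every section on the slide to its computed deadline."""
    return {sec: deadline_for(period, start)
            for period, items in TRANSITION_PERIODS.items()
            for sec, _title in items}


def due_by(as_of: date, start: date = EFFECTIVE_DATE) -> list:
    """Sections whose deadline falls on or before `as_of`, earliest first."""
    plan = schedule(start)
    return sorted((sec for sec, dl in plan.items() if dl <= as_of),
                  key=lambda s: (plan[s], s))


def days_remaining(as_of: date, start: date = EFFECTIVE_DATE) -> dict:
    """Days left per section on `as_of`; a negative value means overdue."""
    return {sec: (dl - as_of).days for sec, dl in schedule(start).items()}


if __name__ == "__main__":
    titles = {sec: title for items in TRANSITION_PERIODS.values() for sec, title in items}
    for sec, dl in sorted(schedule().items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{dl.isoformat()}  Section {sec:<10} {titles[sec]}")
    print(f"Reporting requirement kicks in: {FIRST_REPORTING_DATE.isoformat()}")
```

Running the script prints the sixteen sections sorted by deadline; `due_by(date.today())` gives the set an auditor would expect to see evidence for today, and `days_remaining` is the input for a simple countdown on a compliance dashboard.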
Who must comply?
• Financial services based in New York:
– Banking institutions
– Savings and loan organizations
– Private bankers
– Trust companies
– Insurance agencies
– Health insurers
– Check cashers
Any financial institution that falls under NYDFS supervision.
• Exemptions include companies with:
– fewer than 10 employees
– less than $5M in revenue (over last 3 years)
– less than $10M in total assets
Additional exemptions from sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 vary for entities that do not handle, access, possess or own non-public information.
Why ISO 27001?
• Internationally recognized standard
• Best-practice solution
• Substantial eco-system of implementers
• Leading companies have implemented it:
– Citibank
– Amazon Web Services
– IBM
– Microsoft
– The Federal Reserve Bank of New York
• Co-ordinates multiple legal & contractual compliance requirements
• Built around business-focused risk assessment
• Balances Confidentiality, Integrity and Availability
• Achieve certification in a timely and cost-effective manner
[Slide: how the ISO 27000-family standards fit together]
• ISO 27001:2013 – clauses 0 to 3 (Introduction; Scope and normative references; Terms and definitions); clauses 4 to 10 (structure and risk assessment); Annex A, A.5 to A.18 (security … control objectives and controls); Annex B (Bibliography)
• ISO 27000:2016 – Introduction; Application; Terms and definitions
• ISO 27002:2013 – clauses 1 to 4; clauses 5 to 18 (security … control objectives and controls, each control giving: Control; Implementation guidance; Other information)
Annex A: 14 control categories (114 controls)
5 Information security policies
6 Organization of information security
7 Human resources security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Gap analysis / risk assessment (Cybersecurity Program, Section 500.02)
• A cybersecurity program must be informed by the results of a risk assessment, which determines the risks facing the organization, its information and its information systems
– This will enable the organization to select the relevant controls and additional measures that might be applicable
• Report on the state of organizational compliance
– A gap analysis should be conducted to determine the technical and organizational measures your business will need to adopt in order to comply with the Regulation
[Slide: vsRisk™ (v2.x) screenshot – NIST, PCI DSS]
Developing policies and procedures (Cybersecurity Policy, Section 500.03)
• Information security
• Data governance and classification
• Asset inventory and device management
• Access controls and identity management
• Business continuity and disaster recovery planning and resources
• Systems operations and availability concerns
• Systems and network security
• Systems and network monitoring
• Physical security and environmental controls
• Customer data privacy
• Vendor and third-party service provider management
• Risk assessment
• Incident response
Appointing personnel (Section 500.10)
• Cybersecurity personnel and intelligence
• Integrated approach
• The correct mix of skills is available and maintained
• Awareness appropriate for cybersecurity issues
Incident response plan (Section 500.16)
• The Regulation requires a written incident response plan
• An effective set of information security event and incident arrangements can be established by considering the security controls
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation: https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk Assessment and ISO 27001: https://www.itgovernanceusa.com/risk_assessments
Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training:
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit – https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software – https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards – ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Questions and answers
Introduction
bull Alan Calder
bull Founder of IT Governance Ltd
bull Author of IT Governance An International Guide to Data Security and ISO2700127002
bull Led the worldrsquos first successful implementationof ISO 27001 (then BS 7799)
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Leading global provider
bull The single source for everything to do with cybersecurity cyber risk
management and IT governance
bull Our team of dedicated and knowledgeable trainers and consultants
have helped over 400 organizations worldwide achieve ISO 27001
certification
bull Our mission is to engage with business executives senior
managers IT professionals and to help them
Protect Comply Thrive
and secure their intellectual capital
with relevant regulations
as they achieve strategic goals through better IT management
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Agenda
bull The direct effect on your business and the transition timelines
bull How ISO 27001 the internationally recognized standard can help you achieve certification in a timely and cost-effective manner
bull Conducting a gap analysis to determine the technical and organizational measures your business will need to adopt to comply with the Regulation
bull Developing policies and procedures that comply with the Regulation
bull Additions to your cybersecurity program and policy including appointing personnel and creating an incident response plan to meet the 180-day deadline
5
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
NYDFS Cybersecurity Requirements
for Financial Services Companies
bull Calls for all NY financial institutions to implement security measures
in order to protect themselves against cyber attacks
bull Increase in cyber threats toward the financial industry
bull The Identity Theft Resource Center revealed in 2016 that financial
organizations suffered 52 breaches and 72000 records were
compromised
52breaches
72krecords
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
One of the largest attacks reported on
a financial institution yet
bull 2016 malware attack on Bangladesh Central Bankrsquos SWIFT
payment system resulted in $81 million being stolen
bull Cyber criminals attempted to make
fraudulent transfers that totalled
$951 million from the Bangladesh
Central Banks account at the
Federal Reserve Bank of New York$81m
stolen
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Financial Services one of the highest-ranked industries for breaches
bull SecurityScorecard
studied 361 global
organizations that were
breached between
Jun 2015 - Apr 2016
bull Of these financial
services organizations
accounted for
over 10
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Non-compliance and penalties
bull Under the Financial Services Law 102 201 202 301 302 and 408
the NYDFS Superintendent has the authority to
ndash Carry out civil penalties
ndash Impose fines for the non-compliance of regulations and false reporting
bull Just this year the NYDFS fined Deutsche Bank $425 million
for violating anti-money laundering laws that involved
inadequate precautions to identify compliance issues
including
ndash Inaccurate and insufficient documentation
ndash Weak risk assessment
ndash Under-resourced staff
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Threat landscape Overview
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Timelines
180 days 1 year 18 months 2 years
Section 50002 Cybersecurity Program
Section 50004 (b) Chief Information Security Officer (CISO)
Section 50006 Audit Trail
Section 50011 Third Party Service Provider Security Policy
Section 50003 Cybersecurity Policy
Section 50005 Penetration Testing and Vulnerability Assessments
Section 50008 Application Security
Section 50007 Access Privileges
Section 50009 Risk Assessment
Section 50013 Limitations on Data Retention
Section 50010 Cybersecurity Personnel and Intelligence
Section 50012 Multi-Factor Authentication
Section 50014 (a)Training and Monitoring
Section 50016 Incident Response Plan
Section 50014 (b)Training and Monitoring
Section 50015 Encryption of Nonpublic Information
bull The requirements became effective on March 1 2017 with the
reporting requirement kicking in on February 15 2018
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Who must comply
bull Financial services based in New Yorkndash Banking institutions
ndash Savings and loan organizations
ndash Private bankers
ndash Trust companies
ndash Insurance agencies
ndash Health insurers
ndash Check cashers
Any financial institution that falls under NYDFS supervision
bull Exemptions include companies withndash fewer than 10 employees
ndash less than $5M in revenue (over last 3 years)
ndash less than $10M in total assets
Additional exemptions of sections 50004 50005 50006 50008 50010 50012 50014 50015 and 50016 vary for entities that do not handle access possess or own non-public information
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Why ISO 27001
bull Internationally recognized standard
bull Best-practice solution
bull Substantial eco-system of implementers
bull Leading companies have implementedndash Citibank
ndash Amazon Web Services
ndash IBM
ndash Microsoft
ndash The Federal Reserve Bank of New York
bull Co-ordinates multiple legal amp contractual compliance requirements
bull Built around business-focused risk assessment
bull Balances Confidentiality Integrity Availability
bull Achieve certification in a timely and cost-effective manner
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27001
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Gap analysisrisk assessment(Cybersecurity Program 5002)
bull A cybersecurity program must be informed by the results of a risk
assessment which determines the risks facing the organization its
information and its information systems
ndash This will enable the organization to select the relevant controls and additional
measures that might be applicable
bull Report on the state of organizational compliance
ndash A gap analysis should be conducted to determine the technical and
organizational measures your business will need to adopt in order to comply
with the Regulation
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Developing policies and procedures (Cybersecurity Policy Section 5003)
bull Information security
bull Data governance and classification
bull Asset inventory and device management
bull Access controls and identity management
bull Business continuity and disaster recovery planning and resources
bull Systems operations and availability concerns
bull Systems and network security
bull Systems and network monitoring
bull Physical security and environmental controls
bull Customer data privacy
bull Vendor and third-party service provider management
bull Risk assessment
bull Incident response
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Appointing personnel(Section 50010)
bull Cybersecurity personnel and intelligence
bull Integrated approach
bull Correct mix of skills are available and maintained
bull Awareness appropriate for cybersecurity issues
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incident response plan(Section 50016)
bull The Regulation requires a written incident response plan
bull An effective set of information security event and incident
arrangements can be established by considering the security
controls
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk Assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Leading global provider
bull The single source for everything to do with cybersecurity cyber risk
management and IT governance
bull Our team of dedicated and knowledgeable trainers and consultants
have helped over 400 organizations worldwide achieve ISO 27001
certification
bull Our mission is to engage with business executives senior
managers IT professionals and to help them
Protect Comply Thrive
and secure their intellectual capital
with relevant regulations
as they achieve strategic goals through better IT management
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Agenda
bull The direct effect on your business and the transition timelines
bull How ISO 27001 the internationally recognized standard can help you achieve certification in a timely and cost-effective manner
bull Conducting a gap analysis to determine the technical and organizational measures your business will need to adopt to comply with the Regulation
bull Developing policies and procedures that comply with the Regulation
bull Additions to your cybersecurity program and policy including appointing personnel and creating an incident response plan to meet the 180-day deadline
5
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
NYDFS Cybersecurity Requirements
for Financial Services Companies
bull Calls for all NY financial institutions to implement security measures
in order to protect themselves against cyber attacks
bull Increase in cyber threats toward the financial industry
bull The Identity Theft Resource Center revealed in 2016 that financial
organizations suffered 52 breaches and 72000 records were
compromised
52breaches
72krecords
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
One of the largest attacks reported on
a financial institution yet
bull 2016 malware attack on Bangladesh Central Bankrsquos SWIFT
payment system resulted in $81 million being stolen
bull Cyber criminals attempted to make
fraudulent transfers that totalled
$951 million from the Bangladesh
Central Banks account at the
Federal Reserve Bank of New York$81m
stolen
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Financial Services one of the highest-ranked industries for breaches
bull SecurityScorecard
studied 361 global
organizations that were
breached between
Jun 2015 - Apr 2016
bull Of these financial
services organizations
accounted for
over 10
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Non-compliance and penalties
bull Under the Financial Services Law 102 201 202 301 302 and 408
the NYDFS Superintendent has the authority to
ndash Carry out civil penalties
ndash Impose fines for the non-compliance of regulations and false reporting
bull Just this year the NYDFS fined Deutsche Bank $425 million
for violating anti-money laundering laws that involved
inadequate precautions to identify compliance issues
including
ndash Inaccurate and insufficient documentation
ndash Weak risk assessment
ndash Under-resourced staff
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Threat landscape Overview
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Timelines
180 days 1 year 18 months 2 years
Section 50002 Cybersecurity Program
Section 50004 (b) Chief Information Security Officer (CISO)
Section 50006 Audit Trail
Section 50011 Third Party Service Provider Security Policy
Section 50003 Cybersecurity Policy
Section 50005 Penetration Testing and Vulnerability Assessments
Section 50008 Application Security
Section 50007 Access Privileges
Section 50009 Risk Assessment
Section 50013 Limitations on Data Retention
Section 50010 Cybersecurity Personnel and Intelligence
Section 50012 Multi-Factor Authentication
Section 50014 (a)Training and Monitoring
Section 50016 Incident Response Plan
Section 50014 (b)Training and Monitoring
Section 50015 Encryption of Nonpublic Information
bull The requirements became effective on March 1 2017 with the
reporting requirement kicking in on February 15 2018
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Who must comply
bull Financial services based in New Yorkndash Banking institutions
ndash Savings and loan organizations
ndash Private bankers
ndash Trust companies
ndash Insurance agencies
ndash Health insurers
ndash Check cashers
Any financial institution that falls under NYDFS supervision
bull Exemptions include companies withndash fewer than 10 employees
ndash less than $5M in revenue (over last 3 years)
ndash less than $10M in total assets
Additional exemptions of sections 50004 50005 50006 50008 50010 50012 50014 50015 and 50016 vary for entities that do not handle access possess or own non-public information
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Why ISO 27001
bull Internationally recognized standard
bull Best-practice solution
bull Substantial eco-system of implementers
bull Leading companies have implementedndash Citibank
ndash Amazon Web Services
ndash IBM
ndash Microsoft
ndash The Federal Reserve Bank of New York
bull Co-ordinates multiple legal amp contractual compliance requirements
bull Built around business-focused risk assessment
bull Balances Confidentiality Integrity Availability
bull Achieve certification in a timely and cost-effective manner
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27001
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Gap analysisrisk assessment(Cybersecurity Program 5002)
bull A cybersecurity program must be informed by the results of a risk
assessment which determines the risks facing the organization its
information and its information systems
ndash This will enable the organization to select the relevant controls and additional
measures that might be applicable
bull Report on the state of organizational compliance
ndash A gap analysis should be conducted to determine the technical and
organizational measures your business will need to adopt in order to comply
with the Regulation
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Developing policies and procedures (Cybersecurity Policy Section 5003)
bull Information security
bull Data governance and classification
bull Asset inventory and device management
bull Access controls and identity management
bull Business continuity and disaster recovery planning and resources
bull Systems operations and availability concerns
bull Systems and network security
bull Systems and network monitoring
bull Physical security and environmental controls
bull Customer data privacy
bull Vendor and third-party service provider management
bull Risk assessment
bull Incident response
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Appointing personnel(Section 50010)
bull Cybersecurity personnel and intelligence
bull Integrated approach
bull Correct mix of skills are available and maintained
bull Awareness appropriate for cybersecurity issues
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incident response plan(Section 50016)
bull The Regulation requires a written incident response plan
bull An effective set of information security event and incident
arrangements can be established by considering the security
controls
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk Assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Financial services: one of the highest-ranked industries for breaches
• SecurityScorecard studied 361 global organizations that were breached between June 2015 and April 2016
• Of these, financial services organizations accounted for over 10%
Non-compliance and penalties
• Under Financial Services Law sections 102, 201, 202, 301, 302 and 408, the NYDFS Superintendent has the authority to:
– Impose civil penalties
– Impose fines for non-compliance with regulations and for false reporting
• Earlier this year (January 2017) the NYDFS fined Deutsche Bank $425 million for violating anti-money laundering laws; the case involved inadequate precautions to identify compliance issues, including:
– Inaccurate and insufficient documentation
– Weak risk assessment
– Under-resourced staff
Threat landscape: overview
• Threat actors: non-target specific; employees; terrorists; hacktivists; organized crime; natural disasters; nation states; competitors
• Attack vectors: people; processes; technology
• Threat targets: IP; card data; PII; money; reputation; commercial information
• Threat types: malware; web attacks; denial of service; social engineering; exploit kits; ransomware; etc.
Timelines
Transitional period allowed for each section of 23 NYCRR 500 (Section 500.22):
• 180 days
– Section 500.02 Cybersecurity Program
– Section 500.03 Cybersecurity Policy
– Section 500.07 Access Privileges
– Section 500.10 Cybersecurity Personnel and Intelligence
– Section 500.16 Incident Response Plan
• 1 year
– Section 500.04(b) Chief Information Security Officer (CISO) report
– Section 500.05 Penetration Testing and Vulnerability Assessments
– Section 500.09 Risk Assessment
– Section 500.12 Multi-Factor Authentication
– Section 500.14(b) Training and Monitoring
• 18 months
– Section 500.06 Audit Trail
– Section 500.08 Application Security
– Section 500.13 Limitations on Data Retention
– Section 500.14(a) Training and Monitoring
– Section 500.15 Encryption of Nonpublic Information
• 2 years
– Section 500.11 Third Party Service Provider Security Policy
• The Regulation took effect on March 1, 2017; the first annual certification of compliance (Section 500.17(b)) is due February 15, 2018
Who must comply
• Financial services firms operating under a New York banking, insurance or financial services license or registration, including:
– Banking institutions
– Savings and loan organizations
– Private bankers
– Trust companies
– Insurance agencies
– Health insurers
– Check cashers
In short, any financial institution that falls under NYDFS supervision
• A limited exemption applies to companies with:
– fewer than 10 employees
– less than $5M in gross annual revenue in each of the last 3 fiscal years
– less than $10M in year-end total assets
Such entities are exempt from sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 but remain subject to the rest of the Regulation
• Further exemptions apply to entities that do not handle, access, possess or own nonpublic information
Why ISO 27001
• Internationally recognized standard
• Best-practice solution
• Substantial ecosystem of implementers
• Leading companies have implemented it:
– Citibank
– Amazon Web Services
– IBM
– Microsoft
– The Federal Reserve Bank of New York
• Co-ordinates multiple legal & contractual compliance requirements
• Built around business-focused risk assessment
• Balances confidentiality, integrity and availability
• Achieve certification in a timely and cost-effective manner
ISO 27001 and its companion standards (structure diagram)
• ISO/IEC 27001:2013 – clauses 0 to 3 (introduction, scope/application, terms and definitions); clauses 4 to 10 (the ISMS requirements); Annex A, A.5 to A.18 (security control objectives and controls); Annex B (bibliography)
• ISO/IEC 27000:2016 – the vocabulary standard: terms and definitions used by 27001
• ISO/IEC 27002:2013 – clauses 1 to 4 (introduction, scope and normative references, terms and definitions, structure and risk assessment); clauses 5 to 18 (security control objectives and controls, each with the control statement, implementation guidance and other information)
Annex A: 14 control categories, 114 controls
• A.5 Information security policies
• A.6 Organization of information security
• A.7 Human resource security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance
Gap analysis / risk assessment (Cybersecurity Program, Section 500.02)
• A cybersecurity program must be informed by the results of a risk assessment that identifies the risks facing the organization, its information and its information systems
– The assessment is what lets the organization select the relevant Annex A controls and any additional measures that apply
– The risk assessment is itself a requirement (Section 500.09): it must be documented and repeated periodically, not done once
• Report on the state of organizational compliance
– Conduct a gap analysis to determine the technical and organizational measures your business needs to adopt in order to comply with the Regulation
[Screenshot: vsRisk™ (v2.x) risk assessment software; labels visible: NIST, PCI DSS]
Developing policies and procedures (Cybersecurity Policy, Section 500.03)
The cybersecurity policy must address the following areas, to the extent applicable to the entity's operations:
• Information security
• Data governance and classification
• Asset inventory and device management
• Access controls and identity management
• Business continuity and disaster recovery planning and resources
• Systems operations and availability concerns
• Systems and network security
• Systems and network monitoring
• Physical security and environmental controls
• Customer data privacy
• Vendor and third-party service provider management
• Risk assessment
• Incident response
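The two slides above (the Section 500.02/500.09 risk assessment and gap analysis, and the Section 500.03 policy areas) describe a procedure without showing it. The following Python is an added worked example, not from the webinar deck and not IT Governance's vsRisk product: it scores a small risk register, picks out the risks that need treatment, and reports two kinds of gap: treated-in-theory risks with no implemented Annex A control in their category, and 500.03 policy areas that no implemented control supports. The 1-to-5 likelihood and impact scales, the treatment threshold of 12, the sample risks and the control references are all assumptions made for illustration.

```python
from dataclasses import dataclass

# ISO/IEC 27001:2013 Annex A has 14 control categories, A.5 to A.18 (see the Annex A slide).
ANNEX_A_CATEGORIES = range(5, 19)

# The 13 areas 23 NYCRR 500.03 requires the cybersecurity policy to address (see above).
POLICY_AREAS_500_03 = (
    "information security",
    "data governance and classification",
    "asset inventory and device management",
    "access controls and identity management",
    "business continuity and disaster recovery planning and resources",
    "systems operations and availability concerns",
    "systems and network security",
    "systems and network monitoring",
    "physical security and environmental controls",
    "customer data privacy",
    "vendor and third-party service provider management",
    "risk assessment",
    "incident response",
)

# Assumed scoring scheme, not prescribed by the Regulation or by ISO 27001:
# likelihood and impact on 1..5, risk score = likelihood * impact, treat anything >= 12.
TREATMENT_THRESHOLD = 12


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    category: int     # Annex A category (5..18) whose controls would treat this risk

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        if self.category not in ANNEX_A_CATEGORIES:
            raise ValueError(f"unknown Annex A category: {self.category}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    ref: str            # Annex A control reference such as "A.9.4.2"
    policy_area: str    # the 500.03 policy area this control gives effect to
    implemented: bool   # False = selected (e.g. in the SoA) but not yet in place

    def __post_init__(self):
        if self.policy_area not in POLICY_AREAS_500_03:
            raise ValueError(f"not a 500.03 policy area: {self.policy_area}")
        if self.category not in ANNEX_A_CATEGORIES:
            raise ValueError(f"bad Annex A reference: {self.ref}")

    @property
    def category(self) -> int:
        return int(self.ref.split(".")[1])   # "A.9.4.2" -> 9


def risks_needing_treatment(risks, threshold=TREATMENT_THRESHOLD):
    """Risks at or above the treatment threshold, highest score first."""
    return sorted((r for r in risks if r.score >= threshold), key=lambda r: -r.score)


def gap_report(risks, controls, threshold=TREATMENT_THRESHOLD):
    """Two kinds of gap: risks needing treatment with no implemented control in their
    Annex A category, and 500.03 policy areas that no implemented control supports."""
    implemented = [c for c in controls if c.implemented]
    covered_categories = {c.category for c in implemented}
    covered_areas = {c.policy_area for c in implemented}
    untreated = [r for r in risks_needing_treatment(risks, threshold)
                 if r.category not in covered_categories]
    missing_areas = [a for a in POLICY_AREAS_500_03 if a not in covered_areas]
    return {"untreated_risks": untreated, "missing_policy_areas": missing_areas}


def sample_register():
    """Constructed sample data for a hypothetical bank; not from any real assessment."""
    risks = [
        Risk("customer database", "credential theft via phishing", 4, 5, 9),
        Risk("backup tapes", "loss in transit", 2, 4, 10),
        Risk("online banking app", "unpatched web application exploited", 3, 5, 14),
        Risk("core banking platform", "vendor breach exposes nonpublic information", 3, 4, 15),
    ]
    controls = [
        Control("A.9.4.2", "access controls and identity management", True),
        Control("A.12.4.1", "systems and network monitoring", True),
        Control("A.14.2.8", "systems and network security", False),
        Control("A.15.1.1", "vendor and third-party service provider management", True),
        Control("A.16.1.5", "incident response", True),
    ]
    return risks, controls
```

Running gap_report on the sample register flags the online banking risk (its only candidate control, A.14.2.8, is selected but not implemented) and nine of the thirteen policy areas, which is the list an auditor would expect the 500.03 policy work to start from. The point of separating "selected" from "implemented" is that a Statement of Applicability full of ticked controls is not evidence; only controls that are in place close a gap.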
Appointing personnel (Section 500.10)
• Cybersecurity personnel and intelligence: qualified people, in-house or via an affiliate or third-party service provider, to manage cybersecurity risk and perform the core cybersecurity functions
• Integrated approach
• Ensure the correct mix of skills is available and maintained, with cybersecurity updates and training for the personnel involved
• Awareness appropriate to current cybersecurity issues, so that key personnel keep pace with changing threats
Incident response plan (Section 500.16)
• The Regulation requires a written incident response plan, designed to respond promptly to, and recover from, any cybersecurity event that materially affects the confidentiality, integrity or availability of information systems or the continuing functionality of the business
• An effective set of information security event and incident arrangements can be built from the Annex A.16 controls (information security incident management)
• Note that Section 500.17 separately requires notice to the Superintendent within 72 hours of determining that a reportable cybersecurity event has occurred, so the plan's escalation path must be able to meet that deadline
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
◦ Part 1 – The Regulation and the ISO 27001 standard
◦ Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation: https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001: https://www.itgovernanceusa.com/risk_assessments
Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit – https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software – https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards – ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Questions and answers
Who must comply
bull Financial services based in New Yorkndash Banking institutions
ndash Savings and loan organizations
ndash Private bankers
ndash Trust companies
ndash Insurance agencies
ndash Health insurers
ndash Check cashers
Any financial institution that falls under NYDFS supervision
bull Exemptions include companies withndash fewer than 10 employees
ndash less than $5M in revenue (over last 3 years)
ndash less than $10M in total assets
Additional exemptions of sections 50004 50005 50006 50008 50010 50012 50014 50015 and 50016 vary for entities that do not handle access possess or own non-public information
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Why ISO 27001
bull Internationally recognized standard
bull Best-practice solution
bull Substantial eco-system of implementers
bull Leading companies have implementedndash Citibank
ndash Amazon Web Services
ndash IBM
ndash Microsoft
ndash The Federal Reserve Bank of New York
bull Co-ordinates multiple legal amp contractual compliance requirements
bull Built around business-focused risk assessment
bull Balances Confidentiality Integrity Availability
bull Achieve certification in a timely and cost-effective manner
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27001 and related standards (slide diagram; labels recovered from the figure)
• ISO 27001:2013 – clauses 0 to 3 (Introduction, Application, Terms and definitions); clauses 4 to 10; Annex A (A.5 to A.18: security control objectives and controls); Annex B
• ISO 27000:2016 (overview and vocabulary)
• ISO 27002:2013 – clauses 1 to 4 (Introduction, Scope and normative references, Terms and definitions, Structure and risk assessment); clauses 5 to 18 (security control objectives and controls, each presented as Control, Implementation guidance, Other information); Bibliography
Annex A – 14 control categories (114 controls)
• 5 Information security policies
• 6 Organization of information security
• 7 Human resources security
• 8 Asset management
• 9 Access control
• 10 Cryptography
• 11 Physical and environmental security
• 12 Operations security
• 13 Communications security
• 14 System acquisition, development and maintenance
• 15 Supplier relationships
• 16 Information security incident management
• 17 Information security aspects of business continuity management
• 18 Compliance
Gap analysis / risk assessment (Cybersecurity Program, Section 500.02)
• A cybersecurity program must be informed by the results of a risk assessment, which determines the risks facing the organization, its information and its information systems
  – This will enable the organization to select the relevant controls and additional measures that might be applicable
• Report on the state of organizational compliance
  – A gap analysis should be conducted to determine the technical and organizational measures your business will need to adopt in order to comply with the Regulation
vsRisk™ (v2.x) – product screenshot; labels visible in the figure: NIST, PCI DSS
Developing policies and procedures (Cybersecurity Policy, Section 500.03)
• Information security
• Data governance and classification
• Asset inventory and device management
• Access controls and identity management
• Business continuity and disaster recovery planning and resources
• Systems operations and availability concerns
• Systems and network security
• Systems and network monitoring
• Physical security and environmental controls
• Customer data privacy
• Vendor and third-party service provider management
• Risk assessment
• Incident response
Appointing personnel (Section 500.10)
• Cybersecurity personnel and intelligence
• Integrated approach
• The correct mix of skills is available and maintained
• Awareness appropriate for cybersecurity issues
Incident response plan (Section 500.16)
• The Regulation requires a written incident response plan
• An effective set of information security event and incident arrangements can be established by considering the security controls
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
  º Part 1 – The Regulation and the ISO 27001 standard
  º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation: https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk Assessment and ISO 27001: https://www.itgovernanceusa.com/risk_assessments
Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit – https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software – https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards – ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Questions and answers