ny state’s cybersecurity legislation · its chief information security officer...
TRANSCRIPT
NY State’s Cybersecurity Legislation
Requirements for Risk Management, Security of
Applications, and the Appointed CISO
June 28, 2017
Alan Calder
IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING
Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to Data Security and ISO 27001/27002
• Led the world’s first successful implementationof ISO 27001 (then BS 7799)
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Leading global provider
• The single source for everything to do with cybersecurity, cyber risk
management, and IT governance
• Our team of dedicated and knowledgeable trainers and consultants
have helped over 400 organizations worldwide achieve ISO 27001
certification
• Our mission is to engage with business executives, senior
managers, and IT professionals, and help them:
Protect Comply Thrive
and secure their intellectual capital
with relevant regulations
as they achieve strategic goals through better IT management
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Agenda
• Application security program (internal and external) and review
by the CISO
• Overview of the risk assessment policy and procedures
• Setting up a program specific to your organization’s information
systems and business operations
• Identifying cyber threats and how to incorporate controls
• Maintaining an audit trail to include detection and responses to
cybersecurity events
• How ISO 27001 and vsRisk™ can provide the right tools to help
you implement a successful program that meets compliance
requirements
4
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Timelines
180 days (Aug. 28, 2017) 1 year 18 months 2 years
Section 500.02 Cybersecurity Program
Section 500.04 (b) CISO’s Report
Section 500.06 Audit Trail
Section 500.11 Third Party Service Provider Security Policy
Section 500.03 Cybersecurity Policy
Section 500.05 Penetration Testing and Vulnerability Assessments
Section 500.08 Application Security
Section 500.04 (a) Chief Information Security Officer (CISO)
Section 500.09 Risk Assessment
Section 500.13 Limitations on Data Retention
Section 500.07 Access Privileges
Section 500.12 Multi-Factor Authentication
Section 500.14 (a)Training and Monitoring
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.14 (b)Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
• This presentation covers the following compliance deadlines
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
NYDFS cybersecurity FAQs
Q: Is a Covered Entity required to certify compliance with all the
requirements of 23 NYCRR 500 on February 15, 2018?
A: Covered Entities are required to submit the first certification under 23
NYCRR 500.17(b) by February 15, 2018. This initial certification applies to and
includes all requirements of 23 NYCRR Part 500 for which the applicable
transitional period under 23 NYCRR 500.22 has terminated prior to February
15, 2018.
Accordingly, Covered Entities will not be required to submit certification of
compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06,
500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 until February 15, 2019,
and certification of compliance with 23 NYCRR 500.11 until February 15, 2020.
Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Appointing a chief information security
officer (CISO) (Section 500.04 (a) 180-day requirement due by
August 28, 2017)
• What to look for in a candidate
– A trustworthy advisor
– Understands the business processes and the organization as a whole
• Covered entities may choose to:
– Designate an internal staff member as CISOº Benefits: will have an advantage in their understanding of how the business operates, which will
enable them to better assess and guide what is needed to protect the organization
– Outsource the role to an affiliate or third partyº With this option comes the additional measure of appointing a senior-level staff member to oversee
the third party
º They may not have a clear picture of the business operations
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
NYDFS cybersecurity FAQs
Q: To the extent a Covered Entity uses an employee of an Affiliate as
its Chief Information Security Officer ("CISO"), is the Covered Entity
required to satisfy the requirements of 23 NYCRR 500.04(a)(2)-(3)?
A: To the extent a Covered Entity utilizes an employee of an Affiliate to
serve as the Covered Entity's CISO for purposes of 23 NYCRR 500.04(a), the
Affiliate is not considered a Third Party Service Provider for purposes of 23
NYCRR 500.04(a)(2)-(3).
However, the Covered Entity retains full responsibility for compliance with the
requirements of 23 NYCRR Part 500 at all times, including ensuring that the
CISO responsible for the Covered Entity is performing the duties consistent
with this Part.
Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Role of the CISO (Section 500.04 (b) one-year requirement)
• Provide an annual report to the board of directors on the
cybersecurity program and associated risks
• The following must be taken into consideration by the CISO:
– The confidentiality of nonpublic information and the integrity and
security of the Covered Entity’s information systems
– The Covered Entity’s cybersecurity policies and procedures
– Material cyber risks to the Covered Entity
– The overall effectiveness of the Covered Entity’s cybersecurity program
– Material cybersecurity events involving the Covered Entity during the
time period addressed by the report.
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Application security (Section 500.08)
• Within the cybersecurity program should include:
– Written procedures, guidelines and standards designed to ensure the use of
secure development practices for internally developed applications used by the
Covered Entity
– Procedures for evaluating, assessing or testing the security of externally
developed applications used by the covered entity within the context of its
technology environment
• All such procedures, guidelines, and standards shall be periodically
reviewed, assessed, and updated as necessary by the CISO (or a
qualified designee)
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Overview of the risk assessment policy and procedures (Section 500.09)
• Risk assessments of information systems should be carried out periodically
to inform the design of the cybersecurity program
• The risk assessment must:– be updated if there are any changes to information systems, nonpublic information, or
business operations
– allow for revision of controls to respond to threats or any technological developments
– consider risks of operations that relate to cybersecurity, information systems, collected or
stored nonpublic information, and the effectiveness of controls to protect nonpublic
information and information systems
– be documented and implemented in accordance with written policies and procedures
• Policies and procedures should include:– measures for the evaluation and classification of identified cybersecurity threats or risks
– conditions set for the assessment of the security, confidentiality and integrity, and availability
of information systems and nonpublic information, including the suitability of current controls
relating to identified risks
– a plan to determine how identified risks based on the risk assessment will be mitigated or
accepted, and how the cybersecurity program will address the risks
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
NYDFS cybersecurity FAQs
Q: How must a Covered Entity address cybersecurity issues with
respect to its subsidiaries and other affiliates?
A: When a subsidiary or other affiliate of a Covered Entity presents risks to
the Covered Entity’s Information Systems or the Nonpublic Information stored
on those Information Systems, those risks must be evaluated and addressed
in the Covered Entity’s Risk Assessment, cybersecurity program and
cybersecurity policies (see 23 NYCRR Sections 500.09, 500.02 and 500.03,
respectively).
Other regulatory requirements may also apply, depending on the individual
facts and circumstances.
Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Setting up a program specific to your
organization’s information systems and
business operations
• An effective program must place cybersecurity in the context of the business, and should be guided by two related considerations:– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.
• The company’s technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:– Supply chain/third-party suppliers
– Product/service development
– Customer experience
– External influencers
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Elements of a strong cybersecurity
strategy
• Set a vision: Describe how cybersecurity protects and enables value in your company.
• Sharpen your priorities: Your resources are finite, so focus on critical business assets.
• Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management, and strategic communications.
• Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you’ll need to adopt new methods for treating risk.
• Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness of the threat landscape.
• Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
• Transform the culture: People are the core of the business, so cybersecurity is everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
New York breaches rose 60% in 2016
New York State Attorney General Eric T. Schneiderman released a
summary of the year 2016, which revealed:
• 1,300 reported data breaches
• 60% increase from 2015
• 1.6 million New Yorkers’ personal records exposed
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
2016 NY breaches caused by:
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Other
Threat types
Identifying cyber threats
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
– Provides alerts to current attacks and threats
– Partners with the Department of Homeland Security
– Free membership
– https://msisac.cisecurity.org/
• Financial Services Information Sharing and Analysis Center
(FS-ISAC)
– A global financial industry's resource for cyber and threat intelligence analysis
and sharing
– Requires a membership fee
– https://www.fsisac.com/
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Incorporating controls
• Cybersecurity compliance must
support compliance with
appropriate rules and regulations,
as well as organizational policies
and procedures, by:
– identifying risks
– preventing risks though the design
and implementation of controls
– monitoring and reporting on the
effectiveness of those controls
– resolving compliance difficulties as
they occur
– advising and training
Physical Personnel
Procedural Product/Technical
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the
extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations, for not fewer than five years
– include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations, for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Annex A: 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq., dev. &
mtnce.
16 Infosec incident management 17 Infosec aspects of BC mgmt.
18 Compliance
11 Physical and environmental sec.
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Best-practice cyber risk management
ISO 27001 and vsRisk
• Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
• ISO 27001– Internationally recognized standard– Best-practice solution– Substantial ecosystem of implementers– Coordinates multiple legal and contractual compliance requirements– Built around business-focused risk assessment– Balances confidentiality, integrity, availability– Achieve certification in a timely and cost-effective manner
• vsRisk™ software – Gives you a clear picture of your risks and threats– Providing a framework to start your cybersecurity program– Save time, effort, and expense
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
ISO 27000 family of standards
0
to
3
4
to
10
Annex A: A.5
to
Annex A: A.18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security…
• Control objectives
• Controls
Introduction
Application
Terms and definitions
Security…
• Control objectives
• Controls
Introduction
Scope and norm ref.
Terms and definitions
Structure and risk ass.
Bibliography
Control
Implementation
guidance
Other info
ISO 27001:2013
ISO 27000:2016
ISO 27002:2013
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Risk assessment software
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
vsRisk™ (v3.0)
NIST, PCI DSS
Watch our video >>
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Valuable resources
• Next free webinar in this series– NYDFS – a guide to risk assessment
• Free green papersNYDFS Cybersecurity Requirements:
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulationº www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001º www.itgovernanceusa.com/iso27001-risk-assessment
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Books, standards, training, and tools
• New York DFS Cybersecurity & ISO 27001Certified ISMS online training– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit– www.itgovernanceusa.com/shop/product/iso-27001-
cybersecurity-documentation-toolkitReceive 20% off this toolkit when you book a place on any New York DFS Cybersecurity & ISO 27001 Live Online course.
• vsRisk™ – risk assessment software– www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards– ISO/IEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
IT Governance Ltd: One-stop shop
All verticals, all sectors, all organizational sizes
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Join in the conversation
• Subscribe to our IT Governance LinkedIn group:
NYDFS Cybersecurity Requirementswww.linkedin.com/groups/8598504
TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Questions and answers