Posted on 10-May-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

NY State’s Cybersecurity Legislation

Requirements for Risk Management, Security of Applications, and the Appointed CISO

June 28, 2017

Alan Calder

IT Governance Ltd

www.itgovernanceusa.com

PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING

Page 2

Introduction

• Alan Calder

• Founder of IT Governance Ltd

• Author of IT Governance: An International Guide to Data Security and ISO 27001/27002

• Led the world’s first successful implementation of ISO 27001 (then BS 7799)

Page 3

www.itgovernanceusa.com

Copyright IT Governance Ltd 2017 – v1.0

Leading global provider

• The single source for everything to do with cybersecurity, cyber risk management, and IT governance

• Our team of dedicated and knowledgeable trainers and consultants have helped over 400 organizations worldwide achieve ISO 27001 certification

• Our mission is to engage with business executives, senior managers, and IT professionals, and help them:

– Protect and secure their intellectual capital

– Comply with relevant regulations

– Thrive as they achieve strategic goals through better IT management

Page 4

Agenda

• Application security program (internal and external) and review by the CISO

• Overview of the risk assessment policy and procedures

• Setting up a program specific to your organization’s information systems and business operations

• Identifying cyber threats and how to incorporate controls

• Maintaining an audit trail to include detection and responses to cybersecurity events

• How ISO 27001 and vsRisk™ can provide the right tools to help you implement a successful program that meets compliance requirements

Page 5

Timelines

• This presentation covers the following compliance deadlines:

180 days (Aug. 28, 2017)

– Section 500.02 Cybersecurity Program

– Section 500.03 Cybersecurity Policy

– Section 500.04 (a) Chief Information Security Officer (CISO)

– Section 500.07 Access Privileges

– Section 500.10 Cybersecurity Personnel and Intelligence

– Section 500.16 Incident Response Plan

1 year

– Section 500.04 (b) CISO’s Report

– Section 500.05 Penetration Testing and Vulnerability Assessments

– Section 500.09 Risk Assessment

– Section 500.12 Multi-Factor Authentication

– Section 500.14 (b) Training and Monitoring

18 months

– Section 500.06 Audit Trail

– Section 500.08 Application Security

– Section 500.13 Limitations on Data Retention

– Section 500.14 (a) Training and Monitoring

– Section 500.15 Encryption of Nonpublic Information

2 years

– Section 500.11 Third Party Service Provider Security Policy

Page 6

NYDFS cybersecurity FAQs

Q: Is a Covered Entity required to certify compliance with all the requirements of 23 NYCRR 500 on February 15, 2018?

A: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) by February 15, 2018. This initial certification applies to and includes all requirements of 23 NYCRR Part 500 for which the applicable transitional period under 23 NYCRR 500.22 has terminated prior to February 15, 2018.

Accordingly, Covered Entities will not be required to submit certification of compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 until February 15, 2019, and certification of compliance with 23 NYCRR 500.11 until February 15, 2020.

Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm

Page 7

Appointing a chief information security officer (CISO) (Section 500.04 (a) 180-day requirement due by August 28, 2017)

• What to look for in a candidate

– A trustworthy advisor

– Understands the business processes and the organization as a whole

• Covered entities may choose to:

– Designate an internal staff member as CISO

º Benefits: will have an advantage in their understanding of how the business operates, which will enable them to better assess and guide what is needed to protect the organization

– Outsource the role to an affiliate or third party

º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party

º They may not have a clear picture of the business operations

Page 8

NYDFS cybersecurity FAQs

Q: To the extent a Covered Entity uses an employee of an Affiliate as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of 23 NYCRR 500.04(a)(2)-(3)?

A: To the extent a Covered Entity utilizes an employee of an Affiliate to serve as the Covered Entity's CISO for purposes of 23 NYCRR 500.04(a), the Affiliate is not considered a Third Party Service Provider for purposes of 23 NYCRR 500.04(a)(2)-(3).

However, the Covered Entity retains full responsibility for compliance with the requirements of 23 NYCRR Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.

Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm

Page 9

Role of the CISO (Section 500.04 (b) one-year requirement)

• Provide an annual report to the board of directors on the cybersecurity program and associated risks

• The following must be taken into consideration by the CISO:

– The confidentiality of nonpublic information and the integrity and security of the Covered Entity’s information systems

– The Covered Entity’s cybersecurity policies and procedures

– Material cyber risks to the Covered Entity

– The overall effectiveness of the Covered Entity’s cybersecurity program

– Material cybersecurity events involving the Covered Entity during the time period addressed by the report.

Page 10

Application security (Section 500.08)

• The cybersecurity program should include:

– Written procedures, guidelines and standards designed to ensure the use of secure development practices for internally developed applications used by the Covered Entity

– Procedures for evaluating, assessing or testing the security of externally developed applications used by the Covered Entity within the context of its technology environment

• All such procedures, guidelines, and standards shall be periodically reviewed, assessed, and updated as necessary by the CISO (or a qualified designee)

Page 11

Overview of the risk assessment policy and procedures (Section 500.09)

• Risk assessments of information systems should be carried out periodically to inform the design of the cybersecurity program

• The risk assessment must:

– be updated if there are any changes to information systems, nonpublic information, or business operations

– allow for revision of controls to respond to threats or any technological developments

– consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems

– be documented and implemented in accordance with written policies and procedures

• Policies and procedures should include:

– measures for the evaluation and classification of identified cybersecurity threats or risks

– conditions set for the assessment of the security, confidentiality and integrity, and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks

– a plan to determine how identified risks based on the risk assessment will be mitigated or accepted, and how the cybersecurity program will address the risks

Page 12

NYDFS cybersecurity FAQs

Q: How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other affiliates?

A: When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies (see 23 NYCRR Sections 500.09, 500.02 and 500.03, respectively).

Other regulatory requirements may also apply, depending on the individual facts and circumstances.

Source: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm

Page 13

Setting up a program specific to your organization’s information systems and business operations

• An effective program must place cybersecurity in the context of the business, and should be guided by two related considerations:

– How does cybersecurity enable the business?

– How does cyber risk affect the business?

• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.

• The company’s technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:

– Supply chain/third-party suppliers

– Product/service development

– Customer experience

– External influencers

Page 14

Elements of a strong cybersecurity strategy

• Set a vision: Describe how cybersecurity protects and enables value in your company.

• Sharpen your priorities: Your resources are finite, so focus on critical business assets.

• Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management, and strategic communications.

• Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you’ll need to adopt new methods for treating risk.

• Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness of the threat landscape.

• Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.

• Transform the culture: People are the core of the business, so cybersecurity is everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.

Page 15

New York breaches rose 60% in 2016

New York State Attorney General Eric T. Schneiderman released a summary of the year 2016, which revealed:

• 1,300 reported data breaches

• 60% increase from 2015

• 1.6 million New Yorkers’ personal records exposed

Page 16

2016 NY breaches caused by:

Page 17

Identifying cyber threats

The threat landscape

Threat actors

– Non-target specific

– Employees

– Terrorists

– Hacktivists

– Organized crime

– Natural disasters

– Nation states

– Competitors

Attack vectors

– People

– Processes

– Technology

Threat targets

– IP

– Card data

– PII

– Money

– Reputation

– Commercial info

Threat types

– Malware

– Web attacks

– Denial of service

– Social engineering

– Exploit kits

– Ransomware

– Other

Page 18

Resources for threat alerts

• Multi-State Information Sharing and Analysis Center (MS-ISAC)

– Provides alerts to current attacks and threats

– Partners with the Department of Homeland Security

– Free membership

– https://msisac.cisecurity.org/

• Financial Services Information Sharing and Analysis Center (FS-ISAC)

– The global financial industry’s resource for cyber and threat intelligence analysis and sharing

– Requires a membership fee

– https://www.fsisac.com/

Page 19

Incorporating controls

• Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by:

– identifying risks

– preventing risks through the design and implementation of controls

– monitoring and reporting on the effectiveness of those controls

– resolving compliance difficulties as they occur

– advising and training

• Categories of controls: Physical, Personnel, Procedural, Product/Technical

Page 20

Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)

• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:

– are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years

– include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years

Maintain 5 years: Material financial transactions

Maintain 3 years: Audit trails of cybersecurity events

Page 21

Annex A: 14 control categories

5 Infosec policies

6 Organization of infosec

7 Human resources security

8 Asset management

9 Access control

10 Cryptography

11 Physical and environmental sec.

12 Operations security

13 Comms security

14 System acq., dev. & mtnce.

15 Supplier relationships

16 Infosec incident management

17 Infosec aspects of BC mgmt.

18 Compliance

114 CONTROLS

Page 22

Best-practice cyber risk management

ISO 27001 and vsRisk

• Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.

• ISO 27001

– Internationally recognized standard

– Best-practice solution

– Substantial ecosystem of implementers

– Coordinates multiple legal and contractual compliance requirements

– Built around business-focused risk assessment

– Balances confidentiality, integrity, availability

– Achieve certification in a timely and cost-effective manner

• vsRisk™ software

– Gives you a clear picture of your risks and threats

– Provides a framework to start your cybersecurity program

– Save time, effort, and expense

Page 23

ISO 27000 family of standards

[Figure, not reproduced in this transcript: the structures of ISO 27000:2016, ISO 27001:2013 and ISO 27002:2013 side by side. Recoverable labels: clause ranges 0 to 3, 4 to 10, 1 to 4 and 5 to 18; Annex A: A.5 to Annex A: A.18; Annex B; Introduction; Application; Scope and norm ref.; Terms and definitions; Structure and risk ass.; Security control objectives and controls; Control, Implementation guidance, Other info; Bibliography.]

Page 24

Risk assessment software

Page 25

vsRisk™ (v3.0)

NIST, PCI DSS


Page 26

Valuable resources

• Next free webinar in this series

– NYDFS – a guide to risk assessment

• Free green papers: NYDFS Cybersecurity Requirements

º Part 1 – The Regulation and the ISO 27001 standard

º Part 2 – Mapped alignment with ISO 27001

• More information on ISO 27001 and the Regulation

º www.itgovernanceusa.com/iso27001-nydfs-cybersecurity

• Risk assessment and ISO 27001

º www.itgovernanceusa.com/iso27001-risk-assessment

Page 27

Books, standards, training, and tools

• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training

– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation

– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer

• ISO 27001 Cybersecurity Documentation Toolkit

– www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit

– Receive 20% off this toolkit when you book a place on any New York DFS Cybersecurity & ISO 27001 Live Online course.

• vsRisk™ – risk assessment software

– www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic

• ISO 27001 standards

– ISO/IEC 27001 2013 (ISO 27001 Standard) ISMS Requirements

Page 28

IT Governance Ltd: One-stop shop

All verticals, all sectors, all organizational sizes

Page 29

Join in the conversation

• Subscribe to our IT Governance LinkedIn group: NYDFS Cybersecurity Requirements

www.linkedin.com/groups/8598504

Page 30

Questions and answers