NY State’s cybersecurity legislation
requirements for risk management, security of
applications, and the appointed CISO
March 23, 2017
Alan Calder
IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING
Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to
Data Security and ISO 27001/27002
• Led the world’s first successful implementation
of ISO 27001 (then BS 7799)
www.itgovernanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Leading global provider
• The single source for everything to do with cybersecurity, cyber risk
management, and IT governance
• Our team of dedicated and knowledgeable trainers and consultants
have helped over 400 organizations worldwide achieve ISO 27001
certification
• Our mission is to engage with business executives, senior
managers, and IT professionals, and to help them:
– Protect and secure their intellectual capital
– Comply with relevant regulations
– Thrive as they achieve strategic goals through better IT management
Agenda
• The responsibility to appoint a CISO
• Application security program (internal and external) and review
by the CISO
• Overview of the risk assessment policy and procedures
• Setting up a program specific to your organization’s information
systems and business operations
• Identifying cyber threats and how to incorporate controls
• Maintaining an audit trail to include detection and responses to
cybersecurity events
• How ISO 27001 and vsRisk can provide the right tools to help
you implement a successful program that meets compliance
requirements
1 year compliance deadlines
• This presentation covers the following compliance deadlines
180 days:
– Section 500.02 Cybersecurity Program
– Section 500.03 Cybersecurity Policy
– Section 500.07 Access Privileges
– Section 500.10 Cybersecurity Personnel and Intelligence
– Section 500.16 Incident Response Plan
1 year:
– Section 500.04 (b) Chief Information Security Officer (CISO)
– Section 500.05 Penetration Testing and Vulnerability Assessments
– Section 500.09 Risk Assessment
– Section 500.12 Multi-Factor Authentication
– Section 500.14 (b) Training and Monitoring
18 months:
– Section 500.06 Audit Trail
– Section 500.08 Application Security
– Section 500.13 Limitations on Data Retention
– Section 500.14 (a) Training and Monitoring
– Section 500.15 Encryption of Nonpublic Information
2 years:
– Section 500.11 Third Party Service Provider Security Policy
Appointing a chief information security officer (CISO) (Section 500.04 (a) 180-day requirement)
• What to look for in a candidate
– A trustworthy advisor
– Understands the business processes and the organization as a whole
• Covered entities may choose to:
– Designate an internal staff member as CISO
º Benefit: already understands how the business operates, and so is better placed to assess and
guide what is needed to protect the organization
– Outsource the role to an affiliate or third party
º With this option comes the additional measure of appointing a senior-level staff member to oversee
the third party
º May not have a clear picture of the business operations
Role of the CISO (Section 500.04 (b) one-year requirement)
• Provide an annual report to the board of directors on the
cybersecurity program and associated risks
• The following must be taken into consideration by the CISO:
– Cybersecurity policies and procedures
– All material cybersecurity risks
– Nonpublic information confidentiality, the reliability and security of
information systems
– Effectiveness of the cybersecurity program
– Documentation of cybersecurity events that occurred during the year covered
in the report
Application security (Section 500.08)
• Within the cybersecurity program, the following shall be in place for
in-house-developed applications:
– written procedures, guidelines, and standards designed to ensure the use of
secure development practices
– procedures for evaluating, assessing, or testing the security of externally
developed applications utilized by the Covered Entity within the context of the
technology environment
• All such procedures, guidelines, and standards shall be periodically
reviewed, assessed, and updated as necessary by the CISO (or a
qualified designee)
Overview of the risk assessment policy and procedures (Section 500.09)
• Risk assessments of information systems should be done periodically to
inform the design of the cybersecurity program
• The risk assessment must:
– be updated if there are any changes to information systems, nonpublic information, or
business operations
– allow for revision of controls to respond to threats or to technological developments
– consider risks of operations that relate to cybersecurity, information systems, collected or
stored nonpublic information, and the effectiveness of controls to protect nonpublic
information and information systems
– be documented and implemented in accordance with written policies and procedures
• Policies and procedures are to include:
– measures for the evaluation and classification of identified cybersecurity threats or risks
– criteria for assessing the confidentiality, integrity, security, and availability of
information systems and nonpublic information, including the suitability of current controls
relating to identified risks
– a plan to determine how identified risks based on the risk assessment will be mitigated or
accepted, and how the cybersecurity program will address the risks
Setting up a program specific to your
organization’s information systems and
business operations
• An effective program must place cybersecurity in the context of the
business, and should be guided by two related considerations:
– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage
and positions itself as a business enabler. If done right, cybersecurity
helps drive a consistent, high-quality customer experience.
• The company’s technology infrastructure should be at the forefront, but
a cybersecurity strategy should go further and also cover:
– Supply chain/third party suppliers
– Product/service development
– Customer experience
– External influencers
Elements of a strong cybersecurity strategy
• Set a vision: Describe how cybersecurity protects and enables value in your
company.
• Sharpen your priorities: Your resources are finite, so focus on critical business
assets.
• Build the right team: Ensure your security program has an appropriate mix of skill
sets, including organizational change management, crisis management, third-party
risk management, and strategic communications.
• Enhance your controls: To reflect the widening scope of your cybersecurity strategy,
you’ll need to adopt new methods for treating risk.
• Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness
of the threat landscape.
• Plan for contingencies: No one can be 100% secure, so a strong incident response
capability is essential in case something undesirable happens. Incident response is
not just a technology issue.
• Transform the culture: People are the core of the business, so cybersecurity is
everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to
each business area.
New York breaches rose 60% in 2016
New York State Attorney General Eric T. Schneiderman released a
summary of the year 2016 to reveal:
• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers’ personal records exposed
2016 NY breaches caused by: (chart)
Identifying cyber threats
The threat landscape
• Threat actors: Non-target specific, Employees, Terrorists, Hacktivists, Organized crime,
Natural disasters, Nation states, Competitors
• Attack vectors: People, Processes, Technology
• Threat targets: IP, Card data, PII, Money, Reputation, Commercial info
• Threat types: Malware, Web attacks, Denial of service, Social engineering, Exploit kits,
Ransomware, etc.
Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
– Provides alerts to current attacks and threats
– Partners with the Department of Homeland Security
– Free membership
– https://msisac.cisecurity.org/
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
– The global financial industry's resource for cyber and threat intelligence analysis
and sharing
– Requires a membership fee
– https://www.fsisac.com/
Incorporating controls
• Cybersecurity must support compliance with the applicable rules and regulations,
as well as organizational policies and procedures, by:
– identifying risks
– preventing risks through the design and implementation of controls
– monitoring and reporting on the effectiveness of those controls
– resolving compliance difficulties as they occur
– advising and training
• Control types: Physical, Personnel, Procedural, Product/Technical
Annex A: 14 control categories (114 controls)
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the
extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations, with those records maintained for
not fewer than five years
– include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations, with those audit trails maintained for
not fewer than three years
• Retention: material financial transactions – maintain 5 years; audit trails of
cybersecurity events – maintain 3 years
Best-practice cyber risk management
ISO 27001 and vsRisk
• Encompassing people, processes, and technology, ISO 27001’s
enterprise-wide approach to cybersecurity is tailored to the outcomes of
regular risk assessments so that organizations can mitigate the cyber
risks they actually face in the most cost-effective and efficient way.
• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity, availability
– Achieve certification in a timely and cost-effective manner
• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Provides a framework to start your cybersecurity program
– Saves time, effort, and expense
ISO 27000x family of standards
(diagram of the structure of the three standards)
• ISO 27001:2013 – clauses 0 to 3 (Introduction, Application, Terms and definitions, the
latter drawing on ISO 27000:2016); clauses 4 to 10; Annex A: A.5 to A.18 (security control
objectives and controls); Annex B
• ISO 27002:2013 – clauses 1 to 4 (Introduction, Scope and normative references, Terms and
definitions, Structure and risk assessment); clauses 5 to 18 (security control objectives
and controls, each giving the Control, Implementation guidance, and Other information);
Bibliography
Risk assessment software (screenshot)
vsRisk™ (v2.x) – NIST, PCI DSS (screenshot)
Valuable resources
• Free green papers:
NYDFS Cybersecurity Requirements:
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
º https://www.itgovernanceusa.com/risk_assessments
IT Governance Ltd: One-stop shop
All verticals, all sectors, all organizational sizes
Books, standards, training, and tools
• New York DFS Cybersecurity & ISO 27001
Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-
cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
– ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Join in the conversation
• Subscribe to our IT Governance LinkedIn group:
NYDFS Cybersecurity Requirements
https://www.linkedin.com/groups/8598504
Questions and answers

Contenu connexe

Tendances

1211000-792-2-Promontory - Data Mapping Slides 06-06-16
1211000-792-2-Promontory - Data Mapping Slides 06-06-161211000-792-2-Promontory - Data Mapping Slides 06-06-16
1211000-792-2-Promontory - Data Mapping Slides 06-06-16
jbauerofprivacy
 
Datum DPO outsourced May 2016
Datum DPO outsourced May 2016Datum DPO outsourced May 2016
Datum DPO outsourced May 2016
Mark Honeyball
 

Tendances (20)

Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPR
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance 
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer
 
Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for compliance
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPR
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
11 European Privacy Regulations That Could Cost You €1 Million in Fines
11 European Privacy Regulations That Could Cost You €1 Million in Fines 11 European Privacy Regulations That Could Cost You €1 Million in Fines
11 European Privacy Regulations That Could Cost You €1 Million in Fines
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketing
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
1211000-792-2-Promontory - Data Mapping Slides 06-06-16
1211000-792-2-Promontory - Data Mapping Slides 06-06-161211000-792-2-Promontory - Data Mapping Slides 06-06-16
1211000-792-2-Promontory - Data Mapping Slides 06-06-16
 
20170323 are you ready the new gdpr is here
20170323 are you ready the new gdpr is here20170323 are you ready the new gdpr is here
20170323 are you ready the new gdpr is here
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can Help
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017
 
Datum DPO outsourced May 2016
Datum DPO outsourced May 2016Datum DPO outsourced May 2016
Datum DPO outsourced May 2016
 
GDPR in a nutshell
GDPR in a nutshellGDPR in a nutshell
GDPR in a nutshell
 

Similaire à NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan M
Mohan M
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
CYBER SENSE
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
Taiye Lambo
 

Similaire à NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO (20)

CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan M
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service Presentation
 
Strategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdfStrategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdf
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law Requirements
 
Implementing a Security Management Framework
Implementing a Security Management FrameworkImplementing a Security Management Framework
Implementing a Security Management Framework
 
CompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to knowCompTIA cysa+ certification changes: Everything you need to know
CompTIA cysa+ certification changes: Everything you need to know
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
 
Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020Kmicro Cybersecurity Offerings 2020
Kmicro Cybersecurity Offerings 2020
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015
 
webapplication-security-assessment-casestudy
webapplication-security-assessment-casestudy webapplication-security-assessment-casestudy
webapplication-security-assessment-casestudy
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
 
IASA ey deck presentation
IASA ey deck presentationIASA ey deck presentation
IASA ey deck presentation
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
 

Plus de IT Governance Ltd

Plus de IT Governance Ltd (11)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0
 

Dernier

Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
amitlee9823
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
daisycvs
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
amitlee9823
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
dollysharma2066
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
amitlee9823
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
dlhescort
 

Dernier (20)

Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO

1. NY State’s cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO
March 23, 2017
Alan Calder, IT Governance Ltd, www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING
2. Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to Data Security and ISO 27001/27002
• Led the world’s first successful implementation of ISO 27001 (then BS 7799)
3. Leading global provider
• The single source for everything to do with cybersecurity, cyber risk management, and IT governance
• Our team of dedicated and knowledgeable trainers and consultants have helped over 400 organizations worldwide achieve ISO 27001 certification
• Our mission is to engage with business executives, senior managers, and IT professionals, and to help them:
– Protect and secure their intellectual capital
– Comply with relevant regulations
– Thrive as they achieve strategic goals through better IT management
4. Agenda
• The responsibility to appoint a CISO
• Application security program (internal and external) and review by the CISO
• Overview of the risk assessment policy and procedures
• Setting up a program specific to your organization’s information systems and business operations
• Identifying cyber threats and how to incorporate controls
• Maintaining an audit trail to include detection and responses to cybersecurity events
• How ISO 27001 and vsRisk can provide the right tools to help you implement a successful program that meets compliance requirements
5. 1 year compliance deadlines
• 180 days:
– Section 500.02 Cybersecurity Program
– Section 500.03 Cybersecurity Policy
– Section 500.07 Access Privileges
– Section 500.10 Cybersecurity Personnel and Intelligence
– Section 500.16 Incident Response Plan
• 1 year:
– Section 500.04 (b) Chief Information Security Officer (CISO)
– Section 500.05 Penetration Testing and Vulnerability Assessments
– Section 500.09 Risk Assessment
– Section 500.12 Multi-Factor Authentication
– Section 500.14 (b) Training and Monitoring
• 18 months:
– Section 500.06 Audit Trail
– Section 500.08 Application Security
– Section 500.13 Limitations on Data Retention
– Section 500.14 (a) Training and Monitoring
– Section 500.15 Encryption of Nonpublic Information
• 2 years:
– Section 500.11 Third Party Service Provider Security Policy
• This presentation covers the following compliance deadlines
6. Appointing a chief information security officer (CISO) (Section 500.04 (a), 180-day requirement)
• What to look for in a candidate
– A trustworthy advisor
– Understands the business processes and the organization as a whole
• Covered entities may choose to:
– Designate an internal staff member as CISO
º Benefits: will have an advantage in understanding how the business operates, to better assess and guide what is needed to protect the organization
– Outsource the role to an affiliate or third party
º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party
º May not have a clear picture of the business operations
7. Role of the CISO (Section 500.04 (b), one-year requirement)
• Provide an annual report to the board of directors on the cybersecurity program and associated risks
• The following must be taken into consideration by the CISO:
– Cybersecurity policies and procedures
– All material cybersecurity risks
– Confidentiality of nonpublic information, and the reliability and security of information systems
– Effectiveness of the cybersecurity program
– Documentation of cybersecurity events that occurred during the year covered in the report
8. Application security (Section 500.09)
• Within the cybersecurity program, in-house-developed applications shall include:
– written procedures, guidelines, and standards designed to ensure the use of secure development practices
– procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the Covered Entity within the context of the technology environment
• All such procedures, guidelines, and standards shall be periodically reviewed, assessed, and updated as necessary by the CISO (or a qualified designee)
9. Overview of the risk assessment policy and procedures (Section 500.09)
• Risk assessments of information systems should be done periodically to inform the design of the cybersecurity program
• The risk assessment must:
– be updated if there are any changes to information systems, nonpublic information, or business operations
– allow for revision of controls to respond to threats or any technological developments
– consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems
– be documented and implemented in accordance with written policies and procedures
• Policies and procedures are to include:
– measures for the evaluation and classification of identified cybersecurity threats or risks
– criteria for the assessment of the security, confidentiality, integrity, and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks
– a plan to determine how risks identified by the risk assessment will be mitigated or accepted, and how the cybersecurity program will address those risks
10. Setting up a program specific to your organization’s information systems and business operations
• An effective program must place cybersecurity in the context of the business, and should be guided by two related considerations:
– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.
• The company’s technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
– Supply chain/third-party suppliers
– Product/service development
– Customer experience
– External influencers
11. Elements of a strong cybersecurity strategy
• Set a vision: Describe how cybersecurity protects and enables value in your company.
• Sharpen your priorities: Your resources are finite, so focus on critical business assets.
• Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management, and strategic communications.
• Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you’ll need to adopt new methods for treating risk.
• Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness of the threat landscape.
• Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
• Transform the culture: People are the core of the business, so cybersecurity is everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.
12. New York breaches rose 60% in 2016
New York State Attorney General Eric T. Schneiderman released a summary of the year 2016 to reveal:
• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers’ personal records exposed
13. 2016 NY breaches caused by: (chart)
14. Identifying cyber threats: the threat landscape
• Threat actors: non-target specific, employees, terrorists, hacktivists, organized crime, natural disasters, nation states, competitors
• Attack vectors: people, processes, technology
• Threat targets: IP, card data, PII, money, reputation, commercial info
• Threat types: malware, web attacks, denial of service, social engineering, exploit kits, ransomware, etc.
15. Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
– Provides alerts to current attacks and threats
– Partners with the Department of Homeland Security
– Free membership
– https://msisac.cisecurity.org/
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
– A global financial industry resource for cyber and threat intelligence analysis and sharing
– Requires a membership fee
– https://www.fsisac.com/
16. Incorporating controls
• Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by:
– identifying risks
– preventing risks through the design and implementation of controls
– monitoring and reporting on the effectiveness of those controls
– resolving compliance difficulties as they occur
– advising and training
• Control types: physical, personnel, procedural, product/technical
17. Annex A: 14 control categories (114 controls)
• 5 Infosec policies
• 6 Organization of infosec
• 7 Human resources security
• 8 Asset management
• 9 Access control
• 10 Cryptography
• 11 Physical and environmental sec.
• 12 Operations security
• 13 Comms security
• 14 System acq., dev. & mtnce.
• 15 Supplier relationships
• 16 Infosec incident management
• 17 Infosec aspects of BC mgmt.
• 18 Compliance
18. Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years
– include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years
• Maintain 5 years: material financial transactions
• Maintain 3 years: audit trails of cybersecurity events
19. Best-practice cyber risk management: ISO 27001 and vsRisk
• Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity, availability
– Achieve certification in a timely and cost-effective manner
• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Provides a framework to start your cybersecurity program
– Saves time, effort, and expense
20. ISO 27000x family of standards (diagram)
• ISO 27000:2016: Introduction, Application, Terms and definitions
• ISO 27001:2013: clauses 0 to 3; clauses 4 to 10; Annex A: A.5 to A.18 (Security … • Control objectives • Controls); Annex B
• ISO 27002:2013: clauses 1 to 4 (Introduction, Scope and norm. ref., Terms and definitions, Structure and risk ass.); clauses 5 to 18 (Security … • Control objectives • Controls, each with Control, Implementation guidance, Other info); Bibliography
21. Risk assessment software
22. vsRisk™ (v2.x): NIST, PCI DSS
23. Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements:
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
º https://www.itgovernanceusa.com/risk_assessments
24. IT Governance Ltd: One-stop shop
All verticals, all sectors, all organizational sizes
25. Books, standards, training, and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
– ISO/IEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
26. Join in the conversation
• Subscribe to our IT Governance LinkedIn group: NYDFS Cybersecurity Requirements
https://www.linkedin.com/groups/8598504
27. Questions and answers