This webinar illustrates:
- The responsibility to appoint a CISO
- Application security program (internal and external) and review by the CISO
- Overview of the risk assessment policy and procedures
- Setting up a program specific to your organization's information systems and business operations
- Identifying cyber threats and how to incorporate controls
- Maintaining an audit trail to include detection and responses to cybersecurity events
- How ISO 27001 and vsRisk can provide the right tools to help you implement a successful program that meets compliance requirements
A recording of the webinar can be found here:
https://www.youtube.com/watch?v=URfAd2E37Eo
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
NY State's cybersecurity legislation requirements for risk management, security of applications, and the appointed CISO
1. NY State’s cybersecurity legislation
requirements for risk management, security of
applications, and the appointed CISO
March 23, 2017
Alan Calder
IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING
2. Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to
Data Security and ISO 27001/27002
• Led the world’s first successful implementation
of ISO 27001 (then BS 7799)
3. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Leading global provider
• The single source for everything to do with cybersecurity, cyber risk
management, and IT governance
• Our team of dedicated and knowledgeable trainers and consultants
have helped over 400 organizations worldwide achieve ISO 27001
certification
• Our mission is to engage with business executives, senior
managers, and IT professionals, and to help them:
Protect Comply Thrive
and secure their
intellectual capital
with relevant
regulations
as they achieve
strategic goals through
better IT management
4. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Agenda
• The responsibility to appoint a CISO
• Application security program (internal and external) and review
by the CISO
• Overview of the risk assessment policy and procedures
• Setting up a program specific to your organization’s information
systems and business operations
• Identifying cyber threats and how to incorporate controls
• Maintaining an audit trail to include detection and responses to
cybersecurity events
• How ISO 27001 and vsRisk can provide the right tools to help
you implement a successful program that meets compliance
requirements
4
5. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
1 year compliance deadlines
180 days 1 year 18 months 2 years
Section 500.02
Cybersecurity Program
Section 500.04 (b)
Chief Information Security
Officer (CISO)
Section 500.06
Audit Trail
Section 500.11
Third Party Service Provider
Security Policy
Section 500.03
Cybersecurity Policy
Section 500.05 Penetration
Testing and Vulnerability
Assessments
Section 500.08 Application
Security
Section 500.07
Access Privileges
Section 500.09
Risk Assessment
Section 500.13 Limitations
on Data Retention
Section 500.10
Cybersecurity Personnel
and Intelligence
Section 500.12 Multi-Factor
Authentication
Section 500.14 (a)
Training and Monitoring
Section 500.16
Incident Response Plan
Section 500.14 (b)
Training and Monitoring
Section 500.15 Encryption
of Nonpublic Information
• This presentation covers the following compliance deadlines
6. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Appointing a chief information security
officer (CISO) (Section 500.04 (a) 180-day requirement)
• What to look for in a candidate
– A trustworthy advisor
– Understands the business processes and the organization as a whole
• Covered entities may choose to:
– Designate an internal staff member as CISO
º Benefits: will have an advantage in understanding of how the business operates to better assess and
guide what is needed to protect the organization
– Outsource the role to an affiliate or third party
º With this option comes the additional measure of appointing a senior-level staff member to oversee
the third party
º May not have a clear picture of the business operations
7. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Role of the CISO (Section 500.04 (b) one-year requirement)
• Provide an annual report to the board of directors on the
cybersecurity program and associated risks
• The following must be taken into consideration by the CISO:
– Cybersecurity policies and procedures
– All material cybersecurity risks
– Nonpublic information confidentiality, the reliability and security of
information systems
– Effectiveness of the cybersecurity program
– Document of cybersecurity events that occurred during the year covered
in the report
8. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Application security (Section 500.09)
• Within the cybersecurity program, in-house-developed applications
shall include:
– written procedures, guidelines, and standards designed to ensure the use of
secure development practices
– procedures for evaluating, assessing, or testing the security of externally
developed applications utilized by the Covered Entity within the context of the
technology environment
• All such procedures, guidelines, and standards shall be periodically
reviewed, assessed, and updated as necessary by the CISO (or a
qualified designee)
9. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Overview of the risk assessment policy
and procedures (Section 500.09)
• Risk assessments of information systems should be done periodically to
inform the design of the cybersecurity program
• The risk assessment must:
– be updated if there are any changes to information systems, nonpublic information, or
business operations
– allow for revision of controls to respond to threat or any technological developments
– consider risks of operations that relate to cybersecurity, information systems, collected or
stored nonpublic information, and the effectiveness of controls to protect nonpublic
information and information systems
– be documented and implemented in accordance with written policies and procedures
• Policies and procedures are to include:
– measures for the evaluation and classification of identified cybersecurity threats or risks
– conditions set for the assessment of the security, confidentiality and integrity, and availability
information systems and nonpublic information, including the suitability of current controls
relating to identified risks
– a plan to determine how identified risks based on the risk assessment will be mitigated or
accepted, and how the cybersecurity program will address the risks
10. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Setting up a program specific to your
organization’s information systems and
business operations
• An effective program must place cybersecurity in the context of the
business, and should be guided by two related considerations:
– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage
and positions itself as a business enabler. If done right, cybersecurity
helps drive a consistent, high-quality customer experience.
• The company’s technology infrastructure should be on the forefront, but
a cybersecurity strategy should go further and also cover:
– Supply chain/third party suppliers
– Product/service development
– Customer experience
– External influencers
11. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Elements of a strong cybersecurity
strategy
• Set a vision: Describe how cybersecurity protects and enables value in your
company.
• Sharpen your priorities: Your resources are finite, so focus on critical business
assets.
• Build the right team: Ensure your security program has an appropriate mix of skill
sets, including organizational change management, crisis management, third-party
risk management, and strategic communications.
• Enhance your controls: To reflect the widening scope of your cybersecurity strategy,
you’ll need to adopt new methods for treating risk.
• Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness
of the threat landscape.
• Plan for contingencies: No one can be 100% secure, so a strong incident response
capability is essential in case something undesirable happens. Incident response is
not just a technology issue.
• Transform the culture: People are the core of the business, so cybersecurity is
everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to
each business area.
12. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
New York breaches rose 60% in 2016
New York State Attorney General Eric T. Schneiderman released a
summary of the year 2016 to reveal:
• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers’ personal records exposed
14. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
The threat landscape
Non-target
specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial
info
Malware
Web attacks
Denial of service
Social
engineering
Exploit kits
Ransomware
Etc.
Threat types
Identifying cyber threats
15. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
– Provides alerts to current attacks and threats
– Partners with the Department of Homeland Security
– Free membership
– https://msisac.cisecurity.org/
• Financial Services Information Sharing and Analysis Center FS-
ISAC)
– A global financial industry's resource for cyber and threat intelligence analysis
and sharing
– Requires a membership fee
– https://www.fsisac.com/
16. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Incorporating controls
• Cybersecurity compliance must
support compliance with
appropriate rules and regulations,
as well as organizational policies
and procedures, by:
– identifying risks
– preventing risks though the design
and implementation of controls
– monitoring and reporting on the
effectiveness of those controls
– resolving compliance difficulties as
they occur
– advising and training
Physical Personnel
Procedural Product/Technical
17. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Annex A: 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq., dev. &
mtnce.
16 Infosec incident management 17 Infosec aspects of BC mgmt.
18 Compliance
11 Physical and environmental sec.
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
18. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the
extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations; for not fewer than five years
– include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations; for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
19. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Best-practice cyber risk management
ISO 27001 and vsRisk
• Encompassing people, processes, and technology, ISO 27001’s
enterprise-wide approach to cybersecurity is tailored to the outcomes of
regular risk assessments so that organizations can mitigate the cyber
risks they actually face in the most cost-effective and efficient way.
• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity, availability
– Achieve certification in a timely and cost-effective manner
• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Providing a framework to start your cybersecurity program
– Save time, effort, and expense
20. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
ISO 27000x family of standards
0
to
3
4
to
10
Annex A: A.5
to
Annex A: A.18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security …
• Control objectives
• Controls
Introduction
Application
Terms and definitions
Security …
• Control objectives
• Controls
Introduction
Scope and norm ref.
Terms and definitions
Structure and risk ass.
Bibliography
Control
Implementation
guidance
Other info
ISO 27001:2013
ISO 27000:2016
ISO 27002:2013
23. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Valuable resources
• Free green papers:
NYDFS Cybersecurity Requirements:
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
º https://www.itgovernanceusa.com/risk_assessments
25. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Books, standards, training, and tools
• New York DFS Cybersecurity & ISO 27001
Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-
cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
– ISO/IEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
26. TM
www.itgoverrnanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Join in the conversation
• Subscribe to our IT Governance LinkedIn group:
NYDFS Cybersecurity Requirements
https://www.linkedin.com/groups/8598504