
Building Your New York State Financial Services Cyber Compliance Plan

Cybercast by ITPG Secure Compliance is proud to present Building Your New York State Financial Services Cyber Compliance Plan: the most critical first steps for mid-size banks, financial and insurance firms. The presenter is David Kim, ITPG Secure Compliance Principal Consultant, Governance Risk and Compliance. To watch the video, go to https://www.brighttalk.com/webcast/14987/253177. For more information visit www.itpgsecure.com.



  1. Building Your NY State Financial Services Cyber Compliance Plan
     What, Why, How, & When to comply with the Dept. of Financial Services 23 NYCRR 500 – Cybersecurity Requirements
     Presented by: David Kim, CISSP, PCI QSA, SVP Information Security | GRC, ITPG Secure Compliance, dk@itpgsecure.com, https://itpgsecure.com
  2. Agenda
     What
     • Cyber Security Plan required for DFS-regulated companies
     • Fines & penalties to be levied for non-compliance
     Who
     • Covered Entities under the Banking Law, Insurance Law or Financial Services Law
     How
     • Conduct a NY State Cyber Security Gap Analysis
     • The NY DFS Reg Gap Analysis Tool
     • Develop a Financial Cyber Security Gap Remediation Plan
     • Perform Cyber Security Gap Remediation
     • Document a final Certificate of Compliance
     When
     • Effective date: March 1, 2017
     • Certificate of Compliance: February 15, 2018
     • Transitional dates: March 1, 2018 and March 1, 2019
  3. Section 500.00 – Introduction
     The financial services industry is a significant target of cyber security risks, threats, & vulnerabilities. Given this risk, the NY State Dept. of Financial Services (DFS) has developed this minimum regulatory standard for cyber security.
     Regulation focuses on:
     • Protection of customer information
     • Protection of information technology systems of regulated entities
     Regulation requires:
     • Organizations to assess their risk profiles
     • A security program that addresses these risks
     • Annual certification confirming compliance
  4. Section 500.00 – Introduction: NEW New York Cybersecurity Mandate
     The financial services sector is a significant target of cyber attacks. The mandate requires:
     • Protection of customer information
     • Protection of information technology systems of regulated entities
     • Organizations to assess their risk profiles
     • Design of a program that addresses these risks
     • Annual certification confirming compliance
  5. Key Dates for NY Cyber Regulations
     • March 1, 2017 – 23 NYCRR Part 500 becomes effective.
     • August 28, 2017 – 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
     • September 27, 2017 – Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
     • February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
     • March 1, 2018 – One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
     • September 3, 2018 – Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
     • March 1, 2019 – Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
  6. Timeline for Compliance – Next Steps for Planning
     [Timeline chart: sections placed along the transitional period axis 3/1/17, 8/28/17 (6 months), 3/1/18 (12 months), 9/1/18 (18 months), 24 months; first certification 2/15/18.]
     Sections shown on the chart: 500.02 Cybersecurity Program; 500.03 Cybersecurity Policy; 500.04 Chief Information Security Officer; 500.04b Chief Information Security Officer – Reporting; 500.05 Penetration Testing & Vulnerability; 500.06 Audit Trails; 500.07 Access Privileges; 500.08 Application Security; 500.09 Risk Assessment; 500.10 Cybersecurity Personnel & Intelligence; 500.11 Third Party Service Provider Security Policy; 500.12 Multi-Factor Authentication; 500.13 Limitations of Data Retention; 500.14a Training & Monitoring – Monitoring Implementation; 500.14b Training & Monitoring Implementation; 500.15 Encryption of Nonpublic Information; 500.16 Incident Response Plan; 500.17 Notices to Superintendent.
  7. Section 500.02 – Cybersecurity Program (Deadline: 3/1/2018)
     • Annual Risk Assessment (Due Date: 3/1/2018)
     • Cyber Policies & Procedures (Due Date: 9/1/2018)
     • Data Classification (Due Date: 9/1/2018)
     • Audit & Monitoring (Due Date: 9/1/2018)
     • Incident Response (Due Date: 3/1/2018)
     • Certificate of Compliance (Due Date: 3/1/2019)
     The cybersecurity program must address C-I-A (confidentiality, integrity, availability) and must protect Non-public Information.
     Figure from: D. Kim & M. Solomon, "Fundamentals of Information Systems Security", 3rd Edition, Jones & Bartlett Learning (C)
  8. Section 500.03 – Cybersecurity Policy (Due Date: 9/1/2018)
     Cyber Security Policy: each Covered Entity is required to have a written policy and procedure definition, approved by a senior officer or the organization's board, across the following 14 domains or categories (NY State Financial Services Cybersecurity Domains):
     • Information Security
     • Data Governance & Classification
     • Asset Inventory & Device Management
     • Access Controls & Identity Management
     • Business Continuity & Disaster Recovery
     • Systems Operations & Availability Concerns
     • System & Network Security
     • Systems & Network Monitoring
     • Systems & Application Dev. & Quality Assurance
     • Physical Security & Environment Controls
     • Customer Data Privacy
     • Vendor & 3rd Party Service Provider Management
     • Risk Assessment
     • Incident Response
  9. Section 500.04 – Chief Information Security Officer
     a. CISO – responsible for overseeing and implementing the cybersecurity program, P&P's, etc. (Due Date: 3/1/2018)
     • Responsible for compliance
     • Can designate a senior member responsible for managing the vCISO or 3rd party provider
     • Require the 3rd party provider to maintain a cybersecurity program on behalf of the organization
     b. Reporting – responsible for providing the Covered Entity a report in writing to the Board or equivalent body (Due Date: 3/1/2019), covering:
     • Confidentiality of non-public information & integrity and security of the IT infrastructure
     • The Covered Entity's implementation of policies and procedures
     • Any identified material risks to the Covered Entity
     • Overall effectiveness of the Covered Entity's cybersecurity program
     • Material cybersecurity events involving the Covered Entity during the past year
  10. Section 500.05 – Penetration Testing & Vulnerability Assessments (Due Date: 3/1/2018)
     Financial sector requirements:
     • Perform annual penetration testing (white hat hacker)
     • Perform bi-annual vulnerability assessments & remediation (security tester)
  11. Section 500.06 – Audit Trail (Due Date: 9/1/2018)
     [Figure: the 7 domains of a typical IT infrastructure feeding RTCM/SIEM, with data retention]
     • Include audit trails designed to detect & respond to cyber events/incidents
     • Real-time continuous monitoring (RTCM)
     • Security information & event management (SIEM)
     • Data retention = 5 years
  12. Section 500.07 – Access Privileges (Due Date: 3/1/2018)
     • Access Control & Identity Management policies and procedures
     • Perform periodic audit of access privileges (Windows Active Directory and/or Identity Access Management)
     • Enable audit trail, log, alert/real-time continuous monitoring (RTCM) and aggregate data into a security information & event management (SIEM) platform
  13. Section 500.08 – Application Security (Due Date: 9/1/2018)
     Cybersecurity Program: if in-house software development and/or implementation of software applications is performed, the Covered Entity is required to support the following:
     • Each Covered Entity's cybersecurity program shall include written procedures, guidelines and standards to ensure the use of secure development practices for in-house developed applications used by the Covered Entity
     • Procedures to evaluate, assess or test the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity's technology environment
     • All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee)
  14. Section 500.09 – Risk Assessment (Due Date: 3/1/2018)
     Risk assessment elements:
     • Criteria for evaluation and categorization of risks, threats, and vulnerabilities
     • Criteria for assessment of Confidentiality, Integrity & Availability (C-I-A)
     • Gap remediation and risk mitigation requirements
     • Prioritization of what needs remediating first
     Figure from: D. Kim & M. Solomon, "Fundamentals of Information Systems Security", 3rd Edition, Jones & Bartlett Learning (C)
  15. Section 500.10 – Cybersecurity Personnel & Intelligence (Due Date: 9/1/2018)
     Cybersecurity Program: each Covered Entity must address hiring or contracting 3rd party cybersecurity personnel as required.
     • Utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider
     • Provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks
     • Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures
  16. Section 500.11 – 3rd Party Service Provider Security Policy (Due Date: 3/1/2019)
     [Figure: 3rd party vendor and Managed Security Service Provider (MSSP) feeding RTCM/SIEM]
     • Identify and risk assess all 3rd party vendors
     • Ensure implementation of minimum cybersecurity practices
     • Perform 3rd party vendor assessments prior to contract signing or renewal
     • Conduct periodic vendor assessments (i.e., when you renew the contract)
  17. Section 500.12 – Multi-Factor Authentication (Due Date: 3/1/2018)
     [Figure: remote access user presenting factors "1", "2" and "3"]
     • Internal and external access to sensitive data must incorporate multi-factor authentication as required by the risk assessment
     • User ID, password, and hard or soft token for 2-factor authentication
     • User ID and password for systems/applications that contain sensitive data, as required by the risk assessment
  18. Section 500.13 – Limitations on Data Retention (Due Date: 9/1/2018)
     Cybersecurity Program: each Covered Entity shall:
     • Include policies and procedures for the periodic secure disposal of any non-public information identified in 500.01(g)(2)-(3) that is no longer necessary for business operations or for other legitimate business purposes, except where such information is otherwise required to be retained by law
     • Or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained
  19. Section 500.14 – Annual Security Awareness Training (Due Date: 3/1/2018)
     Cybersecurity Program: each Covered Entity shall:
     • Implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access, use, or tampering with non-public information by such Authorized Users (Due Date: 9/1/2018)
     • Provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment (Due Date: 3/1/2018)
  20. Section 500.15 – Encryption of Non-public Information (Due Date: 9/1/2018)
     • Sensitive data at rest must be encrypted if feasible and effective
     • Sensitive data in transit must be encrypted if it travels over a public, open network
  21. Section 500.16 – Incident Response Plan (Due Date: 9/1/2018)
     [Figure: Managed Security Service Provider (MSSP) with RTCM/SIEM; incident response plan, audit & monitoring, team & procedures]
     • Internal processes for incident handling
     • Incident response plan goals
     • Defined incident response roles and responsibilities
     • Communication and information sharing
     • Requirements for remediation
     • Documentation of all incidents and activities
     • Evaluation and review of the plan as needed
  22. Section 500.17 – Notices to Superintendent (Due Date: 3/1/2019)
     Notice of Cybersecurity Event: each Covered Entity shall notify the superintendent as promptly as possible, but in no event later than 72 hours from a determination that a cybersecurity event of either of the following kinds has occurred:
     • Cybersecurity events of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; and
     • Cybersecurity events that have a reasonable likelihood of harming any material part of the normal operation(s) of the Covered Entity.
     Annual Written Certification of Compliance Submittal: annually, each Covered Entity shall submit to the superintendent a written statement by February 15, certifying that the Covered Entity is in compliance with the requirements set forth in this Part.
  23. Critical Business Decisions: Next Steps for New York Financial Entities
  24. Critical Business Decisions – Next Steps for NY
     Next steps for your financial services organization?
     • Do you have an in-house CISO or need a 3rd party to assist?
     • Can you build your own Cybersecurity Program Plan in-house or do you need assistance?
     • Given the 6/12/18/24 month deadlines for the various regulations, where do you start?
     Conduct a NY State Financial Regulation "Gap Analysis" – how fast? cost? ease of remediation?
     • Critical gap remediation – immediate (critical gaps, low hanging fruit, etc.)
     • Major gap remediation – ongoing (spread out over the remediation timeline)
     Identify CAPEX/OPEX funding & work-effort for gap remediation recommendations
     • (Can you do some of the work?) and align with NY State DFS' timelines for compliance
     Plan your compliance gap remediation timeline
     • Align your gap remediation efforts to the new transition timelines
  25. Approach & Methodology for DFS Compliance (NY State DFS Cybersecurity Mandate)
     Phase 1 – Identify CISO or vCISO
     Phase 2 – Perform cybersecurity "Gap Analysis"
     Phase 3 – Develop gap remediation plan
     Phase 4 – Perform remediation
     Phase 5 – Certification of compliance
  26. How can ITPG Secure help your Financial Services Organization?
     Phase 1 – Start with a Virtual Chief Information Security Officer (vCISO)
     • Subject matter experts
     • "On-demand/on-call" retainer-type agreements
     Phase 2 – Perform a NY State DFS Cybersecurity "Gap Analysis" (large/medium/small)
     Phase 3 – Develop gap remediation plan & budget according to NY State DFS deadlines
     • Level of effort
     • Cost magnitude estimate (CAPEX & OPEX)
     • 6/12/18/24 month timeline to implement
     Phase 4 – Perform gap remediation to meet DFS deadlines & achieve DFS compliance
     Phase 5 – Document written "Certificate of Compliance" report and submit to Superintendent
     • March 1, 2018 > Cybersecurity Plan (gap remediation, budget, & timeline)
     • February, 2019 > Certificate of Compliance
  27. Timeline for Compliance – Next Steps for Planning (repeat of slide 6)
  28. NY State DFS Gap Analysis Tool – Screenshots
     Columns of the gap analysis worksheet:
     • NYCRR Section #
     • Date Compliance Required
     • 7-Domains (Alignment)
     • Compliance Status – select Full if 100% compliant, Partial if <100% compliant, Gap if 0% compliant, N/A if not applicable
     • Risk Assessment – select N/A if Compliance Status is N/A or Full; select Critical, Major or Minor if Compliance Status is Partial or Gap
     • Notes – list applicable policy and procedure documents providing objective evidence of compliance; findings from interviews, questionnaires, audits, etc.
     • Remediation Recommendations
     • Remediation LOE (person-hours), with a per-section total (the blank template shows "500.02 LOE 0.00")
     This Gap Analysis is based upon Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, adopted February 13, 2017 (published in the State Register on Dec 28, 2016 under I.D. No. DFS-39-16-00008-RP).
     Rows shown for 500.02 – CYBERSECURITY PROGRAM (control requirements; date compliance required 8/28/17; alignment: all domains):
     • 500.02.a – Maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the Institution's Information Systems
     • 500.02.b – The cybersecurity program is based on the Institution's Risk Assessment and is designed to perform the following core cybersecurity functions:
       • 500.02.b.1 – Identify & assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Institution's Information Systems
       • 500.02.b.2 – Use defensive infrastructure and the implementation of policies and procedures to protect the Institution's Information Systems, and the Nonpublic Information stored on those information systems, from unauthorized access, use or other malicious acts
       • 500.02.b.3 – Detect cybersecurity events
       • 500.02.b.4 – Respond to identified or detected cybersecurity events to mitigate any negative effects
       • 500.02.b.5 – Recover from cybersecurity events and restore normal operations and services
       • 500.02.b.6 – Fulfill applicable regulatory reporting obligations
     • 500.02.c – A Covered Entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate, provided such provisions satisfy the requirements of this Part, as applicable to the Covered Entity
     • 500.02.d – All documentation and information relevant to the Covered Entity's cybersecurity program shall be made available to the superintendent upon request
  29. NY State DFS Gap Analysis Tool – Screenshots
     Rows shown for 500.03 – CYBERSECURITY POLICY (date compliance required 8/28/17 for all rows):
     • 500.03 – Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer, or the Covered Entity's Board of Directors (or appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity's Policies and Procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity's Risk Assessment and address the following areas to the extent applicable to the Covered Entity's operations:
       • 500.03.a – Information Security
       • 500.03.b – Data Governance & Classification
       • 500.03.c – Asset Inventory & Device Management
       • 500.03.d – Access Controls & Identity Management
       • 500.03.e – Business Continuity & Disaster Recovery Planning & Resources
       • 500.03.f – Systems Operations & Availability Concerns
       • 500.03.g – Systems & Network Security
       • 500.03.h – Systems & Network Monitoring
       • 500.03.i – Systems & Application Development and Quality Assurance
       • 500.03.j – Physical Security & Environmental Controls
       • 500.03.k – Customer Data Privacy
       • 500.03.l – Vendor & Third Party Service Provider Management
       • 500.03.m – Risk Assessment
       • 500.03.n – Incident Response
  30. NY State DFS Gap Analysis Tool – Screenshots
     Rows shown for 500.04 – CHIEF INFORMATION SECURITY OFFICER (CISO):
     • 500.04.a (8/28/17) – Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy. The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider. To the extent this requirement is met using a Third Party Service Provider or Affiliate, the Covered Entity shall:
       • 500.04.a.1 (8/28/17) – Retain responsibility for compliance with this Part
       • 500.04.a.2 (8/28/17) – Designate a senior member of the Covered Entity's personnel responsible for direction and oversight of the Third Party Service Provider
       • 500.04.a.3 (8/28/17) – Require the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part
     • 500.04.b (3/1/18) – Reporting: the CISO shall report, in writing, at least annually to the Covered Entity's Board of Directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks, and shall consider to the extent applicable:
       • 500.04.b.1 (3/1/18) – The confidentiality of Nonpublic Information and the integrity and security of the Covered Entity's Information Systems
       • 500.04.b.2 (3/1/18) – The Covered Entity's cybersecurity policies and procedures
       • 500.04.b.3 (3/1/18) – Material cybersecurity risks to the Covered Entity
       • 500.04.b.4 (3/1/18) – Overall effectiveness of the Covered Entity's cybersecurity program
       • 500.04.b.5 (3/1/18) – Material Cybersecurity Events involving the Covered Entity during the time period addressed by the report
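The worksheet's own selection rules (risk is N/A exactly when status is N/A or Full), its per-section LOE roll-up, and the "critical gaps and low hanging fruit first" prioritisation from the Next Steps slide, as an added Python example that is not part of the presentation or of ITPG's tool. The section ids and transitional dates are the ones on the slides; the sample rows and the evidence strings are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Drop-down values and ordering taken from the worksheet screenshots.
OPEN = {"Partial", "Gap"}            # statuses that still need remediation
RISK_ORDER = {"Critical": 0, "Major": 1, "Minor": 2}

# "Date Compliance Required" per section (Key Dates slide); a sub-row such as
# 500.04.b.2 inherits the date of its longest matching prefix.
DEADLINES = {
    "500.02": date(2017, 8, 28),
    "500.03": date(2017, 8, 28),
    "500.04.a": date(2017, 8, 28),
    "500.04.b": date(2018, 3, 1),
}

@dataclass
class Row:
    section: str         # NYCRR section #, e.g. "500.02.b.3"
    status: str          # Compliance Status: Full / Partial / Gap / N/A
    risk: str            # Risk Assessment: N/A / Critical / Major / Minor
    loe_hours: float     # Remediation LOE (person-hours)
    notes: str = ""      # objective evidence of compliance

def deadline_for(section):
    """Transitional date for a row, found via the longest DEADLINES key that prefixes it."""
    matches = [k for k in DEADLINES if section == k or section.startswith(k + ".")]
    return DEADLINES[max(matches, key=len)] if matches else None

def validate(row):
    """Apply the worksheet's selection rules; an empty list means the row is consistent."""
    problems = []
    # Rule from the screenshot: risk is N/A exactly when status is N/A or Full.
    if row.status in {"N/A", "Full"} and row.risk != "N/A":
        problems.append(f"{row.section}: risk must be N/A when status is {row.status}")
    if row.status in OPEN and row.risk not in RISK_ORDER:
        problems.append(f"{row.section}: Partial/Gap rows need a Critical, Major or Minor risk")
    # Full compliance needs objective evidence in Notes; open gaps need an LOE estimate.
    if row.status == "Full" and not row.notes.strip():
        problems.append(f"{row.section}: Full status claimed without evidence in Notes")
    if row.status in OPEN and row.loe_hours <= 0:
        problems.append(f"{row.section}: open gap without a remediation LOE estimate")
    return problems

def loe_by_section(rows):
    """Roll remediation hours up to the top-level section, like the '500.02 LOE' cell."""
    totals = {}
    for r in rows:
        top = ".".join(r.section.split(".")[:2])
        totals[top] = totals.get(top, 0.0) + r.loe_hours
    return totals

def overdue(rows, today):
    """Open (Partial/Gap) rows whose transitional compliance date has already passed."""
    return [r.section for r in rows if r.status in OPEN
            and (d := deadline_for(r.section)) is not None and d < today]

def prioritize(rows):
    """Critical gaps first, then Major, then Minor; within a level, least LOE (low hanging fruit) first."""
    open_rows = [r for r in rows if r.status in OPEN]
    return [r.section for r in sorted(open_rows, key=lambda r: (RISK_ORDER.get(r.risk, 3), r.loe_hours))]

# Constructed sample worksheet rows (not findings from any real entity).
SAMPLE_ROWS = [
    Row("500.02.a", "Full", "N/A", 0, "Cybersecurity Program Charter (constructed)"),
    Row("500.02.b.3", "Gap", "Major", 120),
    Row("500.02.b.4", "Partial", "Critical", 40),
    Row("500.04.b.5", "Gap", "Minor", 16),
    Row("500.03.d", "Full", "Major", 0, "Access Control Policy (constructed)"),  # breaks the N/A rule
]
```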
  31. Questions?
     Presented by: David Kim, CISSP, PCI QSA, SVP Information Security | GRC, ITPG Secure Compliance, dk@itpgsecure.com, https://itpgsecure.com
