New York Cybersecurity Regulation: Everything You Need to Know to Ensure Compliance

By Michael Morey, Manager, IT Risk & Security Advisory


Since March 2017, New York's banking, insurance, and financial services industries have been required to comply with the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). The purpose of the regulation is to promote the protection of customer information and of the IT systems of regulated entities. Although no specific penalties are defined in the regulation, the Superintendent of the NY DFS has the authority to request documentation demonstrating compliance at any time, so companies need to be prepared.

Every year by February 15, entities must file a certification with the New York State Department of Financial Services. The regulation requires companies to adhere to a multitude of specific requirements, but it does include transitional dates that allow companies to work toward full compliance.

What You Need to Do Now

The first annual certifications were due in February 2018, so if your company has not filed yet, you are well past the deadline. As of right now, companies are required to have the following controls in place:

  • Risk Assessment - Companies must perform a risk assessment to identify cybersecurity threats. Threats must be suitably categorized and evaluated, and risk mitigation plans should be developed.
  • Cybersecurity Policy - A robust set of information security policies and procedures must exist to define the guidance and requirements of your company's cybersecurity program.
  • Vulnerability Management - At a minimum, companies must perform vulnerability scanning twice a year and have a penetration test done annually.
  • CISO - Someone within your company must hold the title of Chief Information Security Officer. This person is accountable for the cybersecurity program.
  • Access - Companies must restrict access to systems holding non-public information and review user access periodically.
  • Multi-Factor Authentication - Companies are encouraged to use multi-factor authentication.
  • Cybersecurity Personnel Capability - Companies must employ qualified personnel, either internally or by engaging an outside firm, to manage cybersecurity controls. Security personnel must be given access to and take part in periodic training.
  • Security Awareness Training - All employees must take security awareness training on a regular basis.
  • Incident Response - Companies must have a plan in place to handle cybersecurity events.
  • Incident Notification - Companies are obligated to notify the Superintendent of the NY Department of Financial Services within 72 hours of identifying a material cybersecurity event.

What You Must Do Soon

In October 2018, companies have to have the following in place:

  • User Activity Monitoring - The activity of authorized users must be logged and monitored.
  • Audit Trails - Audit logs must be in place and retained for 5 years.
  • Application Security - Secure application procedures must be in place and reviewed by the CISO.
  • Data Destruction - Companies must begin securely disposing of non-public information according to defined retention standards.
  • Encryption - Encryption must be used for data in transit over external networks and for data at rest.

In March 2019, companies must have a robust third-party service provider management program. This includes identifying all third parties used as part of business operations, performing periodic risk assessments, and reviewing the information security controls in place at the third-party service provider. Many companies use cloud services, consultants, outsourced business support, etc., all of which fall within the scope of this control.

The Good News

You don't have to figure this all out on your own. Clearview Group has IT Risk & Security and Technology Consulting practices with many years of experience in designing, assessing, and managing cybersecurity risk for companies of all sizes and industries. The use of a third party to manage compliance with the requirements is explicitly allowed in the regulation, because the NY Department of Financial Services recognizes the complexity and ever-evolving nature of cybersecurity risk. Drop us a line to learn more about how you can ensure your company is managing cybersecurity risk effectively and maintaining regulatory compliance.

About the Author

Michael Morey is an IT Risk Manager in Clearview's IT Risk & Security Advisory practice. He graduated with his Master's in Business Technology Management from Stevenson University in 2013 and obtained his Certified Information Systems Auditor (CISA) certification in 2014. He has extensive experience in healthcare, utilities, financial services, government contracting, logistics, and higher education. He has led IT audit projects on behalf of Internal Audit, AICPA SOC 2 assurance engagements, IT SOX audit and advisory projects, and IT security consulting and advisory engagements. He has deep knowledge of many industry-leading technologies, including Infrastructure as a Service (AWS, Azure, etc.), Platform as a Service (Salesforce, etc.), and Software as a Service (Workday, Office 365, JIRA/Confluence, etc.).
