NY State’s Cybersecurity Legislation
Requirements for Risk Management, Security of Applications, and the Appointed CISO
June 28, 2017
Alan Calder
IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING
Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to Data Security and ISO 27001/27002
• Led the world’s first successful implementation of ISO 27001 (then BS 7799)
www.itgovernanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Leading global provider
• The single source for everything to do with cybersecurity, cyber risk
management, and IT governance
• Our team of dedicated and knowledgeable trainers and consultants
have helped over 400 organizations worldwide achieve ISO 27001
certification
• Our mission is to engage with business executives, senior managers, and IT professionals, and help them:
– Protect and secure their intellectual capital
– Comply with relevant regulations
– Thrive as they achieve strategic goals through better IT management
Agenda
• Application security program (internal and external) and review
by the CISO
• Overview of the risk assessment policy and procedures
• Setting up a program specific to your organization’s information
systems and business operations
• Identifying cyber threats and how to incorporate controls
• Maintaining an audit trail to include detection and responses to
cybersecurity events
• How ISO 27001 and vsRisk™ can provide the right tools to help
you implement a successful program that meets compliance
requirements
Timelines
• This presentation covers the following compliance deadlines (transitional periods under Section 500.22):
180 days (Aug. 28, 2017)
– Section 500.02 Cybersecurity Program
– Section 500.03 Cybersecurity Policy
– Section 500.04 (a) Chief Information Security Officer (CISO)
– Section 500.07 Access Privileges
– Section 500.10 Cybersecurity Personnel and Intelligence
– Section 500.16 Incident Response Plan
1 year
– Section 500.04 (b) CISO’s Report
– Section 500.05 Penetration Testing and Vulnerability Assessments
– Section 500.09 Risk Assessment
– Section 500.12 Multi-Factor Authentication
– Section 500.14 (b) Training and Monitoring
18 months
– Section 500.06 Audit Trail
– Section 500.08 Application Security
– Section 500.13 Limitations on Data Retention
– Section 500.14 (a) Training and Monitoring
– Section 500.15 Encryption of Nonpublic Information
2 years
– Section 500.11 Third Party Service Provider Security Policy
NYDFS cybersecurity FAQs
Q: Is a Covered Entity required to certify compliance with all the
requirements of 23 NYCRR 500 on February 15, 2018?
A: Covered Entities are required to submit the first certification under 23
NYCRR 500.17(b) by February 15, 2018. This initial certification applies to and
includes all requirements of 23 NYCRR Part 500 for which the applicable
transitional period under 23 NYCRR 500.22 has terminated prior to February
15, 2018.
Accordingly, Covered Entities will not be required to submit certification of
compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06,
500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 until February 15, 2019,
and certification of compliance with 23 NYCRR 500.11 until February 15, 2020.
Chief Information Security Officer (CISO) (Section 500.04 (a), 180-day requirement due by August 28, 2017)
• What to look for in a candidate
– A trustworthy advisor
– Understands the business processes and the organization as a whole
• Covered entities may choose to:
– Designate an internal staff member as CISO
º Benefits: an internal CISO will have an advantage in their understanding of how the business operates, which will enable them to better assess and guide what is needed to protect the organization
– Outsource the role to an affiliate or third party
º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party
º They may not have a clear picture of the business operations
NYDFS cybersecurity FAQs
Q: To the extent a Covered Entity uses an employee of an Affiliate as
its Chief Information Security Officer ("CISO"), is the Covered Entity
required to satisfy the requirements of 23 NYCRR 500.04(a)(2)-(3)?
A: To the extent a Covered Entity utilizes an employee of an Affiliate to
serve as the Covered Entity's CISO for purposes of 23 NYCRR 500.04(a), the
Affiliate is not considered a Third Party Service Provider for purposes of 23
NYCRR 500.04(a)(2)-(3).
However, the Covered Entity retains full responsibility for compliance with the
requirements of 23 NYCRR Part 500 at all times, including ensuring that the
CISO responsible for the Covered Entity is performing the duties consistent
• An effective program must place cybersecurity in the context of the business, and should be guided by two related considerations:
– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.
• The company’s technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
– Supply chain/third-party suppliers
– Product/service development
– Customer experience
– External influencers
Elements of a strong cybersecurity strategy
• Set a vision: Describe how cybersecurity protects and enables value in your company.
• Sharpen your priorities: Your resources are finite, so focus on critical business assets.
• Build the right team: Ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management, and strategic communications.
• Enhance your controls: To reflect the widening scope of your cybersecurity strategy, you’ll need to adopt new methods for treating risk.
• Monitor the threat: Cybersecurity requires an adaptive outlook. Maintain awareness of the threat landscape.
• Plan for contingencies: No one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
• Transform the culture: People are the core of the business, so cybersecurity is everyone’s responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.
New York breaches rose 60% in 2016
New York State Attorney General Eric T. Schneiderman released a
summary of the year 2016, which revealed:
• 1,300 reported data breaches
• 60% increase from 2015
• 1.6 million New Yorkers’ personal records exposed
• Each Covered Entity shall securely maintain systems that, to the
extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations, for not fewer than five years
– include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations, for not fewer than three years
Maintain 5 years: material financial transactions
Maintain 3 years: audit trails of cybersecurity events
Annex A: 14 control categories (114 controls)
• 5 Information security policies
• 6 Organization of information security
• 7 Human resources security
• 8 Asset management
• 9 Access control
• 10 Cryptography
• 11 Physical and environmental security
• 12 Operations security
• 13 Communications security
• 14 System acquisition, development and maintenance
• 15 Supplier relationships
• 16 Information security incident management
• 17 Information security aspects of business continuity management
• 18 Compliance
Best-practice cyber risk management
ISO 27001 and vsRisk
• Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity, availability
– Achieve certification in a timely and cost-effective manner
• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Provides a framework to start your cybersecurity program
– Saves time, effort, and expense
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
– www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
– Receive 20% off this toolkit when you book a place on any New York DFS Cybersecurity & ISO 27001 Live Online course.