
How To Achieve 23 NYCRR Part 500 Compliance

Also referred to as 23 NYCRR Part 500, the NYDFS Cybersecurity Regulation is a set of regulations considered to be cybersecurity best practices for financial institutions. It is a set of rules that imposes new & stricter cybersecurity requirements on covered entities.



What should you do to accomplish 23 NYCRR Part 500 compliance?

Know your network:

Ensure you have an up-to-date inventory of each asset, recording its type, version and role. Each asset must be classified as either internal-facing or external-facing.

Write security policies for each type of asset:

Each kind of environment & asset must have its own policy, suited to the specific functions it performs and the specific threats it faces.

Use tools to discover feasible vulnerabilities threatening your network:

Make use of vulnerability scanners & penetration tests to maintain a current assessment of your company's exposure to known & unknown vulnerabilities. Regularly review the compliance posture of your assets & their exposure to vulnerabilities.

Maintain an audit trail based on the risk assessment:

You should maintain at least 3 years of records regarding financial transactions of your operations & obligations.

You should maintain at least 5 years of records regarding cybersecurity events that have a reasonable likelihood of harming information security.
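A record-retention check built on the two periods stated above (3 years for financial-transaction records, 5 years for cybersecurity-event records), as an added example that is not part of the original article: it computes when a record may be discarded and keeps the longer period when one record falls into both classes. The record format and class names are assumptions for illustration.

```python
from datetime import date

# Retention periods as stated in this article (constructed mapping, not the
# regulation text itself): number of years each record class must be kept.
RETENTION_YEARS = {
    "financial_transaction": 3,
    "cybersecurity_event": 5,
}

def retention_end(created: date, classes) -> date:
    """Return the earliest date on which a record may be discarded.

    A record tagged with several classes keeps the longest period, so a log
    entry that is both a transaction record and evidence of a cybersecurity
    event is held under the 5-year class, not the 3-year one.
    """
    if not classes:
        raise ValueError("record must carry at least one retention class")
    years = max(RETENTION_YEARS[c] for c in classes)
    try:
        return created.replace(year=created.year + years)
    except ValueError:  # 29 Feb created date, non-leap target year
        return created.replace(year=created.year + years, day=28)

def may_purge(record: dict, today: date) -> bool:
    """True only once the full retention period has elapsed."""
    return today >= retention_end(record["created"], record["classes"])

def purge_plan(records, today: date):
    """Split an audit store into (ids to keep, ids eligible for deletion)."""
    keep, purge = [], []
    for rec in records:
        (purge if may_purge(rec, today) else keep).append(rec["id"])
    return keep, purge

# Constructed sample audit records (hypothetical ids and dates)
SAMPLE_RECORDS = [
    {"id": "txn-1001", "created": date(2019, 6, 1), "classes": ["financial_transaction"]},
    {"id": "ids-2002", "created": date(2019, 6, 1), "classes": ["cybersecurity_event"]},
    {"id": "txn-1003", "created": date(2021, 2, 28),
     "classes": ["financial_transaction", "cybersecurity_event"]},
]

if __name__ == "__main__":
    keep, purge = purge_plan(SAMPLE_RECORDS, date(2023, 1, 15))
    print("keep:", keep)                    # ['ids-2002', 'txn-1003']
    print("eligible for deletion:", purge)  # ['txn-1001']
```

Run the purge plan before any scheduled log rotation or archive clean-up, so that nothing still inside its retention window is deleted.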

Control information access privileges:

Limit users' access to non-public information and their ability to perform tasks that are not required by their role.

Conduct a periodic risk assessment:

A periodic risk assessment should be performed to identify changes in IT systems, in the data they hold, and in the company's operations.

Appoint the right person for the task:

You must appoint a qualified individual to be the company’s CISO who’ll be accountable for executing & enforcing the cybersecurity policy in the organization. The Chief Information Security Officer can be either ‘in-house’ or a third-party service provider.

A third party should be appointed to manage the company’s cybersecurity risks & to oversee the performance of cybersecurity activities. You should ensure that these 2 functions are managed by trained people, updated with the latest methodologies and risks.

Make use of multi-factor authentication:

Make use of multi-factor authentication or another control that suits your risk assessment. Such authentication must be required for any user accessing the company's internal network from an external one. Any alternative control must be approved by the Chief Information Security Officer, and only if it is at least as secure as the standard practice.

Disclaimer: This content is created and provided by a third-party online content writer on behalf of CompCiti. CompCiti does not take any responsibility for the accuracy of this Content.
