If you are a financial services firm that operates in New York State, you are probably already aware of the new Department of Financial Services (DFS) cybersecurity regulation that went into effect on March 1, 2017. The regulation, titled "Cybersecurity Requirements for Financial Services Companies," is Part 500 of Title 23 of the New York Codes, Rules and Regulations (23 NYCRR 500).
You may find the full regulation here.
Section 500.19 exempts smaller covered entities and certain other organizations from many sections of the regulation; however, no covered entity is exempt from the regulation as a whole, and an entity claiming a limited exemption must still file a Notice of Exemption with DFS.
The first milestone date, the end of the 180-day transitional period, is August 28, 2017. There are six sections of the regulation that your organization should have in place by that date in order to comply. Within these six broad sections, there are subsections that must be fulfilled.
The largest subset of required items is described in sections 500.02 and 500.03. Section 500.02 requires a cybersecurity program, and section 500.03 requires the written policies that document that program's existence and scope.
These include written policies that detail the following:
- Information security,
- Data governance and classification,
- Asset inventory and device management,
- Access controls and identity management,
- Business continuity and disaster recovery planning,
- Systems operations and availability concerns,
- Systems and network security,
- Systems and network monitoring,
- Systems and application development and quality assurance,
- Physical security and environmental controls,
- Customer data privacy,
- Vendor and third-party service provider management,
- Risk assessment, and
- Incident response.
Two of the most significant requirements are that your organization must designate a Chief Information Security Officer (§500.04(a)), and your organization must utilize qualified cybersecurity personnel to manage the core cybersecurity functions in the organization (§500.10). Both roles may be filled by an affiliate or a third-party service provider, but in the CISO case the covered entity retains responsibility for compliance, must designate a senior member of its own personnel to direct and oversee the third party, and must require the third party to maintain a cybersecurity program that meets the regulation.
Another important requirement for the upcoming milestone date is a written incident response plan (§500.16). Section 500.16 has two subsections: subsection (a) describes the overall purpose of the plan, which is to promptly respond to and recover from any cybersecurity event affecting the confidentiality, integrity or availability of the organization's information systems, and subsection (b) lists the areas the plan must address at a minimum, such as internal processes for responding to an event, goals, roles and responsibilities, communications, remediation, documentation and reporting, and post-event evaluation and revision of the plan.
An organization must also limit user access privileges to information systems that provide access to nonpublic information, and must periodically review those access privileges (§500.07).
Many of the documents required by the policy section (§500.03) are further defined in other sections of the regulation. For example, a written incident response policy is listed as one of the required policy areas in §500.03 and is then defined in more detail in its own section, §500.16.
This is true of other policy areas as well, but the sections that define them have later milestone dates.
The new regulation is in effect, and the first milestone will soon be upon us. The next milestone date is on March 1, 2018. More to come as that date approaches.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.