Blog

Tag: encrypt localized data

Panel at PwC discussing NYDFS 23 NYCRR 500 Cybersecurity Regulation

The third in a series of NYDFS 23 NYCRR 500 roadshow events, held at PwC in New York, NY on May 18, 2017, was a great success as a room full of executives, legal, IT and security professionals discussed ways to help financial services organizations meet the new cybersecurity regulation that went into effect on March 1, 2017.  Pathway to Compliance with NYDFS Part 500 was part of a continuing series of forums to help entities regulated by the New York Department of Financial Services (NYDFS) comply with a strict and wide-ranging regulation.

The event started with Joe Nocera, PwC principal and Cybersecurity Financial Services Industry Leader, giving an overview of 23 N.Y.C.R.R. Part 500 and many of the implications it has for financial institutions doing business in New York.  Joe talked about some anticipated challenges in meeting the requirements for encryption of nonpublic information, multi-factor authentication, incident reporting and annual certification.  While the technologies and processes to meet these requirements are not new, there are a lot of questions about how to apply them.  For example, is endpoint encryption good enough to protect data at rest and in transit?  What happens when you email a file containing nonpublic information from your PC to someone else?  Endpoint encryption protects the file only while it sits on the encrypted device; the copy in the message is no longer encrypted, so the data is exposed.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey helped understand the current state of readiness to comply with the new regulations.  One key finding from the survey is that while most organizations believe this regulation will be harder to implement than GLBA, HIPAA or SOX, 65 percent believe it will improve their cybersecurity posture.

Dr. Ponemon’s keynote was followed by a panel discussion on Pathway to DFS Compliance.  Panel members included Dr. Ponemon, John Horn from Harter Secrest, and Ron Arden from Fasoo.  Some of the items discussed by the panel included eliminating information you no longer need, automatically protecting information downloaded from databases and information repositories, and the best way to ensure you have a legally defensible environment when the auditors come calling.  Another major discussion point was third party service provider security policies.  NYDFS gives covered entities two years to comply with the third party service provider requirement, since it recognizes this will be a major challenge.  If you need to meet these requirements, why wouldn’t you make your service providers meet the same requirements?

The panel was followed by three presentations from security vendors Fasoo, ForgeRock, and Securonix that highlighted technologies that can help financial companies become compliant with the new regulation.  Fasoo focused on its 6 Steps to Compliance that features finding and protecting nonpublic information through encryption, audit trails, access control and secure disposal of information no longer needed by the business.  ForgeRock focused on its identity and access management platform that helps meet the requirements for access control, auditing and multi-factor authentication.  Securonix focused on its behavioral analytics platform that can help understand and mitigate the risk of cybersecurity events.

Lunch followed and allowed attendees to discuss their challenges with the speakers and panel members.  The feedback was that a lot of great information was shared and helped give executives and practitioners good ammunition to move their cybersecurity programs forward.

Combat insider threats

Insider threats exist everywhere and are tricky to detect and deter.  Privileged users can pose a greater threat to your business than external attackers, since they already have access to your critical business data.  If a user has legitimate access to sensitive data, that person may accidentally or deliberately share it with unauthorized people inside or outside of your business.  Differentiating legitimate data sharing from malicious activity is difficult.

Users need to share sensitive documents with colleagues, business partners and customers regularly.  Technology makes it easy to share massive amounts of confidential data with a click or tap through email, file sync and share services or portable media.  If a user regularly accesses sensitive information for her job, how do you stop that person from leaking that data to unauthorized people?

Privileged users access sensitive data in databases, on file shares and in ECMs or other content repositories to do their jobs.  If a sales person downloads sensitive data from a CRM system and has it locally in a spreadsheet, how do you stop him or her from sending it to a competitor?  What if you need to share that data with a business partner, but need to control further distribution?

These are challenges, since people need sensitive information to do their jobs, but you need to control who can access the information and what they can do with it.

You need a way to discover, classify and protect sensitive data as you create it.  The Fasoo Data Security Framework classifies information based on what you deem sensitive and protects the data by encrypting files as you create them on the desktop, export them from databases or download them from information systems.  This is the easiest way to ensure you stay in control of sensitive data.

Dynamic security policies apply permission controls that grant or deny users the right to View, Edit, Copy, Paste, Print or Decrypt files.  Since roles and responsibilities are always changing, you can change security policy to meet your new business requirements after you distribute files.  You can even automatically adjust security policy based on changed content within a file.  For example, if you have a file that is for all internal employees, but you add social security numbers to it, you need to increase the security to limit access because of the sensitive nature of what’s inside.
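The content-driven policy change described above can be illustrated with a small classifier.  The following is an added example, not code from the original post and not Fasoo's product: the policy labels, the permission sets attached to each label and the `reevaluate` helper are assumptions made for illustration.  It scans a document's text for plausibly formatted US social security numbers and, when one appears, escalates the label and reports which permissions the escalation revokes.

```python
import re

# Hypothetical policy labels and the permissions each grants.
# Assumed for this example; these are not Fasoo's policy definitions.
POLICIES = {
    "internal": {"view", "edit", "copy", "paste", "print"},
    "confidential": {"view", "edit"},
}

# Formatted SSN: AAA-GG-SSSS. Word boundaries keep us from matching inside
# longer digit runs such as account numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues (area 000, 666, 900-999;
    group 00; serial 0000) so that a date range or part number in the
    same shape does not trigger an escalation."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return every plausibly valid SSN found in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def classify(text: str, current_label: str = "internal") -> str:
    """Escalate to 'confidential' when an SSN is present. Labels are never
    lowered automatically: a downgrade should be a reviewed decision."""
    if find_ssns(text):
        return "confidential"
    return current_label


def permissions_for(label: str) -> set[str]:
    return POLICIES[label]


def reevaluate(after: str, current_label: str) -> tuple[str, set[str]]:
    """Re-run classification on the edited content and report the new
    label plus the permissions the previous label granted that the new
    label no longer does."""
    new_label = classify(after, current_label)
    revoked = permissions_for(current_label) - permissions_for(new_label)
    return new_label, revoked


if __name__ == "__main__":
    # Constructed sample document: an internal memo that later has an SSN pasted in.
    memo = "Q2 all-hands notes: headcount plan and office move."
    memo_edited = memo + "\nNew hire J. Doe, SSN 123-45-6789, starts Monday."
    print(reevaluate(memo, "internal"))          # stays internal, nothing revoked
    print(reevaluate(memo_edited, "internal"))   # confidential; copy/paste/print revoked
```

The invalid-number check matters in practice: without it, a document full of part numbers or dates in the `NNN-NN-NNNN` shape would be escalated and its users locked out of printing for no reason.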

Understanding usage patterns of your sensitive information helps you determine behavioral anomalies that could indicate an insider threat.  If normal behavior for a person is to print a few files a day, but all of a sudden they are printing hundreds, they may be stealing sensitive information.  Alerting someone to this event can prevent a possible data breach.

Combating insider threats can be challenging, but your best defense is to protect and control confidential data at the source so it is secured at rest, in motion and while in use regardless of device, storage technology, storage location, and application.


Photo credit Eugene Kim
