
Tag: encrypt nonpublic data

[Photo: Ron Arden presenting on NYDFS compliance at RSS 2017]

Ron Arden, Executive Vice President & COO, Fasoo, Inc., spoke to security professionals and executives on how to meet the data-centric requirements of the NYDFS 23 NYCRR 500 cybersecurity regulation for financial services organizations at the 2017 Rochester Security Summit at the Rochester Hyatt in Rochester, NY.

Ron delivered a presentation entitled “Do You Have a Pathway to Data Security and Compliance?” as part of the risk and compliance track during the October 19 – 20, 2017 event.  With deadlines approaching for some of the more challenging components of the NYDFS cybersecurity regulation, the timing was right as Ron reviewed results from the recent Ponemon Institute survey on NYDFS readiness and Fasoo’s approach to meeting the technical challenges of protecting unstructured data, that is, data stored in files rather than databases.  This is an area most organizations struggle with, since about 80 percent of their information is not in databases but in office documents.

Conversations during the presentation ranged from concerns about meeting regulatory compliance to protecting intellectual property from walking out the door.  One financial services company is in the process of locating and classifying all of its files, trying to decide what is sensitive and what is not.  Ron suggested treating all files as sensitive and encrypting them upon creation.  If you spend a lot of time determining what is and is not sensitive, you may miss something and cause more problems.  If you need to remove the encryption to share a file with someone externally, it is easier to make an explicit, approved exception for that case than to expect users to judge the sensitivity of every file.  Asking users to classify breaks workflows and burdens them unnecessarily, and a missed classification may mean you fail the NYDFS requirement to encrypt all nonpublic information.

Bill Blake, Senior Vice President of Fasoo, and Ron joined security partner Brite Computers in a booth during the vendor-focused times of the 2-day event.  Brite and Fasoo have had great success over the years bringing security technology and a customer-focused approach to solving business problems to numerous customers in a variety of industries.  The initiative to help customers comply with the NYDFS regulation is just the latest.

[Photo: RSS 2017 after party]

Brite also hosted an RSS after party on Thursday evening to meet with customers and partners in a more relaxed setting.  It was held in the newly renovated Center City Terrace & Lounge and let everyone take advantage of the unseasonably warm weather.  It was great to meet many of Brite’s current customers and talk with them about how Fasoo can help address their security and compliance issues.

The event this year showed the continuing need for data-centric security solutions as companies try to mitigate the risk that both external attackers and insiders pose to their most sensitive data.  Complying with regulations is important, but the main goal of these regulations is to keep sensitive data from leaking or being stolen by unauthorized people.  Stopping that has become a primary focus of many CISOs and boards.

Cyber Security Legislation Will Change the Face of Business

As 2017 gets underway, cyber security legislation will strengthen and force businesses to change the way they approach information security.  At the federal level in the United States, Congress and the President have proposed numerous updates to existing regulations and new regulations covering all facets of cybersecurity.  These include the Cyber Preparedness Act of 2016, the Cybersecurity Systems and Risk Reporting Act and others.

At the state level, legislation was introduced or considered in at least 28 states in 2016.  Fifteen of those states enacted legislation, much of it addressing security practices, protection of information, and cyber crime in general, including ransomware.

One example is the new regulation from the New York State Department of Financial Services (NYDFS), 23 NYCRR 500, which goes into effect on March 1, 2017 (changed from January 1) and requires banks, insurers, and other financial institutions regulated by the state to implement comprehensive cyber security programs and policies.  One of the central requirements is to encrypt nonpublic information both at rest and in transit over external networks; where encryption is infeasible, the regulation allows compensating controls reviewed and approved by the CISO, so “we could not encrypt it” is not by itself an acceptable answer.  Covered entities must also confirm that third party service providers adhere to these enhanced data security requirements.  They have to certify that they meet the first set of requirements by February 15, 2018 and annually after that.

Another key requirement of the NYDFS cybersecurity regulation, shared by other regulations, is to maintain audit trails covering sensitive data, including logs of access to critical systems.  While it is important to know who can and has accessed an information system, it is more important to control and audit access to the sensitive data inside it.  Encrypting documents at creation and enforcing who can open them, regardless of where the user or the file is located, is key to protecting sensitive data and meeting these regulations: the file stays protected when it is copied to a laptop, a USB drive or a partner’s mailbox, and every open attempt, allowed or denied, becomes an audit record.  This ensures that only authorized people inside and outside of the organization can access the information.
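The pattern described above and in the first post (encrypt every file at creation, deny by default, make removal of encryption an approved exception, and log each decision) as an added, self-contained example. This is illustration code written for this page, not Fasoo’s product or any NYDFS-prescribed design. The keystream cipher built from HMAC-SHA256 is a stand-in so the example runs on the Python standard library alone; a real deployment uses a vetted AEAD such as AES-GCM and keeps the key-encryption key (`KEK`, hypothetical here) in an HSM or KMS. All file names, users and approvers are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Hypothetical key-encryption key; in production this lives in an HSM or KMS.
KEK = hashlib.sha256(b"hypothetical-kek-for-demo").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. A stand-in for AES-CTR so
    the example needs no third-party library; not for production use."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered blob never yields plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ProtectedFile:
    """A document encrypted the moment it is created, under its own data key.
    The data key is wrapped with the KEK, so the file stays sealed wherever it is copied."""

    def __init__(self, name: str, content: bytes, owner: str):
        self.name = name
        dek = os.urandom(32)                 # per-file data-encryption key
        self.blob = seal(dek, content)       # what is stored on disk / e-mailed / copied
        self.wrapped_dek = seal(KEK, dek)    # only the policy server can unwrap it
        self.readers = {owner}               # default deny: only the owner may open it
        self.export_approved_by = {}         # user -> approver who allowed plaintext export


class PolicyServer:
    """Decides every access and records the decision: this list is the audit trail."""

    def __init__(self):
        self.audit = []

    def _log(self, action: str, f: ProtectedFile, user: str, allowed: bool, **extra):
        self.audit.append({"ts": time.time(), "action": action, "file": f.name,
                           "user": user, "allowed": allowed, **extra})

    def grant(self, f: ProtectedFile, user: str, approver: str) -> None:
        f.readers.add(user)
        self._log("grant", f, user, True, approver=approver)

    def read(self, f: ProtectedFile, user: str) -> bytes:
        """Open the file in place; the plaintext never leaves the controlled path."""
        allowed = user in f.readers
        self._log("read", f, user, allowed)   # denials are logged too
        if not allowed:
            raise PermissionError(f"{user} may not open {f.name}")
        dek = unseal(KEK, f.wrapped_dek)
        return unseal(dek, f.blob)

    def approve_export(self, f: ProtectedFile, user: str, approver: str) -> None:
        """The explicit exception: someone accountable approves removing encryption."""
        f.export_approved_by[user] = approver
        self._log("approve_export", f, user, True, approver=approver)

    def export_plaintext(self, f: ProtectedFile, user: str) -> bytes:
        """Remove encryption for external sharing, only with a recorded approval."""
        allowed = user in f.readers and user in f.export_approved_by
        self._log("export", f, user, allowed, approver=f.export_approved_by.get(user))
        if not allowed:
            raise PermissionError(f"{user} has no export approval for {f.name}")
        return unseal(unseal(KEK, f.wrapped_dek), f.blob)


if __name__ == "__main__":
    srv = PolicyServer()
    doc = ProtectedFile("q3-forecast.xlsx", b"nonpublic information", "alice")
    print(srv.read(doc, "alice"))
    try:
        srv.read(doc, "bob")
    except PermissionError as e:
        print("denied:", e)
    for entry in srv.audit:
        print(entry)
```

Two design choices carry the weight: the policy server, not the file holder, unwraps the data key, so copying the blob elsewhere gains an attacker nothing without the KEK; and every decision, including denials and the approver of each exception, is appended to the audit list, which is the record an examiner asks for.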

One thing to remember is that most regulations prescribe the minimum an organization must do to comply.  As recent years have shown, complying with a regulation does not mean you are safe or that your data is secure.  You need to protect, control and monitor all sensitive data inside your organization, not only to meet regulations but to keep your business running.

It is clear that regulators and legislators are focused on raising the bar for cybersecurity programs and on assuring the public that nonpublic information remains private.  Organizations need to focus on developing a robust, risk-based cybersecurity program rather than reacting to each new piece of regulatory guidance.

The time is now to enhance your data security to meet new regulations and protect your business.
