
[Photo: Ron Arden presenting on NYDFS compliance at RSS 2017]

Ron Arden, Executive Vice President & COO of Fasoo, Inc., spoke to security professionals and executives on how to meet the data-centric requirements of the NYDFS 23 NYCRR 500 cybersecurity regulation for financial services organizations at the 2017 Rochester Security Summit, held at the Rochester Hyatt in Rochester, NY.

Ron delivered a presentation entitled “Do You Have a Pathway to Data Security and Compliance?” as part of the risk and compliance track during the October 19 – 20, 2017 event.  With deadlines approaching for some of the more challenging components of the NYDFS cybersecurity regulation, the timing was right: Ron reviewed results from the recent Ponemon Institute survey on NYDFS readiness and Fasoo’s approach to the technical challenge of protecting unstructured data, meaning data stored in files rather than in databases.  This is an area most organizations struggle with, since about 80 percent of their information is not in databases but in office documents.

Conversations during the presentation ranged from concerns about meeting regulatory compliance to protecting intellectual property from walking out the door.  One financial services company is in the process of locating and classifying all of its files, trying to decide what is sensitive and what is not.  Ron suggested treating every file as sensitive and encrypting it at creation.  If you spend a lot of time deciding what is and is not sensitive, you may miss something and create more problems than you solve.  If you need to remove the encryption to share a file externally, it is easier to make an exception for that case than to expect users to judge the sensitivity of each file; asking users to classify breaks workflows and burdens them unnecessarily.  It also risks falling short of the NYDFS encryption requirement (section 500.15), which covers nonpublic information both at rest and in transit over external networks.

Bill Blake, Senior Vice President of Fasoo, and Ron joined security partner Brite Computers in a booth during the vendor-focused sessions of the two-day event.  Brite and Fasoo have had great success over the years bringing security technology and a customer-focused approach to solving business problems to numerous customers in a variety of industries.  The initiatives helping customers become compliant with the NYDFS regulation are just the latest.

[Photo: RSS 2017 after party]

Brite also hosted an RSS after party on Thursday evening to meet with customers and partners in a more relaxed setting.  It was held in the newly renovated Center City Terrace & Lounge and let everyone take advantage of the unseasonably warm weather.  It was great to meet many of Brite’s current customers and talk with them about how Fasoo can help address their security and compliance issues.

The event this year showed the continuing need for data-centric security solutions as companies try to mitigate the risk that both external attackers and insiders pose to their most sensitive data.  Complying with regulations is important, but the main goal of these regulations is to keep sensitive data from leaking or being stolen by unauthorized people.  Stopping that has become a primary focus of many CISOs and boards.

Use the FFIEC Cyber Assessment Tool to help comply with NYDFS 23 NYCRR Part 500

The Federal Financial Institutions Examination Council (FFIEC) released an update to its Cybersecurity Assessment Tool to help financial institutions establish a better baseline for identifying their risks and determining their cybersecurity preparedness.  The original intent of the Assessment was to give financial institutions a repeatable and measurable process for tracking their cybersecurity preparedness over time.

The updates respond to criticism the tool has drawn since its release in June 2015 for its vagueness and its divergence from other well-established cybersecurity assessment frameworks, such as the NIST Cybersecurity Framework.  While there are similarities between the two, the FFIEC is trying to provide guidance specific to its constituency, whereas the NIST framework is general enough to apply to any organization.

While most organizations treat these tools and frameworks as guidelines for better protecting their businesses and customers, FFIEC examiners have been expecting the banks and credit unions under their jurisdiction to use the Assessment Tool.  This raises the question of how it fits with other regulations and which frameworks financial institutions should adopt.

The FFIEC assessment tool includes three main components:

  • An inherent risk profile, to help institutions understand how each activity, service and product contributes to the institution’s inherent risk
  • A cybersecurity maturity assessment, to determine an institution’s cybersecurity maturity level across its domains
  • An interpretation and analysis step, to help institutions judge whether their cybersecurity maturity is appropriate relative to their inherent risk and where the gaps are.

Organizations that must comply with GLBA, SOX, the new NYDFS 23 NYCRR 500 cybersecurity regulation and others may have trouble deciding on the best approach to satisfying all of them.  While the NIST Framework offers general guidelines for improving an organization’s cybersecurity posture, regulations like the NYDFS rule are more prescriptive, naming specific controls and processes (for example, encryption, multi-factor authentication, and audit trails) that must be in place.  Meeting them may require additional guidance.

One enhancement in the updated FFIEC Cybersecurity Assessment Tool is a mapping of the NIST framework to the tool.  For those already using NIST or the FFIEC tool, this shows where the two complement each other and where they differ.  It is also helpful for organizations working toward NYDFS compliance, since many of the same goals are inherent in these tools.

While other regulatory agencies have not explicitly said they will adopt the FFIEC tool, I expect some will rather than create their own.  It would be nice to have a one-size-fits-all tool, but as the threat landscape and the regulations change, tools need to evolve to meet the specific requirements of different industries.

The real goal of these rules and frameworks, lest we forget, is to ensure that you can operate your business securely without compromising your own or your customers’ security and privacy.  It is all about protecting your confidential information and continuing to operate with the trust and confidence you have built with your customers and partners.
