The State of New York has implemented new security rules in the wake of a tsunami of web attacks, and card issuers and financial institutions will need to substantially step up their cyber risk management, IT protections and incident response strategies.
The new regulation, 23 NYCRR 500, the first of its kind in the U.S., is designed to ensure the security and privacy of sensitive personal information.
Each company will be required to assess its specific security risk profile and design a program that addresses those risks. The regulation specifically requires organizations to file an annual certification confirming compliance. This Cybersecurity Program sets the stage for defining how organizations will be measured against the new rules.
Each organization must also “maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of its information systems”, and the program must be based on a Risk Assessment and perform six core functions:
1. Organizations must identify and assess internal and external cybersecurity risks that may threaten the security or integrity of data stored in an organization’s IT systems;
2. Use defensive infrastructure and implement policies and procedures to protect the IT systems from unauthorized access or malicious acts;
3. Detect cybersecurity events;
4. Respond to identified or detected Cybersecurity Events to mitigate any negative effects;
5. Recover from Cybersecurity Events and restore normal operations and services;
6. Fulfill applicable regulatory reporting requirements.
Each organization must implement and maintain a written policy or policies based on the organization’s Risk Assessment (as defined in 23 NYCRR 500.09). The policies must address a number of areas including, but not limited to: information security; systems and network security; systems and network monitoring; and incident response.
In addition, organizations must designate a qualified person to oversee the program and policies (i.e. a CISO). Audit trails designed to detect and respond to cybersecurity events must be implemented, and all records must be maintained for 5 years. Each organization must also develop an incident response plan designed to respond to and recover from any cybersecurity event that would affect the confidentiality, integrity, or availability of the organization’s IT systems.
While no single system can provide full coverage of all the regulatory requirements, a forensic threat investigation solution and an incident response plan will be the most important tools for demonstrating compliance.
There are four sections in particular where an incident response and threat forensics tool provides many benefits. For information security, a policy must be put in place that allows organizations to identify who should have access to sensitive information. Ultimately, when a security breach takes place, technology teams must be able to track hackers from their point of access, where they traveled, and what data was accessed.
When it comes to systems and network security, there should be a policy that defines what security tools are in place and the protections they offer. To enforce systems and network security policies, active monitoring and analysis of network systems is an absolute requirement. Without baselining user and traffic behavior, network and security teams are blind to the activity taking place on the network. An exhaustive record of normal traffic patterns must be kept so that tech teams can set up a system that alerts when traffic deviates from those patterns.
The main goal of any incident response and forensic threat investigation solution is to give teams the ability to respond quickly to incidents. An effective solution will also provide audit trails. Since these systems need only the NetFlow, IPFIX, and other metadata already present on the network, records can be maintained for years with minimal impact on disk space, so when a record of events that occurred three years ago is required, that data is retrievable.
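As an added illustration of the baselining and alerting described in the two paragraphs above (example code written for this page, not from any vendor product or the regulation itself), the following Python builds a per-host baseline of daily outbound bytes and known peers from constructed NetFlow-style records, then flags hosts whose review-day traffic deviates from it. All hosts, byte counts and the 3-sigma threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (day, src_host, dst_host, bytes): days 1-5 are the
# baseline period, day 6 is the period under review.
BASELINE_FLOWS = (
    [(d, "10.0.1.5", "10.0.2.10", b) for d, b in enumerate((100_000, 110_000, 90_000, 105_000, 95_000), 1)]
    + [(d, "10.0.1.6", "10.0.2.10", 50_000) for d in range(1, 6)]
    + [(d, "10.0.1.6", "10.0.2.20", 20_000) for d in range(1, 6)]
)
REVIEW_FLOWS = [
    (6, "10.0.1.5", "10.0.2.10", 95_000),
    (6, "10.0.1.5", "203.0.113.7", 2_000_000),   # peer never seen in baseline, large transfer
    (6, "10.0.1.6", "10.0.2.10", 52_000),
    (6, "10.0.1.6", "10.0.2.20", 19_000),
]

def build_baseline(flows):
    """Per source host: mean and std-dev of daily outbound bytes, plus the set of peers seen."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes sent
    peers = defaultdict(set)
    for day, src, dst, nbytes in flows:
        daily[src][day] += nbytes
        peers[src].add(dst)
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        baseline[host] = {"mean": mean(totals), "stdev": pstdev(totals), "peers": peers[host]}
    return baseline

def detect_deviations(baseline, flows, sigma=3.0):
    """Return (host, reason, detail) alerts for hosts whose flows deviate from their baseline."""
    daily = defaultdict(int)
    new_peers = defaultdict(set)
    alerts = []
    for _day, src, dst, nbytes in flows:
        daily[src] += nbytes
        if src in baseline and dst not in baseline[src]["peers"]:
            new_peers[src].add(dst)
    for host in sorted(daily):
        if host not in baseline:
            alerts.append((host, "unknown_host", "no baseline for this source"))
            continue
        b = baseline[host]
        # floor the spread at 10% of the mean so a perfectly steady host does not alert on noise
        threshold = b["mean"] + sigma * max(b["stdev"], 0.1 * b["mean"])
        if daily[host] > threshold:
            alerts.append((host, "volume", f"{daily[host]} bytes > threshold {threshold:.0f}"))
        for peer in sorted(new_peers[host]):
            alerts.append((host, "new_peer", peer))
    return alerts
```

Because only flow metadata is stored, the baseline records stay small enough to retain across the multi-year window the regulation expects, and the same records support the audit trail when an alert is investigated.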
Compliance is a multi-step process: the creation of a written policy and the demonstration of consistent, automated enforcement. 23 NYCRR 500 is just one example, among many others, of a new set of rules requiring a written policy. Having forensic capabilities is key to demonstrating compliance.