Last updated: 07 September 2017
New York State’s New Cybersecurity Regulations are Live and in Play…. How to Make Sure you are Compliant
As of August 28, NY’s Cybersecurity Regulations are in effect. New York’s Department of Financial Services (DFS) has put the guidelines in place to protect consumers and ensure the safety and soundness of the financial services industry from cyber-criminals.
These new requirements will affect not only the organizations supervised by the DFS, but their 3rd party service providers as well. It is imperative for these organizations to begin their preliminary risk assessment and determine how their cybersecurity program can address their encryption needs. The regulation specifies that, “it requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.”
The guidance specifies that multi-factor authentication should be implemented when accessing customer sensitive data as well as the protection of customer data through encryption of non-public information held or transmitted by the Covered Entity— both in transit over external networks and at rest.
Over the last five years with the rapid adoption of cloud based services, BYOD and a highly mobile enterprise workforce, we have seen the gradual disappearance of a defined perimeter behind which corporate data can be stored and protected. Even more, with the rise of Big Data, data is the new oil in the new digital economy. What does that mean for companies working to comply with regulation like the NY DFS regulation?
Companies must assume that data breaches are inevitable and adopt a strategy to Secure the Breach, which means placing security controls directly on the data itself and the users accessing the data. Breaches will happen and cybercriminals will find new ways of hacking into organizations; therefore protecting your assets and data no matter where it is has to become the new strategy to adopt. How do organizations do this? Encrypt all sensitive data at rest and in motion, and securely store and manage all of your encryption keys. Control access and authentication of users.
Encrypting your data: With data as the new oil, find out your most sensitive data that must be protected and apply encryption to all data at rest: databases, applications, personal identifiable information (PII), and storage in the physical and virtual data center. Guarding against advanced threats — while maintaining compliance – is difficult in a dynamic environment where data moves through virtual, cloud and mobile ecosystems. Organizations now need to look at using a data-centric approach to protecting sensitive information.
Securely Store and Manage Encryption Keys: As data expands in volume, type and location, and moves from the data center through virtual environments and to the cloud, organizations must use centralized key management and policy enforcement, ultimately improving compliance, governance, visibility and efficiency.
Control access and authentication of users: Multi- Factor Authentication serves a vital function within any organization: securing access to corporate networks; protecting the identities of users; and ensuring that a user is who he claims to be.
By implementing each of these three steps into your IT infrastructure, companies can effectively prepare for a breach and avoid falling victim to one. Technology in our world today has always been an enabler and a factor for efficiency, yet security has been seen as a blockade to those efficiencies and enablers. With this 3-step approach to security, it allows IT organizations to achieve a strategy of “yes” where security is built around the understanding that the movement and sharing of data is fundamental to business success.
Want to learn more? Download our Secure the Breach manifesto and learn more about these three key steps in protecting your most sensitive information.