NY State's Department Cybersecurity Regulation: How to gain certification within timelines
May 25, 2017
Alan Calder
IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING
Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to Data Security and ISO27001/27002
• Led the world's first successful implementation of ISO 27001 (then BS 7799)
www.itgovernanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Leading global provider
• The single source for everything to do with cybersecurity, cyber risk management, and IT governance
• Our team of dedicated and knowledgeable trainers and consultants have helped over 400 organizations worldwide achieve ISO 27001 certification
• Our mission is to engage with business executives, senior managers, and IT professionals, and to help them:
– Protect and secure their intellectual capital
– Comply with relevant regulations
– Thrive as they achieve strategic goals through better IT management
IT Governance Ltd: One-stop shop
All verticals, all sectors, all organizational sizes
Agenda
• The direct effect on your business and the transition timelines
• How ISO 27001, the internationally recognized standard, can help you achieve certification in a timely and cost-effective manner
• Conducting a gap analysis to determine the technical and organizational measures your business will need to adopt to comply with the Regulation
• Developing policies and procedures that comply with the Regulation
• Additions to your cybersecurity program and policy, including appointing personnel and creating an incident response plan to meet the 180-day deadline
NYDFS Cybersecurity Requirements for Financial Services Companies
• Calls for all NY financial institutions to implement security measures in order to protect themselves against cyber attacks
• Increase in cyber threats toward the financial industry
• The Identity Theft Resource Center revealed in 2016 that financial organizations suffered 52 breaches and 72,000 records were compromised
One of the largest attacks reported on a financial institution yet
• 2016 malware attack on Bangladesh Central Bank's SWIFT payment system resulted in $81 million being stolen
• Cyber criminals attempted to make fraudulent transfers that totalled $951 million from the Bangladesh Central Bank's account at the Federal Reserve Bank of New York
Financial Services one of the highest-ranked industries for breaches
• SecurityScorecard studied 361 global organizations that were breached between Jun 2015 - Apr 2016
• Of these, financial services organizations accounted for over 10%
Non-compliance and penalties
• Under the Financial Services Law 102, 201, 202, 301, 302, and 408, the NYDFS Superintendent has the authority to:
– Carry out civil penalties
– Impose fines for the non-compliance of regulations and false reporting
• Just this year, the NYDFS fined Deutsche Bank $425 million for violating anti-money laundering laws that involved inadequate precautions to identify compliance issues, including:
– Inaccurate and insufficient documentation
– Weak risk assessment
– Under-resourced staff
Threat landscape: Overview
• Threat actors: Non-target specific, Employees, Terrorists, Hacktivists, Organized crime, Natural disasters, Nation states, Competitors
• Attack vectors: People, Processes, Technology
• Threat types: Malware, Web attacks, Denial of service, Social engineering, Exploit kits, Ransomware, Etc.
• Threat targets: IP, Card data, PII, Money, Reputation, Commercial info
Timelines
• 180 days
– Section 500.02 Cybersecurity Program
– Section 500.03 Cybersecurity Policy
– Section 500.07 Access Privileges
– Section 500.10 Cybersecurity Personnel and Intelligence
– Section 500.16 Incident Response Plan
• 1 year
– Section 500.04 (b) Chief Information Security Officer (CISO)
– Section 500.05 Penetration Testing and Vulnerability Assessments
– Section 500.09 Risk Assessment
– Section 500.12 Multi-Factor Authentication
– Section 500.14 (b) Training and Monitoring
• 18 months
– Section 500.06 Audit Trail
– Section 500.08 Application Security
– Section 500.13 Limitations on Data Retention
– Section 500.14 (a) Training and Monitoring
– Section 500.15 Encryption of Nonpublic Information
• 2 years
– Section 500.11 Third Party Service Provider Security Policy
• The requirements became effective on March 1, 2017, with the reporting requirement kicking in on February 15, 2018.
Who must comply
• Financial services based in New York
– Banking institutions
– Savings and loan organizations
– Private bankers
– Trust companies
– Insurance agencies
– Health insurers
– Check cashers
Any financial institution that falls under NYDFS supervision
• To be exempt, companies must have:
– fewer than 10 employees
– less than $5M in revenue (over last 3 years)
– less than $10M in total assets
Additional exemptions of sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 vary for entities that do not handle, access, possess, or own non-public information
Why ISO 27001?
• Internationally recognized standard
• Best-practice solution
• Substantial eco-system of implementers
• Leading companies have implemented it, including:
– Citibank
– Amazon Web Services
– IBM
– Microsoft
– The Federal Reserve Bank of New York
• Co-ordinates multiple legal & contractual compliance requirements
• Built around business-focused risk assessment
• Balances Confidentiality, Integrity, Availability
• Achieve certification in a timely and cost-effective manner
ISO 27001
[Slide diagram: structure of the standards. ISO 27001:2013: clauses 0 to 3 (Introduction, Application, Terms and definitions), clauses 4 to 10 (Security …), Annex A: A.5 to A.18 (control objectives, controls), Annex B. ISO 27002:2013: clauses 1 to 4 (Introduction, Scope and norm ref., Terms and definitions, Structure and risk ass.), clauses 5 to 18 (Security …: control objectives, controls; each control presented as Control, Implementation guidance, Other info), Bibliography. ISO 27000:2016 is also shown.]
Annex A: 14 control categories
• 5 Infosec policies
• 6 Organization of infosec
• 7 Human resources security
• 8 Asset management
• 9 Access control
• 10 Cryptography
• 11 Physical and environmental sec.
• 12 Operations security
• 13 Comms security
• 14 System acq., dev. & mtnce.
• 15 Supplier relationships
• 16 Infosec incident management
• 17 Infosec aspects of BC mgmt
• 18 Compliance
114 controls in total
Gap analysis/risk assessment (Cybersecurity Program, Section 500.2)
• A cybersecurity program must be informed by the results of a risk assessment, which determines the risks facing the organization, its information, and its information systems
– This will enable the organization to select the relevant controls and additional measures that might be applicable
• Report on the state of organizational compliance
– A gap analysis should be conducted to determine the technical and organizational measures your business will need to adopt in order to comply with the Regulation
vsRisk™ (v3.0)
NIST, PCI DSS
Developing policies and procedures (Cybersecurity Policy, Section 500.3)
• Information security
• Data governance and classification
• Asset inventory and device management
• Access controls and identity management
• Business continuity and disaster recovery planning and resources
• Systems operations and availability concerns
• Systems and network security
• Systems and network monitoring
• Physical security and environmental controls
• Customer data privacy
• Vendor and third-party service provider management
• Risk assessment
• Incident response
Appointing personnel (Section 500.10)
• Cybersecurity personnel and intelligence
• Integrated approach
• The correct mix of skills is available and maintained
• Awareness appropriate for cybersecurity issues
Incident response plan (Section 500.16)
• The Regulation requires a written incident response plan
• An effective set of information security event and incident arrangements can be established by considering the security controls
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements:
– Part 1 – The Regulation and the ISO 27001 standard
– Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
– https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk Assessment and ISO 27001
– https://www.itgovernanceusa.com/risk_assessments
Live Online training courses
Course: New York DFS Cybersecurity & ISO27001 Certified ISMS Foundation Online
– Price: $688
– Duration: 1 day (9:00 - 5:00 EST/EDT)
– Qualification: CIS F
– Dates: May 30, Aug 22, Nov 28, Feb 13th 2018
– Format: Live Online
– Time: US - 9:00 - 5:00 EST/EDT
Course: New York DFS Cybersecurity & ISO27001 Certified ISMS Lead Implementer Online
– Price: $2244
– Duration: 3 day (9:00 - 5:00 EST/EDT)
– Qualification: CIS LI
– Dates: May 31-Jun 2, Aug 23-25, Nov 29-Dec 1, Feb 14th-16th 2018
– Format: Live Online
– Time: US - 9:00 - 5:00 EST/EDT
Books, standards, and tools
• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
Receive 20% off this toolkit when you book a place on any New York DFS Cybersecurity & ISO 27001 Live Online course
• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
– ISO/IEC 27001 2013 (ISO 27001 Standard) ISMS Requirements