NY State’s Department Cybersecurity Regulation: How to gain certification within timelines

May 25, 2017

Alan Calder

IT Governance Ltd

www.itgovernanceusa.com

PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING

Introduction

• Alan Calder

• Founder of IT Governance Ltd

• Author of IT Governance: An International Guide to Data Security and ISO27001/27002

• Led the world’s first successful implementation of ISO 27001 (then BS 7799)

TM

www.itgoverrnanceusa.com

Copyright IT Governance Ltd 2017 – v1.0

Leading global provider

• The single source for everything to do with cybersecurity, cyber risk management, and IT governance

• Our team of dedicated and knowledgeable trainers and consultants have helped over 400 organizations worldwide achieve ISO 27001 certification

• Our mission is to engage with business executives, senior managers, and IT professionals, and to help them:

– Protect and secure their intellectual capital

– Comply with relevant regulations

– Thrive as they achieve strategic goals through better IT management


IT Governance Ltd: One-stop shop

All verticals, all sectors, all organizational sizes


Agenda

• The direct effect on your business and the transition timelines

• How ISO 27001, the internationally recognized standard, can help you achieve certification in a timely and cost-effective manner

• Conducting a gap analysis to determine the technical and organizational measures your business will need to adopt to comply with the Regulation

• Developing policies and procedures that comply with the Regulation

• Additions to your cybersecurity program and policy, including appointing personnel and creating an incident response plan to meet the 180-day deadline


NYDFS Cybersecurity Requirements for Financial Services Companies

• Calls for all NY financial institutions to implement security measures in order to protect themselves against cyber attacks

• Increase in cyber threats toward the financial industry

• The Identity Theft Resource Center revealed in 2016 that financial organizations suffered 52 breaches and 72,000 records were compromised


One of the largest attacks reported on a financial institution yet

• 2016 malware attack on Bangladesh Central Bank’s SWIFT payment system resulted in $81 million being stolen

• Cyber criminals attempted to make fraudulent transfers that totalled $951 million from the Bangladesh Central Bank's account at the Federal Reserve Bank of New York


Financial Services one of the highest-ranked industries for breaches

• SecurityScorecard studied 361 global organizations that were breached between Jun 2015 - Apr 2016

• Of these, financial services organizations accounted for over 10%


Non-compliance and penalties

• Under the Financial Services Law 102, 201, 202, 301, 302, and 408, the NYDFS Superintendent has the authority to:

– Carry out civil penalties

– Impose fines for non-compliance with regulations and for false reporting

• Just this year, the NYDFS fined Deutsche Bank $425 million for violating anti-money laundering laws; the case involved inadequate precautions to identify compliance issues, including:

– Inaccurate and insufficient documentation

– Weak risk assessment

– Under-resourced staff


Threat landscape: Overview

• Threat actors: Non-target specific, Employees, Terrorists, Hacktivists, Organized crime, Natural disasters, Nation states, Competitors

• Attack vectors: People, Processes, Technology

• Threat targets: IP, Card data, PII, Money, Reputation, Commercial info

• Threat types: Malware, Web attacks, Denial of service, Social engineering, Exploit kits, Ransomware, Etc.


Timelines

• 180 days

– Section 500.02 Cybersecurity Program

– Section 500.03 Cybersecurity Policy

– Section 500.07 Access Privileges

– Section 500.10 Cybersecurity Personnel and Intelligence

– Section 500.16 Incident Response Plan

• 1 year

– Section 500.04 (b) Chief Information Security Officer (CISO)

– Section 500.05 Penetration Testing and Vulnerability Assessments

– Section 500.09 Risk Assessment

– Section 500.12 Multi-Factor Authentication

– Section 500.14 (b) Training and Monitoring

• 18 months

– Section 500.06 Audit Trail

– Section 500.08 Application Security

– Section 500.13 Limitations on Data Retention

– Section 500.14 (a) Training and Monitoring

– Section 500.15 Encryption of Nonpublic Information

• 2 years

– Section 500.11 Third Party Service Provider Security Policy

• The requirements became effective on March 1, 2017, with the reporting requirement kicking in on February 15, 2018.


Who must comply

• Financial services based in New York

– Banking institutions

– Savings and loan organizations

– Private bankers

– Trust companies

– Insurance agencies

– Health insurers

– Check cashers

– Any financial institution that falls under NYDFS supervision

• To be exempt, companies must have:

– fewer than 10 employees

– less than $5M in revenue (over last 3 years)

– less than $10M in total assets

• Additional exemptions from sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 vary for entities that do not handle, access, possess, or own non-public information


Why ISO 27001?

• Internationally recognized standard

• Best-practice solution

• Substantial eco-system of implementers

• Leading companies have implemented it

– Citibank

– Amazon Web Services

– IBM

– Microsoft

– The Federal Reserve Bank of New York

• Co-ordinates multiple legal & contractual compliance requirements

• Built around business-focused risk assessment

• Balances Confidentiality, Integrity, Availability

• Achieve certification in a timely and cost-effective manner


ISO 27001

[Diagram: how the standards fit together]

• ISO 27001:2013 – clauses 0 to 3 (Introduction, Application, Terms and definitions), clauses 4 to 10, Annex A: A.5 to A.18 (Security …: control objectives and controls), Annex B

• ISO 27000:2016 – Introduction, Scope and norm ref., Terms and definitions, Structure and risk ass., Bibliography

• ISO 27002:2013 – clauses 1 to 4, clauses 5 to 18 (Security …: control objectives and controls; each control with Control, Implementation guidance, Other info)


Annex A: 14 control categories

• 5 Infosec policies

• 6 Organization of infosec

• 7 Human resources security

• 8 Asset management

• 9 Access control

• 10 Cryptography

• 11 Physical and environmental sec.

• 12 Operations security

• 13 Comms security

• 14 System acq., dev. & mtnce.

• 15 Supplier relationships

• 16 Infosec incident management

• 17 Infosec aspects of BC mgmt

• 18 Compliance

114 controls in total


Gap analysis/risk assessment (Cybersecurity Program 500.2)

• A cybersecurity program must be informed by the results of a risk assessment, which determines the risks facing the organization, its information, and its information systems

– This will enable the organization to select the relevant controls and additional measures that might be applicable

• Report on the state of organizational compliance

– A gap analysis should be conducted to determine the technical and organizational measures your business will need to adopt in order to comply with the Regulation


vsRisk™ (v3.0)

[Product screenshot; labels visible: NIST, PCI DSS]


Developing policies and procedures (Cybersecurity Policy, Section 500.3)

• Information security

• Data governance and classification

• Asset inventory and device management

• Access controls and identity management

• Business continuity and disaster recovery planning and resources

• Systems operations and availability concerns

• Systems and network security

• Systems and network monitoring

• Physical security and environmental controls

• Customer data privacy

• Vendor and third-party service provider management

• Risk assessment

• Incident response


Appointing personnel (Section 500.10)

• Cybersecurity personnel and intelligence

• Integrated approach

• The correct mix of skills is available and maintained

• Awareness appropriate for cybersecurity issues


Incident response plan (Section 500.16)

• The Regulation requires a written incident response plan

• An effective set of information security event and incident arrangements can be established by considering the security controls


Valuable resources

• Free green papers: NYDFS Cybersecurity Requirements:

º Part 1 – The Regulation and the ISO 27001 standard

º Part 2 – Mapped alignment with ISO 27001

• More information on ISO 27001 and the Regulation

º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity

• Risk Assessment and ISO 27001

º https://www.itgovernanceusa.com/risk_assessments


Live Online training courses

Course: New York DFS Cybersecurity & ISO27001 Certified ISMS Foundation Online

– Price: $688

– Duration: 1 day (9:00 - 5:00 EST/EDT)

– Qualification: CIS F

– Dates: May 30, Aug 22, Nov 28, Feb 13th 2018

– Format: Live Online

– Time: US - 9:00 - 5:00 EST/EDT

Course: New York DFS Cybersecurity & ISO27001 Certified ISMS Lead Implementer Online

– Price: $2244

– Duration: 3 days (9:00 - 5:00 EST/EDT)

– Qualification: CIS LI

– Dates: May 31-Jun 2, Aug 23-25, Nov 29-Dec 1, Feb 14th-16th 2018

– Format: Live Online

– Time: US - 9:00 - 5:00 EST/EDT


Books, standards, and tools

• ISO 27001 Cybersecurity Documentation Toolkit

– https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit

– Receive 20% off this toolkit when you book a place on any New York DFS Cybersecurity & ISO 27001 Live Online course

• vsRisk™ – risk assessment software

– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic

• ISO 27001 standards

– ISO/IEC 27001 2013 (ISO 27001 Standard) ISMS Requirements


Questions and answers