Ready for the New Global NY DFS Cyber Security Requirements?
New cyber security regulations NY DFS Rule 23 NYCRR 500 take effect March 1, 2017 and are the first such regulations proposed by a state level entity in the nation. The new regulations require cyber security protections to include:
• Cyber security policy (Section 500.3 (a)(7))
• Audit trail (Section 500.06 (a)(2))
• Access privileges (Section 500.07)
• Third-party access controls (Section 500.11 (b)(1))
• Multi-factor authentication (Section 500.12 (b))
• Training and monitoring (Section 500.14 (a)(1))
• Encryption of nonpublic information (Section 500.15 (a)(1))
These regulations will require financial institutions and insurance companies of a certain size to establish and maintain a cyber security program to protect consumers and ensure the safety of those regulated by the Department of Financial Services (DFS). In addition, third-party vendors that do business with entities covered by the DFS regulations will be required to comply with the standard (as part of the primary company’s vendor due diligence program).
How a Software-Defined Perimeter Addresses the Requirements
A Software-Defined Perimeter ensures that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to being able to access any resources on the network. All unauthorized network resources are made inaccessible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.
A Software-Defined Perimeter overcomes the constraints of traditional tools by effectively creating a dynamic, individualized perimeter for each user – a network ‘segment of one’.
Cryptzone’s Software-Defined Perimeter Solution
Cryptzone’s AppGate Software-Defined Perimeter (SDP) solution addresses many of the new NY DFS Rule 23 NYCRR 500 requirements:
- Risk-Based Authentication: In addition to Multi-Factor Authentication, AppGate uses a Risk-Based Authentication (RBA) model, using real-time condition checking to discover changes in user and device attributes, and requiring reauthentication if anomalies or changes are detected. Most traditional user and network access control (NAC) tools do not have RBA as part of their core abilities, while it is a primary tenet of AppGate’s authentication model.
- Granular Access Control: AppGate can be configured to provide granular access control to nonpublic information networks and resources. Even system administrators can be prohibited from accessing certain resources without a trouble ticket or escalated authorization.
- Auditing and Logging: All events managed by AppGate are logged. These logs can be monitored within AppGate, or exported to any enterprise SIEM solution for event correlation and management. These logs can also be used to generate audit evidence of compliance, using the AppGate reporting tool or a third-party reporting system.
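To make the three behaviours above concrete (nothing reachable before authentication, a per-user "segment of one", and risk-based reauthentication when device attributes change, with every decision logged), here is a small added model of a perimeter session broker. It is illustrative code written for this article, not AppGate's implementation; the policy table, resource names and device attributes are constructed.

```python
"""Toy model of a software-defined perimeter session broker.

Constructed example: POLICY, RESOURCES and the device attributes are
made up for illustration and do not describe any real product.
"""
from dataclasses import dataclass, field

# Hypothetical entitlements: which user may reach which resources.
POLICY = {
    "alice": {"payroll-db", "hr-share"},
    "bob": {"hr-share"},
}
# Hypothetical set of resources that exist behind the perimeter.
RESOURCES = {"payroll-db", "hr-share", "admin-console"}


@dataclass
class Session:
    user: str
    device: dict          # last-seen device posture attributes
    mfa_ok: bool          # has this endpoint completed MFA?
    audit: list = field(default_factory=list)  # audit trail of decisions

    def reachable(self) -> set:
        """Resources this endpoint can even see: nothing until MFA passes,
        then only the user's entitled set (a 'segment of one')."""
        if not self.mfa_ok:
            self.audit.append(f"deny all for {self.user}: not authenticated")
            return set()
        allowed = POLICY.get(self.user, set()) & RESOURCES
        self.audit.append(f"{self.user} segment: {sorted(allowed)}")
        return allowed

    def recheck(self, device_now: dict) -> bool:
        """Risk-based re-evaluation: if any tracked device attribute changed
        since the last check, drop authentication and require MFA again.
        Returns True when the session is still trusted."""
        keys = set(self.device) | set(device_now)
        changed = {k for k in keys if self.device.get(k) != device_now.get(k)}
        if changed:
            self.mfa_ok = False
            self.audit.append(f"reauth required for {self.user}: {sorted(changed)} changed")
        self.device = device_now
        return not changed


def demo():
    s = Session("alice", {"os_patched": True, "disk_encrypted": True}, mfa_ok=False)
    before = s.reachable()   # set(): unauthenticated endpoints see nothing
    s.mfa_ok = True
    after = s.reachable()    # {'hr-share', 'payroll-db'}: alice's segment only
    still_ok = s.recheck({"os_patched": False, "disk_encrypted": True})  # False
    post = s.reachable()     # set() again until alice re-authenticates
    return before, after, still_ok, post, s.audit
```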
Cryptzone can apply the user-centric, policy-based security controls necessary to meet these new requirements uniformly across traditional, cloud or hybrid environments – removing variability, complexity and costs associated with today’s point solutions.
NY DFS Cyber Security Regulation – AppGate Specific Mapping
AppGate addresses seven of the requirements on cyber security policy, audit trails, access privileges, third-party service provider security policy, multi-factor authentication, training and monitoring and encryption of nonpublic information.
For a breakdown of how AppGate’s Software-Defined Perimeter maps to these requirements click here.
You have less than two months – don’t go it alone.