What is NYCRR 500?
On March 1st, 2017, the New York State Department of Financial Services put into effect new cybersecurity requirements of its ‘covered entities’. Those entities include banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers or bankers, and insurance companies that do business in New York.
Within the next 180 days (starting from March 1st 2017), organizations must ensure they have a comprehensive Cybersecurity Program in place, supported by written and implemented Cybersecurity Policies. They also need to limit user access privileges to Information Systems providing access to “Nonpublic Information”. Over the course of the next 12 months full compliance with NYCRR 500 is mandatory, requiring the Chairperson of the Board or Senior Officer of the company is required to sign and file a Certificate of Compliance.
| Section | Title | Transition Period | |||
|---|---|---|---|---|---|
| 180-Days | 12-Months | 18-Months | 24-Months | ||
| 500.02 | Cybersecurity Program | ✔ | |||
| 500.03 | Cybersecurity Policy | ✔ | |||
| 500.04 | Chief Information Security Officer | ✔ | |||
| 500.06 | Audit Trail | ✔ | |||
| 500.07 | Access Privileges | ✔ | |||
| 500.09 | Risk Assessment | ✔ | |||
| 500.13 | Limitations on Data Retention | ✔ | |||
Today I want to focus on what is arguably one of the most important sections, access privileges to Information Systems providing access to “Nonpublic Information”. For many organizations, Active Directory (AD) is the solution that provides privileged access to Nonpublic information. The problem is, it’s become difficult to manage due to many reasons. For example, a migrated directory is inherited from another technology managed by a large number of people with no defined process for day-to-day operations. Unfortunately to those involved in managing AD, cleaning it up may sound like a novel idea, but the potential to introduce unknown problems into the equation proved to be a great barrier in beginning the process. Nonetheless, with the introduction of NYCRR 500, organizations have to tackle this challenge.
How Can You Accomplish This?
Here are 4 steps for ensuring NYCRR 500 compliance:
Step 1: Mitigate Toxic Conditions
Identify and clean up stale users, stale computers, and empty and duplicate groups, keeping track of your progress in de-provisioning workflows.
Step 2: Analyze Groups
Identify who is in what group, including sensitive groups—and where groups are nested or have broken group membership (circular nesting). Then, report on and remediate these issues.
Step 3: Uncover Group Grants
Discover where groups have access, and what level of access, so you can map Active Directory to the business structure. This process helps you close down open shares and implement least privileged access to better protect your data and resources.
Step 4: Determine Ownership
Look at all groups and users assigned to them, determine the manager of the resource, and provide information about the owner. This will you to identify, assign, and involve business data managers so they can provision access.
How Can STEALTHbits Help Achieve NYCRR 500 Compliance?
STEALTHbits can automate the reporting that accompanies every audit and put effective controls in place to ensure those reports have only the news you want your auditor to see.
Find out more by visiting our NYCRR 500 Solution page.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.
Related Posts
- Sensitive Data Discovery for Compliance
- Using The Azure Information Protection (AIP) Scanner to Discover Sensitive Data
- Advanced Data Security Features for Azure SQL- Part 1: Data Discovery & Classification
- How to Protect Office 365 by Classifying Your Data with Microsoft’s AIP Labels
- 2019 Verizon DBIR Key Findings
- 5 Cybersecurity Trends for 2019
- EU GDPR: Paving the Way for New Privacy Laws?
- Announcing Stealthbits Activity Monitor 3.0 & StealthINTERCEPT 5.1
- Key Take Aways from the Ponemon 2018 Cost of Insider Threats Report
- Where Real Organizations Are with EU GDPR 10 Days from Launch
Leave a Reply