4 Steps to Ensure NYCRR 500 Compliance

On March 1st, 2017, the New York State Department of Financial Services put into effect new cybersecurity requirements of its ‘covered entities’. Those entities include banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers or bankers, and insurance companies that do business in New York.

Within the next 180 days (starting from March 1st 2017), organizations must ensure they have a comprehensive Cybersecurity Program in place, supported by written and implemented Cybersecurity Policies. They also need to limit user access privileges to Information Systems providing access to “Nonpublic Information”. Full compliance with NYCRR 500 is mandatory within the next 12 months, at which point the Chairperson of the Board or a Senior Officer of the company is required to sign and file a Certificate of Compliance.

Transition periods under NYCRR 500: 180 days, 12 months, 18 months, 24 months.

Section   Title
500.02    Cybersecurity Program
500.03    Cybersecurity Policy
500.04    Chief Information Security Officer
500.06    Audit Trail
500.07    Access Privileges
500.09    Risk Assessment
500.13    Limitations on Data Retention

Today I want to focus on what is arguably one of the most important sections: access privileges to Information Systems providing access to “Nonpublic Information”. For many organizations, Active Directory (AD) is the solution that provides privileged access to Nonpublic Information. The problem is that AD has become difficult to manage, for many reasons. A common example is a migrated directory, inherited from another technology and managed by a large number of people with no defined process for day-to-day operations. For those involved in managing AD, cleaning it up may sound like a good idea, but the potential to introduce unknown problems has proved a great barrier to getting started. Nonetheless, with the introduction of NYCRR 500, organizations have to tackle this challenge.

How can you accomplish this?

Here are 4 steps for ensuring compliance:

Step 1: Mitigate Toxic Conditions

Identify and clean up stale users, stale computers, and empty and duplicate groups, keeping track of your progress in de-provisioning workflows.

Step 2: Analyze Groups

Identify who is in what group, including sensitive groups—and where groups are nested or have broken group membership (circular nesting). Then, report on and remediate these issues.

Step 3: Uncover Group Grants

Discover where groups have access, and at what level, so you can map Active Directory to the business structure. This process helps you close down open shares and implement least-privilege access to better protect your data and resources.

Step 4: Determine Ownership

Look at all groups and the users assigned to them, determine the manager of the resource, and record information about the owner. This will allow you to identify, assign, and involve business data managers so they can provision access.
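As an added example (not code from the original post or from STEALTHbits), the following PowerShell script runs a read-only audit pass over the four steps above using the RSAT ActiveDirectory module, writing one CSV per finding so progress can be tracked. It assumes a domain-joined host with read access to the directory; the stale-account threshold, the share path and the list of sensitive groups are placeholders to adjust for your environment.

```powershell
# Added example: read-only evidence gathering for the four AD clean-up steps.
# Assumptions: RSAT ActiveDirectory module installed; $SharePath and $StaleDays
# are placeholders; nothing here modifies the directory or any ACL.
Import-Module ActiveDirectory

$StaleDays = 90                              # placeholder inactivity threshold
$SharePath = '\\FILESERVER\Finance'          # placeholder share to inspect in Step 3
$ReportDir = Join-Path $env:USERPROFILE 'AD-Audit'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Step 1: stale users, stale computers, empty groups
$inactive = New-TimeSpan -Days $StaleDays
Search-ADAccount -AccountInactive -TimeSpan $inactive -UsersOnly |
    Select-Object Name, SamAccountName, LastLogonDate, Enabled |
    Export-Csv (Join-Path $ReportDir 'stale-users.csv') -NoTypeInformation
Search-ADAccount -AccountInactive -TimeSpan $inactive -ComputersOnly |
    Select-Object Name, LastLogonDate, Enabled |
    Export-Csv (Join-Path $ReportDir 'stale-computers.csv') -NoTypeInformation
Get-ADGroup -Filter * -Properties Members |
    Where-Object { $_.Members.Count -eq 0 } |
    Select-Object Name, DistinguishedName |
    Export-Csv (Join-Path $ReportDir 'empty-groups.csv') -NoTypeInformation

# Step 2: who is (transitively) in the sensitive groups, and where nesting loops back
$Sensitive = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators'
$Sensitive | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, objectClass, SamAccountName
} | Export-Csv (Join-Path $ReportDir 'sensitive-members.csv') -NoTypeInformation

function Find-CircularGroup {
    # Depth-first walk over group-in-group membership. A group that reappears on
    # its own nesting path is reported once as a cycle string.
    param(
        [Parameter(Mandatory)] [string]   $GroupDN,
        [string[]] $Path = @()
    )
    if ($Path -contains $GroupDN) {
        return [pscustomobject]@{ Cycle = ($Path + $GroupDN) -join ' -> ' }
    }
    Get-ADGroupMember -Identity $GroupDN |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object {
            Find-CircularGroup -GroupDN $_.DistinguishedName -Path ($Path + $GroupDN)
        }
}
Get-ADGroup -Filter * |
    ForEach-Object { Find-CircularGroup -GroupDN $_.DistinguishedName } |
    Sort-Object Cycle -Unique |
    Export-Csv (Join-Path $ReportDir 'circular-groups.csv') -NoTypeInformation

# Step 3: explicit (non-inherited) grants on the share, flagging broad principals
$Broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\Domain Users"
(Get-Acl -Path $SharePath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object @{ n = 'Path'; e = { $SharePath } },
                  IdentityReference, FileSystemRights, AccessControlType,
                  @{ n = 'OpenShare'; e = { $Broad -contains $_.IdentityReference.Value } } |
    Export-Csv (Join-Path $ReportDir 'share-grants.csv') -NoTypeInformation

# Step 4: ownership via the managedBy attribute; groups without one need a business owner
Get-ADGroup -Filter * -Properties ManagedBy, Description |
    Select-Object Name,
                  @{ n = 'Owner'; e = {
                      if ($_.ManagedBy) { (Get-ADObject -Identity $_.ManagedBy -Properties mail).mail }
                      else { 'UNASSIGNED' }
                  } },
                  Description |
    Export-Csv (Join-Path $ReportDir 'group-owners.csv') -NoTypeInformation

Write-Host "Reports written to $ReportDir"
```

The script deliberately stops at reporting: de-provisioning stale accounts, un-nesting groups and tightening share ACLs should be driven from the CSVs through a change process with an identified owner, which is what the Certificate of Compliance ultimately attests to.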

How can STEALTHbits help?

Find out more by visiting our NYCRR 500 Solution page.

Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.
