The New York State Department of Financial Services (DFS) new cybersecurity standard, New York Codes, Rules and Regulations Part 500 (NYCRR 500), extends past New York state limits to “subsidiaries or affiliates”. The regulation mandates that each institution have a cybersecurity program, a Chief Information Security Officer (CISO), access controls, asset management, data governance, software development practices, annual certification of its compliance, and more. As regulatory compliance standards go, NYCRR 500 is one of the best written; many other regulations, such as PCI-DSS, HIPAA, SOX and GLBA, can be hard to digest and abide by.
In a previous blog post, 4 Steps to Ensure NYCRR 500 Compliance, Gabriel Gumbs outlines the four key steps to take:
Step 1: Mitigate Toxic Conditions
Identify and clean up stale users, stale computers, and empty and duplicate groups, tracking your progress in de-provisioning workflows.
Step 2: Analyze Groups
Identify who is in which group, including sensitive groups, and where groups are nested or have broken group membership (circular nesting). Then report on and remediate these issues.
Step 3: Uncover Group Grants
Discover where groups have access, and at what level, so you can map Active Directory to the business structure. This process helps you close down open shares and implement least-privilege access to better protect your data and resources.
Step 4: Determine Ownership
Look at all groups and the users assigned to them, determine the manager of the resource, and record information about the owner. This enables you to identify, assign, and involve business data managers so they can provision access.
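As an added illustration of the checks behind Steps 1 and 2 (this is not code from the original post or from any product it describes), the following Python runs empty-group, duplicate-group and circular-nesting checks over a constructed group export and flattens nested membership; the GROUPS data and all function names are assumptions made for the example.

```python
"""Hygiene checks over an AD-style group graph (constructed sample data).

GROUPS maps a group name to its direct members.  A member that is itself a
key of GROUPS is a nested group; any other member is treated as a user.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample export, not real directory data.
GROUPS: Dict[str, List[str]] = {
    "Finance-Admins": ["alice", "Finance-Users"],
    "Finance-Users": ["bob", "Finance-Admins"],   # nests back into Finance-Admins
    "Finance-Backup": ["alice", "Finance-Users"], # same members as Finance-Admins
    "HR-Readers": ["carol"],
    "Legacy-Share-RW": [],                        # nobody in it any more
    "Domain-Admins": ["dave", "HR-Readers"],
}

def find_empty_groups(groups: Dict[str, List[str]]) -> List[str]:
    """Step 1: groups with no members at all are candidates for removal."""
    return sorted(g for g, members in groups.items() if not members)

def find_duplicate_groups(groups: Dict[str, List[str]]) -> List[Tuple[str, ...]]:
    """Step 1: non-empty groups whose direct membership is identical."""
    by_members: Dict[frozenset, List[str]] = {}
    for g, members in groups.items():
        if members:
            by_members.setdefault(frozenset(members), []).append(g)
    return sorted(tuple(sorted(v)) for v in by_members.values() if len(v) > 1)

def find_circular_nesting(groups: Dict[str, List[str]]) -> List[Tuple[str, ...]]:
    """Step 2: depth-first walk that reports each cycle of nested groups once."""
    cycles: Set[Tuple[str, ...]] = set()
    def walk(node: str, path: List[str]) -> None:
        for member in groups.get(node, []):
            if member not in groups:
                continue                      # a user, not a nested group
            if member in path:                # we have been here on this path
                cycles.add(tuple(sorted(path[path.index(member):])))
            else:
                walk(member, path + [member])
    for g in groups:
        walk(g, [g])
    return sorted(cycles)

def effective_members(groups: Dict[str, List[str]], group: str) -> Set[str]:
    """Step 2: flatten nesting into the set of users, tolerating cycles."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue                          # cycle guard
        seen.add(g)
        for m in groups.get(g, []):
            (stack if m in groups else users).add(m) if m not in groups else stack.append(m)
    return users
```

Run the functions against GROUPS to see one empty group, one duplicate pair, one circular pair, and the flattened membership of each group; the same functions apply unchanged to a real export once it is loaded into the same dict shape.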
To find out more, visit our NYCRR 500 Solution page.