The New York State Department of Financial Services (NYDFS) has defined Title 23 Part 500 of the Official Compilation of Codes, Rules and Regulations of the State of New York (NYCRR), covering minimum cybersecurity standards designed to promote the protection of customer information and the IT systems of financial entities operating in NY state. This comprehensive regulation is a standard against which to measure the effectiveness of cybersecurity infrastructure, personnel, policies, risk assessments, and audits, ensuring that organizations keep pace with technological advancements.

RedLegg offers multiple solutions to meet 23 NYCRR 500 requirements.  The various solutions adapt to meet the needs of your organization’s size and current security posture.

• Enterprise Security Assessment – A multi-phased approach designed to provide a holistic evaluation of security posture and risk, including review of regulatory compliance, security controls, internal and external vulnerabilities, secure code, and social engineering vulnerability.
• vCISO – A Digital Strategic Security Program (virtual CISO) that enables small- and medium-sized organizations (SMBs) to leverage the expertise of an experienced cybersecurity team while minimizing time and resource investments.
• Policy Framework Development – A document development methodology focusing on standards, guidelines, policies, and procedures that inform users of their responsibilities, define the security protection program, and implement appropriate protection initiatives.
• Application Security – A methodology, based on proven industry best practices, to determine whether your organization’s applications are secure, including network review, system testing, application testing (threat modeling and secure code review), risk analysis, and IoT configuration review (if needed).
• Secure Code Review – A process for assessing the risks to your applications, including review of customer-specific applications and verifying code, line-by-line, to ensure that every aspect is secure.
• Penetration Testing – A determination of exposure to risk and vulnerabilities as well as the identification, definition, and creation of a specific, actionable remediation plan, including internal testing (threat vulnerabilities of your internal resources) and external testing (vulnerabilities in your systems due to actors outside your security perimeter).

The following table lists the RedLegg solutions that address the NYDFS:

The Federal Financial Institutions Examination Council (FFIEC) is a federal interagency body, comprised of five (5) regulatory agencies plus a state liaison committee, that provides government oversight of US financial institutions.  FFIEC prescribes cybersecurity standards to reduce vulnerability in the financial industry, including third-party service providers.  Compliance with the guidelines requires comprehensive internal assessment and solutions implementation, including ongoing risk assessments, to identify security weaknesses and address threats.

Cybersecurity Assessment Tool

The FFIEC Cybersecurity and Critical Infrastructure Working Group has created a Cybersecurity Assessment Tool that “provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time”.  The assessment tool maps to the NIST Cybersecurity Framework and consists of two (2) parts: Inherent Risk Profile and Cybersecurity Maturity.

Inherent Risk Profile

The Inherent Risk Profile enables financial institution managers to identify inherent organizational risk (least, minimal, moderate, significant, or most), absent implemented controls.  The profile assesses five (5) main categories, with the number of items assessed for each:

• Technologies and Connection Types (14)
• Delivery Channels (3)
• Online/Mobile Products and Technology Services (14)
• Organizational Characteristics (7)
• External Threats (1)

Cybersecurity Maturity

The Cybersecurity Maturity portion of the assessment covers “domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices”.  Institution managers evaluate organizational maturity level (baseline, evolving, intermediate, advanced, and innovative) across each of five (5) major domains:

• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience

Go deeper into our GDPR-related services here!

The NIST Cybersecurity Framework (CSF) was first published by the National Institute of Standards and Technology, an agency of the US Department of Commerce, in 2014.  It provides taxonomy and methodology to proactively manage and reduce risk in the cybersecurity infrastructure.  Organizations use this framework in tandem with an assessment of the specific threats and security challenges they face.  While compliance with the framework is voluntary, some organizations require that their vendors do comply, and regulators are calling for compliance, including the Federal Financial Institutions Examination Council (FFIEC).

Implementation Categories

The NIST CSF focuses on the business drivers that guide cybersecurity efficacy and includes cybersecurity risks as part of an organization’s management processes, including core, profile, and implementation categories:

• Core – Consists of five (5) main functions: Identify, Protect, Detect, Respond, and Recover, with multiple subcategories addressing cybersecurity outcomes and controls.
• Profile – Typically split into Current and Target Profiles, defines an organization’s baseline security and the required final configuration and outcomes, based on assessment and tailoring of critical infrastructure and processes.
• Tiers – Aids in clarifying and communicating cybersecurity implementation across an organization.

(Source:  https://www.nist.gov/document-3764: 01/11/2018.)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions, and to protect cardholders against misuse of their personal information.

The PCI Security Standards Council is a global organization that maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data across the globe.  The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa, Inc.  They share equally in governance and execution of the Council's work.

The following table lists the high-level requirements used in PCI gap assessments:

(Source:  PCI DSS Requirements and Security Assessment Procedures, v3.2 April 2016: p.5.)