Navigating NY DFS Part 500.07: Access Privileges

This section requires that covered entities limit user access privileges to information systems that provide access to nonpublic information. Further, these access privileges must be periodically reviewed.

This is the shortest section of NY DFS 500, at one sentence long. There are no specific requirements set forth with regard to access privileges, other than that the covered entity ‘limit’ access. From a cybersecurity perspective, the general rule when assigning access privileges is to follow the Principle of Least Privilege…

Navigating NY DFS Part 500.04: Chief Information Security Officer

This section’s goal is to assign accountability and ensure that the status of the covered entity’s cybersecurity program is regularly reported up the chain of command. Reports may include any changes or additions to cybersecurity policy or procedure, results of security assessments, security breaches, potential security risks, updates regarding compliance with applicable cybersecurity law, etc…

Navigating NY DFS Part 500.02: Cybersecurity Program

The requirements under NY DFS Section 500.02 are some of the most general within the entire regulation. This section requires the implementation of a cybersecurity program by the covered entity. The goal of the cybersecurity program is to protect the confidentiality, integrity, and availability of the covered entity’s information systems. See 23 NYCRR § 500.02(a). The words “confidentiality, integrity, and availability”, sometimes referred to as the “CIA triad” or “AIC triad” within the cybersecurity community, describe a model used to guide policies for information security…

Navigating NY DFS Part 500.03: Cybersecurity Policy

NY DFS Section 500.03 requires the covered entity to implement and maintain policies and procedures related to the protection of the covered entity’s information systems and nonpublic information stored therein. Said policies and procedures shall be based on the covered entity’s risk assessment and address the following areas to the extent applicable to the covered entity’s operations…