Is Your New York Business Meeting Cybersecurity Requirements?
New Rules Mean You Have to Assess Your Online Risks and Develop and Strong Plan
Effective March 1, 2017, the New York State Department of Financial Services (DFS) implemented cybersecurity regulations for financial organizations operating or doing business in the state of New York. Mandated by the regulation, financial organizations must now regularly assess their online risks, implement a thorough cybersecurity plan (including hiring a CISO), and evaluate the risks that third-party vendors and providers pose to their overall security strategy.
Here’s How Neustar Professional Services Can Help
Here are some of the most significant cybersecurity changes and policy requirements the regulation has mandated to implement by August 28, 2017 that Neustar Professional Services can help with:
- Requirement: Each entity shall conduct a periodic risk assessment of its Information Systems sufficient to inform the design of the cybersecurity program.
- Neustar Solution: The Neustar Professional Services Team will propose processes that can keep your network secure, escalate paths for handling problems, identify and mitigate risks, set up security alerts and make recommendations to secure your infrastructure to meet DFS cybersecurity requirements.
Penetration Testing & Vulnerability Assessments
- Requirement: The cybersecurity program for each entity shall include monitoring and testing, developed in accordance with the entity’s risk assessment, designed to assess the effectiveness of the firm’s cybersecurity program. Penetration Testing shall occur annually, and Vulnerability assessments bi-annually.
- Neustar Solution: As the regulation mandates entities to administer Penetration Testing annually and Vulnerability Assessments bi-annually, our security engineers can perform vulnerability assessments that identify potential security holes, router configuration issues, and other potential problems in real-time. We also allow organizations to schedule multiple scans to first establish a baseline, then to assess the deltas moving forward. Our Penetration Testing services offer more in-depth tests that determine how deep potential vulnerabilities may go with recommendations that meet DFS requirements.
Cybersecurity Personnel, Intelligence & Training
- Requirement: Each entity must utilize qualified cybersecurity personnel, an affiliate or a third party service provider to manage cybersecurity risks and to perform or oversee the performance of the core cybersecurity function along with providing personnel with updates and training to address relevant risks.
- Neustar Solution: Neustar’s Security Engineers are all Certified Ethical Hackers (CEH) from the EC-Council and have provided numerous cybersecurity services to financial organizations within the State of New York. The team has also trained and implemented numerous security awareness trainings, including network, physical, social engineering and industry best practices. The services we provide here do not cover or satisfy requirements to designate a qualified Chief Information Security Officer (CISO).
- Requirement: each covered entity shall limit user access privileges to information systems that provide access to nonpublic information and shall periodically review such access privileges.
- Neustar Solution: Neustar can conduct security assessments that will attempt to bypass Network Access Controls (i.e. 802.1x, port security, etc.) implemented to prevent rogue systems from accessing customer’s network(s) and then provide a report with identified gaps and best practices.
- Requirement: Each entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, and procedures for evaluating, assessing or testing the security of externally developed applications.
- Neustar Solution: Our team will conduct a comprehensive security assessment of the scoped web applications and will use specialized tools for web application vulnerability scanning, which will assist in finding the majority of vulnerabilities to provide a foundation for discovering complex flaws through manual testing. We will then attempt to maintain access to compromised systems, identify sensitive information and pivot to extend penetration testing to other areas of the network.
- Requirement: Each entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third party service providers.
- Neustar Solution: Our Professional Services team will assist in the development or review of information security policies and procedures specific to third party relationships. Additionally, our team will collaborate with third party vendors/partners to confirm compliance, identify best practices for data transfer and storage and facilitate the most effective/seamless information security program possible.
Incident Response Plan & Notifications
- Requirement: Each entity shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the covered entity’s information systems or the continuing functionality of any aspect of the covered entity’s business or operations.
- Neustar Solution: Our Professional Services team offers Technical Account Management (TAM) in which dedicated engineers will deliver personalized services to meet your business needs. Whether it’s reporting to DFS of an event or documenting changes per the requirement, our Professional Services Team will work diligently to deliver against the requirements set forth by the regulation.