Everything you ever wanted to know about security policy management, and much more.
The regulations came into effect on March 1st 2017, and their extended requirements came into force last month, mandating relevant organizations to implement security policies to cover their third-party service providers as well as themselves.
If you aren’t too familiar with the requirements, time is of the essence.
First, you need to understand precisely which entities come under the new requirements. The regulations apply to every ‘covered entity’, which can be an individual, a partnership, a corporation or an association, and includes commercial banks and trust companies, check cashers, domestic and foreign representative bank offices, health insurers, life insurance companies, money transmitters, mortgage brokers, loan originators and loan servicers, property and casualty insurance companies, sales finance companies, and service contract providers.
It’s an extensive list, so if you are unclear as to whether your organization is covered, refer to the full requirements here.
If your organization does fall under the requirements, there are four main areas that you need to act on:
While the list might seem short, the technologies, policies and processes required to comprehensively complete these items can be very complex. Your Cybersecurity Program, for example, should include an element of proactivity, either with continuous monitoring or regular penetration testing and vulnerability assessments. It should cover access controls, ensuring that sensitive information is not easily available, and effective controls such as multi-factor authentication or risk-based authentication should be in place to prevent unauthorized access to nonpublic information and systems. You will need to design and implement risk-based policies, procedures and controls for monitoring user activity, and a written incident response plan should be in place. Of course, everything you do should include a thorough audit trail.
When it comes to creating policy in line with the requirements of the ISO 27001 standard, you must ensure it covers: systems and network security, information security, access controls, disaster recovery planning, customer data privacy and regular risk assessments.
Here, there are two key steps. First, your (potentially newly appointed) Chief Information Security Officer needs to report annually to either your board of directors or a senior officer on the implementation and effectiveness of every element covered above. This report should also include a run-through of any material cybersecurity events.
Second, from there the board of directors or a senior officer needs to provide a written statement to the New York State Superintendent of Financial Services certifying that the Cybersecurity Program complies with this regulation.
AlgoSec is well-versed in helping organizations to achieve and maintain compliance with these requirements. By using AlgoSec’s network security policy management solution, organizations can automatically align their network security with the key requirements of ISO 27001 and, crucially, generate a clear and automated audit trail for demonstrating that compliance.
For more details on how AlgoSec can help you address your compliance needs, click here.