New York Cybersecurity 23 NYCRR 500 Services
We can make 23 NYCRR 500 compliance easier.
23 NYCRR 500 Compliance Assessments
As part of our NYCRR compliance assessments we help identify which areas of NYCRR 500 are strengths and which are opportunities for improvement. For each area of opportunity we develop a list of recommendations to support your team in remediating any compliance or security shortcomings.
23 NYCRR 500 Advisory
Our NYCRR advisory services are well suited to tough-to-solve NYCRR questions. This may include working through IT and security architectural challenges, deploying supporting access models, using Multi-Factor Authentication across many agents, or simply implementing policy.

23 NYCRR 500 Security Services Alignment:
REQUIREMENT | HOW WE HELP |
---|---|
500.02 Cybersecurity Program | |
(a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. | Security Program Assessment |
(b) The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform core cybersecurity functions. | Risk Assessment Services; Incident Response Planning |
(c) A Covered Entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the Covered Entity. | NuHarbor Security Managed Services |
(d) All documentation and information relevant to the Covered Entity’s cybersecurity program shall be made available to the superintendent upon request. | Customer defined |
500.03 Cybersecurity Policy | |
Cybersecurity Policy. Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. | Policy Review; Policy Development |
500.04 CISO | |
(a) Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”). The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider. | On Demand CISO |
(b) Report. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity’s cybersecurity program. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks. | On Demand CISO |
500.05 Penetration Testing and Vulnerability Assessments | |
(a) annual Penetration Testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment | Infrastructure Penetration Testing; Application Penetration Testing |
(b) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment. | Vulnerability Scanning Services |
500.06 Audit Trail | |
(a) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment. | NuHarbor Security Managed Services |
(b) Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years. | NuHarbor Security Managed Services |
500.07 Access Privileges | |
As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges. | NuHarbor Security Identity and Access Management Partner |
500.08 Application Security | |
(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment. | Policy Development Services; Web Application Penetration Testing |
(b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity. | On Demand CISO |
500.09 Risk Assessment | |
(a) Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations. | Risk Assessment Services |
(b) The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented. | Risk Assessment Services |
500.10 Cybersecurity Personnel and Intelligence | |
(a) Cybersecurity Personnel and Intelligence. In addition to the requirements set forth in section 500.04(a) of this Part, each Covered Entity shall (Perform additional steps under this requirement) | NuHarbor Security Managed Services |
(b) A Covered Entity may choose to utilize an Affiliate or qualified Third Party Service Provider to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in section 500.11 of this Part. | NuHarbor Security Managed Services |
500.11 Third Party Service Provider Security Policy | |
(a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable. | Security Policy Services |
(b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines. | Security Policy Services |
(c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part. | Vendor Managed Services |
500.12 Multi-Factor Authentication | |
(a) Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. | NuHarbor Multi-factor Authentication Partner |
(b) Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls. | NuHarbor Multi-factor Authentication Partner |
500.13 Limitations on Data Retention | |
As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. | Customer Directed |
500.14 Training and Monitoring | |
(a) implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users. | NuHarbor Security Managed Services |
(b) provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment. | NuHarbor Security Awareness Partner |
500.15 Encryption of Nonpublic Information | |
(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest. | Customer Directed |
(b) To the extent that a Covered Entity is utilizing compensating controls under (a) above, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually. | On Demand CISO |
500.16 Incident Response Plan | |
(a) As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations. | Incident Response Plan Development |