The financial industry is a prime target of cyber attacks. To keep pace with new threats, new regulations must be created. As of March 1, New York is the first state to implement regulations specific to cybersecurity. With 23 NYCRR 500, New York State Department of Financial Services has established minimum standards to ensure that the industry maintains suitable levels of protection. In our previous post, our Director of Operations outlined these new requirements. Today, let’s examine a foundational piece of cybersecurity programs: policy and procedure.
An Essential Piece to the Puzzle
All compliance documents are based on frameworks. Frameworks begin with basic policy and procedure. Information security compliance frameworks consist of controls grouped by control families to guide security best practice. By writing your own policies and procedures based on these best practices, you turn a framework into real-life actions and decisions to protect information within your organization. Once complete, a Senior Officer or Board of Directors must approve the set.
23 NYCRR 500 requires organizations to address the following control categories in their policy and procedure documents:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third party service provider management
- Risk assessment
- Incident response
The mother of all information security compliance frameworks—NIST 800-53—begins each control category with an evaluation of current policies, the “dash 1’s”. These require your organization to address purpose, scope, roles, responsibilities, management commitment, and coordination within your policies. The “dash-1’s” also detail the implementation of policies and procedures. For example, policies should be reviewed and updated every three years, and procedures should be evaluated annually, if not more often.
So, where to begin? Risk assessment is an excellent starting point in your creation of policies and procedures. A risk assessment identifies gaps and tags risks. It can guide your policy and procedure creation while illustrating your the next steps towards compliance.
Trying is half the battle
Auditors look for best effort in this process. Most organizations will not comply with every control category in the book! Developing a Plan of Action and Milestones (POAM) documents remedial action plans while prioritizing and monitoring progress on the gaps identified during the Risk Assessment phase.
In Conclusion…
So, when was your last assessment? Was the output actionable? Developing policy relevant to your organization while meeting requirements can be challenging. Choosing a strong security partner can prepare you for the road ahead. Who better to help you than a team of security professionals who have one eye on the present and one on the future?
For more information, you can reach us here. In our next post, we will talk about the significance of vendor management programs and what this topic looks like through the lens of the new legislation created by New York State Department of Financial Services -- stay tuned!
