Syracuse, NY

The financial industry is a prime target of cyber attacks. To keep pace with new threats, new regulations must be created. As of March 1, New York is the first state to implement regulations specific to cybersecurity. With 23 NYCRR 500, New York State Department of Financial Services has established minimum standards to ensure that the industry maintains suitable levels of protection. In our previous post, our Director of Operations outlined these new requirements. Today, let’s examine a foundational piece of cybersecurity programs: policy and procedure.

An Essential Piece to the Puzzle

All compliance documents are based on frameworks. Frameworks begin with basic policy and procedure. Information security compliance frameworks consist of controls grouped by control families to guide security best practice. By writing your own policies and procedures based on these best practices, you turn a framework into real-life actions and decisions to protect information within your organization. Once complete, a Senior Officer or Board of Directors must approve the set.

Policy and Procedure

23 NYCRR 500 requires organizations to address the following control categories in their policy and procedure documents:

  • Information security
  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third party service provider management
  • Risk assessment
  • Incident response

The mother of all information security compliance frameworks—NIST 800-53—begins each control category with an evaluation of current policies, the “dash 1’s”. These require your organization to address purpose, scope, roles, responsibilities, management commitment, and coordination within your policies. The “dash-1’s” also detail the implementation of policies and procedures. For example, policies should be reviewed and updated every three years, and procedures should be evaluated annually, if not more often.

So, where to begin? Risk assessment is an excellent starting point in your creation of policies and procedures. A risk assessment identifies gaps and tags risks. It can guide your policy and procedure creation while illustrating your the next steps towards compliance.

Trying is half the battle

Auditors look for best effort in this process. Most organizations will not comply with every control category in the book! Developing a Plan of Action and Milestones (POAM) documents remedial action plans while prioritizing and monitoring progress on the gaps identified during the Risk Assessment phase.

In Conclusion…

So, when was your last assessment? Was the output actionable? Developing policy relevant to your organization while meeting requirements can be challenging. Choosing a strong security partner can prepare you for the road ahead. Who better to help you than a team of security professionals who have one eye on the present and one on the future?

For more information, you can reach us here. In our next post, we will talk about the significance of vendor management programs and what this topic looks like through the lens of the new legislation created by New York State Department of Financial Servicesstay tuned!

Luc Martin

Luc Martin

Business Development & Marketing Strategist

Luc lives in Vermont and works for clients in the Northern New England region. He began his tenure as an intern while at the University of Vermont. With experience in client relationships and a degree in marketing , Luc shares NuHarbor’s services both online and person to person. He works with a wide array of public and private organizations to address security initiatives. In the winter, Luc is likely either playing pond hockey or skiing.

Follow us on Social Media for more information: