The NYC500 takes effect March 1st, 2017.
It involves an evaluation, program & policy implementation, new roles, and constant evaluation.
Each Covered Entity must implement and maintain a written policy approved by a Senior Officer or Board of Directors.
This policy must address the organization’s policies and procedures for the protection of Information Systems and the Nonpublic Information stored on these Information Systems.
Cybersecurity policies will be based on the organization’s Risk Assessment and address 14 key areas:
1. Information Security
Information security is the process by which information and information systems are protected from unauthorized access, disclosure, use, disruption, modification or destruction.
How will your organization ensure the confidentiality, integrity and availability of its Information Systems and the Nonpublic Information stored on these systems?
2. Data Governance and Classification
Data Governance is a set of processes that ensure the proper management of data throughout a Covered Entity while data classification refers to the process of organizing data assets.
How will your business categorize and manage Nonpublic Information?
3. Asset Inventory and Device Management
Asset inventory and device management involves identifying, cataloging and maintaining software, hardware and contracts throughout their entire lifecycle.
What steps will your organization need to take to ensure thorough and accurate asset inventory and device management?
4. Access Controls and Identity Management
Access Control is a way of regulating who or what can use or view Nonpublic Information. The two main types of Access Control are Physical and Logical. Physical Access Control refers to limiting access to physical locations (buildings, servers etc.) while Logical Access Control refers to limiting connection to Information Systems and Nonpublic information.
Identity Management involves identifying individuals within a system and authorizing or restricting access to those individuals based on their established identity.
How will your organization manage identity and access controls across physical and logical systems?
5. Business Continuity and Disaster Recovery Planning and Resources
Business Continuity planning refers to the policies and procedures an organization must put in place prior to a breach to ensure that critical business functions can continue in the wake of a Cybersecurity Event.
Disaster Recovery planning is a comprehensive set of policies and procedures specifying the actions that need to be taken throughout each step of the Cybersecurity Event lifecycle: before, during and after a disaster.
What steps will your organization take to ensure that your business continuity and disaster recovery plans include policies and procedures that outline specific actions and responsibilities before, during and after a Cybersecurity Event?
How will your company allocate its resources to respond in the wake of a Cybersecurity Event?
6. Systems Operations and Availability Concerns
Systems Operations generally involve three categories: day-to-day procedures and system maintenance, review of error logs and response to day-to-day issues, and finally ‘end of period’ procedures, including backup of key data across the systems.
Availability concerns center around the disruption of System Operations and the corresponding downtime of Information Systems.
Reliability, Availability and Serviceability, or RAS, is a term first coined by IBM when defining specifications for their hardware. Now RAS is a useful set of attributes that apply to hardware, software and Information Systems as a whole.
How will your organization maintain the RAS of its systems operations and address availability concerns?
7. Systems and Network Security
System and Network Security refers to any activity, policy, or procedure designed to protect the integrity and confidentiality of your data. Effective Network Security manages network access and protects Information Systems from unauthorized access, misuse or malfunction.
What steps will your organization take to ensure enterprise-wide systems and network security?
8. Systems and Network Monitoring
An integral component of Network Management, Systems and Network Monitoring involves scanning the network for potential connection problems, overloaded servers and network traffic issues. Network Monitoring can also include intrusion detection which involves monitoring systems for outside attacks.
What policies and procedures does your organization need to have in place in order to effectively monitor Information Systems and Networks?
Who will oversee this continuous monitoring?
9. Systems and Application Development and Quality Assurance
Systems and Application Development and Quality Assurance refers to the policies and procedures used to shore up vulnerabilities in an organization’s software, hardware and processes that attackers could exploit to infiltrate Information Systems.
What policies and procedures does your business have in place to ensure the quality and security of software, applications, hardware and processes across all Information Systems?
10. Physical Security and Environmental Controls
Physical and environmental controls refer to physical access to Information Systems or to environments where Nonpublic Information resides or may be accessed. Verifying an individual’s authorization before granting access, maintaining physical access audit logs, securing keys, and changing combinations or keys when an individual is terminated are examples of important Physical Security and Environmental Controls.
What steps will your organization need to take in order to demonstrate adequate Physical Security and Environmental Controls?
11. Customer Data Privacy
Customer Data Privacy refers to the handling and protection of Nonpublic customer data. An organization must protect the confidentiality, integrity, and availability of its Information Systems and Nonpublic Information stored on these Information Systems. Securing data inventory across all systems and devices is crucial to protecting customer data privacy.
What policies and procedures will your organization put in place to protect Customer Data Privacy?
12. Vendor and Third Party Service Provider Management
Vendor and Third Party Service Provider (3PSP) Management must ensure that vendors with access to Information Systems and Nonpublic Information are implementing Cybersecurity policies mirroring those of the Covered Entity.
How will your organization ensure that 3PSPs and vendors are implementing adequate data privacy policies and procedures?
What steps will you take to continuously monitor their access to your Information Systems?
13. Risk Assessment
Organizations must carry out periodic Risk Assessments with the goal of monitoring and evaluating the design of the Cybersecurity Program. The Risk Assessment shall allow for revision of controls to respond to technological developments and evolving threats.
Risk Assessments must also consider the organization’s particular cybersecurity risks, the Nonpublic Information stored, the Information Systems utilized, and the availability and effectiveness of the controls in place to protect Nonpublic Information and Information Systems.
How will your organization establish criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the organization?
What criteria will your organization use to establish the adequacy of controls and integrity, security and availability of Information Systems and Nonpublic Information?
14. Incident Response
Each organization must establish written policies and procedures to respond to and recover from any Cybersecurity Event that materially affects the confidentiality, integrity, or availability of Information Systems or the functionality of business operations.
An Incident Response Plan must address internal processes for responding to a Cybersecurity Event, the definition of clear roles, responsibilities, and levels of decision-making authority, incident response goals, communication and information sharing responsibilities, identification of remediation requirements, documentation and reporting of events, and evaluation and revision as necessary.
What is your organization’s current incident response plan?
How will your organization ensure the effectiveness of your incident response plan?
A Senior Officer or Board of Directors must put all of these policies in place to be compliant under the NYC500.
They must address the organization’s policies and procedures for the protection of Information Systems and the Nonpublic Information stored on these Information Systems.