I was going to review Governor Andrew Cuomo's Department of Financial Services as it pertained to "new" security regulations for chartered banks in New York State. The Superintendent of the Department of Financial Services initiated a press release and letter to chartered New York financial institutions. After reviewing the memo I concluded that if all companies implemented the items in the Superintendent's letter, the public and private industries would be in a much better place.
Then late yesterday the FFIEC (Federal Financial Institutions Examination Council) OCC (Office of the Comptroller of the Currency) spokesman Joel Anderson spoke up. Mr. Anderson, responding in an interview in American Banking Magazine, stated, "we already do this" and that what's going on in New York is nothing new.
This is what New York DFS said they would look for:
New Rules: NYS
- Corporate governance, including organization and reporting structure for cyber security related issues;
- Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;
- Resources devoted to information security and overall risk management;
- The risks posed by shared infrastructure;
- Protections against intrusion including multi-factor or adaptive authentication and server and database configurations;
- Information security testing and monitoring, including penetration testing;
- Incident detection and response process, including monitoring;
- Training of information security professionals as well as all other personnel;
- Management of third-party service providers;
- Integration of information security into business continuity and disaster recovery policies;
- Cyber security insurance coverage and other third-party protections.
New York State then went on to list more items on which chartered banks in NYS would be expected to furnish information. We list them here for your review:
1. Provide the CV and job description of the current Chief Information Security Officer or the individual otherwise responsible for information security, describe that individual's information security training and experience, and identify all reporting lines for that individual, including all committees and managers. In addition, provide an organization chart for your institution's IT and information security functions.
2. Describe the extent to which your institution maintains information security policies and procedures designed to address the information security goals of confidentiality, integrity, and availability. Provide copies of all such information security policies.
3. Describe how data classification is integrated into information risk management policies and procedures.
4. Describe your institution's vulnerability management program as applicable to servers, endpoints, mobile devices, network devices, systems, and applications.
5. Describe the organization's patch management program including how updates, patches, and fixes are obtained and disseminated, whether processes are manual or automated, and how often they occur.
6. Describe identity and access management systems employed by the organization for both internal and external users, including all administrative, logical, and physical controls and whether such controls are preventive, detective, or corrective in nature.
7. Identify and describe the current use of multi-factor authentication for any systems or applications.
8. Describe your institution's due diligence process regarding information security practices that is used in vetting, selecting, and monitoring third-party service providers.
9. Describe all application development standards utilized by the organization, including the use of a secure software development life cycle, and the extent to which security and privacy requirements are assessed and incorporated into the initial phases of the application development process.
10. Provide a copy of, to the extent it exists in writing, or otherwise describe, the organization's incident response program, including how incidents are reported, escalated, and remediated.
11. Describe the extent to which information security is incorporated into the organization's BCP/DR plan, how and how often the BCP/DR is tested, and the results of the most recent test.
12. Describe any significant changes to the institution's IT portfolio over the last 24 months resulting from mergers, acquisitions, or the addition of new business lines.
It is a positive step forward for the New York State Department of Financial Services to require its chartered financial institutions to meet minimum guidelines for the security of their information technology processes. These security baselines are critically important not just to financial services institutions but to all public and private entities. Since NYS has published these official rules, they should now become the benchmark, or de facto standard, against which all other organizations are measured. These rules are appropriate and an outstanding starting point for anyone who is not sure where to start.
The federal government provides a seemingly endless amount of guidance for the protection of information technology assets. The federal agencies use the NIST framework and numerous NIST publications to assist everyone involved in the security of IT assets. The federal regulators have been the go-to professionals in the banking space for establishing standards, so it's not unusual to hear from Mr. Anderson of the OCC or any of the regulators who are part of the FFIEC.
What is the news with this New York letter? The federal regulators often calibrate their examinations according to asset size. Thus larger institutions receive more intense evaluation than smaller organizations. New York, however, has a very specific set of rules with which every institution, regardless of size, must be prepared to comply. This is not a little matter and could have significant cost ramifications.
Lastly, I have for years heard from administrators, managers and CISOs who have tried to get budget authority to make the purchases necessary to secure their environments. I am suggesting that security personnel use the NYS standards to present to CFOs as justification for future purchases.