New York State Dept of Financial Services Title 23 NYCRR Part 500 Compliance Automation Suite
The NY DFS Compliance Automation Suite provides pre-bundled Investigations, Correlation Rules, Alarms, and Reports that are designed to support core cybersecurity requirements for financial services companies as defined by New York State Department of Financial Services Title 23 NYCRR Part 500. This pre-bundled content is automatically associated with the correct NY DFS control objectives that are supported by LogRhythm Enterprise. Various lists are also available, some of which are preconfigured and others that can be catered to your environment, processes, and system classifications.
Of the 16 substantive and auditable controls, LogRhythm SIEM supports 10 of those controls as a mitigating control, compensating control, and through general SIEM functionality. LogRhythm’s core set of content offered through the Consolidated Compliance Framework (CCF) is mapped to NY DFS controls, offering a streamlined approach to compliance through SIEM technology. LogRhythm SIEM technology and content align with the NY DFS core objectives of identifying and assessing, protecting, detecting, responding, recovering, and fulfilling. Keep in mind that the degree of support varies based on an organization’s control design and interpretation.
The breakdown of LogRhythm support is as follows:
Section | Section Description | LR Augment Ability |
|---|---|---|
500.00 | Introduction | N/A (Policy Statement) |
500.01 | Definitions | N/A (Policy Statement) |
500.02 | Cybersecurity Program | Augment |
500.03 | Cybersecurity Policy | N/A (Policy Statement) |
500.04 | Chief Information Security Officer | N/A (Policy Statement) |
500.05 | Penetration Testing and Vulnerability Assessments | Augmented |
500.06 | Audit Trail | Augmented |
500.07 | Access Privileges | Augmented |
500.08 | Application Security | Not Augmented |
500.09 | Risk Assessment | Augmented |
500.10 | Cybersecurity Personnel and Intelligence | Not Augmented |
500.11 | Third-Party Service Provider Security Policy | Augmented |
500.12 | Multi-Factor Authentication | Not Augmented |
500.13 | Limitations on Data Retention | Augmented |
500.14 | Training and Monitoring | Part A – Augmented Part B – Not Augmented |
500.15 | Encryption of Nonpublic Information | Augmented |
500.16 | Incident Response Plan | Augmented |
500.17 | Notices to Superintendent | Augmented |
500.18 | Confidentiality | N/A (Policy Statement) |
500.19 | Exemptions | N/A (Policy Statement) |
500.20 | Enforcement | N/A (Policy Statement) |
500.21 | Effective Date | N/A (Policy Statement) |
500.22 | Transitional Periods | N/A (Policy Statement) |
500.23 | Severability | N/A (Policy Statement) |
With each audience involved in NY DFS audits having varying objectives and attestation requirements, content packages from the SIEM can be customized and delivered by configuring Report Packages for scheduled generation and on-demand. To identify areas of non-compliance in real-time, you can leverage Investigations and Alarms for immediate analysis of activities that impact your organization's critical systems.
Web Console Incident Response is a core aspect of this suite as correlation rules and investigations are specifically designed to work with LogRhythm’s Case Management and Web Console. You can easily add forensic evidence to Cases as you build your understanding of the incident at hand and centralize your evidence for authorities to review. Further, Web Console dashboards can be created according to the needs of those parties involved with the NY DFS compliance program.
LogRhythm’s goal is to recognize the changing needs of an organization’s pursuit of compliance as this follows a maturity module. The LogRhythm Compliance Maturity Model not only demonstrates an adaptable, dynamic road map to compliance but also bridges the gap as the organization transitions into a better security posture and begins maturing its internal security organization.
NY DFS Specific Terminology:
Affiliate: Any Person that controls, is controlled by or is under common control with another Person. For purposes of this subsection, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of stock of such Person or otherwise.
Authorized User: Any employee, contractor, agent or other Person that participates in the business operations of a Covered Entity and is authorized to access and use any Information Systems and data of the Covered Entity.
Covered Entity: Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
Cybersecurity Event: Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.
Information System: A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
Multi-Factor Authentication: Authentication through verification of at least two of the following types of authentication factors:
- Knowledge factors, such as a password; or
- Possession factors, such as a token or text message on a mobile phone; or
- Inherence factors, such as a biometric characteristic.
Nonpublic Information: All electronic information that is not Publicly Available Information and is:
- Business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity;
- Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records;
- Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.
Penetration Testing: A test methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside the Covered Entity’s Information Systems.
Person: Any individual or any non-governmental entity, including but not limited to any nongovernmental partnership, corporation, branch, agency or association.
Publicly Available Information: Any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the public from: federal, state or local government records; widely distributed media; or disclosures to the public that are required to be made by federal, state or local law.
Covered Entity: A reasonable basis to believe that information is lawfully made available to the public if the Covered Entity has taken steps to determine:
- That the information is of the type that is available to the public; and
- Whether an individual can direct that the information not be made available to the public and, if so, that such individual has not done so.
Risk Assessment: The risk assessment that each Covered Entity is required to conduct under section 500.09 of this Part.
Risk-Based Authentication: Any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected, such as using challenge questions.
Senior Officer(s): The senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity, including a branch or agency of a foreign banking organization subject to this Part.
Third Party Service Provider(s): A Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.
Reference: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
This document has the following given sections: