TRANSCRIPT
NY State's cybersecurity legislation:
requirements for risk management, security of
applications and the appointed CISO
March 23, 2017
Alan Calder
IT Governance Ltd
www.itgovernanceusa.com
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING
Introduction
• Alan Calder
• Founder of IT Governance Ltd
• Author of IT Governance: An International Guide to Data Security and ISO 27001/27002
• Led the world's first successful implementation of ISO 27001 (then BS 7799)
www.itgovernanceusa.com
Copyright IT Governance Ltd 2017 – v1.0
Leading global provider
• The single source for everything to do with cybersecurity, cyber risk management and IT governance
• Our team of dedicated and knowledgeable trainers and consultants have helped over 400 organizations worldwide achieve ISO 27001 certification
• Our mission is to engage with business executives, senior managers and IT professionals and to help them:
  – Protect: secure their intellectual capital
  – Comply: with relevant regulations
  – Thrive: as they achieve strategic goals through better IT management
Agenda
• The responsibility to appoint a CISO
• Application security program (internal and external) and review by the CISO
• Overview of the risk assessment policy and procedures
• Setting up a program specific to your organization's information systems and business operations
• Identifying cyber threats and how to incorporate controls
• Maintaining an audit trail to include detection of and responses to cybersecurity events
• How ISO 27001 and vsRisk can provide the right tools to help you implement a successful program that meets compliance requirements
Compliance deadlines (180 days to 2 years)
• This presentation covers the following compliance deadlines:

180 days:
  Section 500.02 Cybersecurity Program
  Section 500.03 Cybersecurity Policy
  Section 500.07 Access Privileges
  Section 500.10 Cybersecurity Personnel and Intelligence
  Section 500.16 Incident Response Plan

1 year:
  Section 500.04(b) Chief Information Security Officer (CISO)
  Section 500.05 Penetration Testing and Vulnerability Assessments
  Section 500.09 Risk Assessment
  Section 500.12 Multi-Factor Authentication
  Section 500.14(b) Training and Monitoring

18 months:
  Section 500.06 Audit Trail
  Section 500.08 Application Security
  Section 500.13 Limitations on Data Retention
  Section 500.14(a) Training and Monitoring
  Section 500.15 Encryption of Nonpublic Information

2 years:
  Section 500.11 Third Party Service Provider Security Policy
Appointing a chief information security officer (CISO) (Section 500.04(a), 180-day requirement)
• What to look for in a candidate:
  – A trustworthy advisor
  – Understands the business processes and the organization as a whole
• Covered entities may choose to:
  – Designate an internal staff member as CISO
    º Benefit: an internal appointee already understands how the business operates, and so is better placed to assess and guide what is needed to protect the organization
  – Outsource the role to an affiliate or third party
    º With this option comes the additional measure of designating a senior-level staff member to oversee the third party
    º The third party may not have a clear picture of the business operations
Role of the CISO (Section 500.04(b), one-year requirement)
• Report in writing at least annually to the board of directors (or equivalent governing body) on the cybersecurity program and material cybersecurity risks
• The report must consider, to the extent applicable:
  – The cybersecurity policies and procedures
  – All material cybersecurity risks
  – The confidentiality of nonpublic information and the integrity and security of the information systems
  – The overall effectiveness of the cybersecurity program
  – Material cybersecurity events involving the Covered Entity during the period covered by the report
Application security (Section 500.08, 18-month requirement)
• The cybersecurity program shall include:
  – written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity
  – procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of its technology environment
• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee)
Overview of the risk assessment policy and procedures (Section 500.09, one-year requirement)
• Risk assessments of information systems must be conducted periodically to inform the design of the cybersecurity program
• The risk assessment must:
  – be updated as reasonably necessary to address changes to information systems, nonpublic information or business operations
  – allow for revision of controls to respond to technological developments and evolving threats
  – consider the particular risks of the Covered Entity's business operations related to cybersecurity, the nonpublic information collected or stored, the information systems utilized, and the effectiveness of controls to protect nonpublic information and information systems
  – be carried out in accordance with written policies and procedures, and be documented
• Those policies and procedures must include:
  – criteria for the evaluation and categorization of identified cybersecurity risks or threats
  – criteria for the assessment of the confidentiality, integrity, security and availability of information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks
  – requirements describing how identified risks will be mitigated or accepted based on the risk assessment, and how the cybersecurity program will address the risks
Setting up a program specific to your organization's information systems and business operations
• An effective program must place cybersecurity in the context of the business and should be guided by two related considerations:
  – How does cybersecurity enable the business?
  – How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience
• The company's technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
  – Supply chain / third-party suppliers
  – Product/service development
  – Customer experience
  – External influencers
Elements of a strong cybersecurity strategy
• Set a vision: describe how cybersecurity protects and enables value in your company
• Sharpen your priorities: your resources are finite, so focus on critical business assets
• Build the right team: ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management and strategic communications
• Enhance your controls: to reflect the widening scope of your cybersecurity strategy, you'll need to adopt new methods for treating risk
• Monitor the threat: cybersecurity requires an adaptive outlook; maintain awareness of the threat landscape
• Plan for contingencies: no one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens; incident response is not just a technology issue
• Transform the culture: people are the core of the business, so cybersecurity is everyone's responsibility; encourage their buy-in by making cybersecurity relevant to each business area
New York breaches rose 60% in 2016
New York State Attorney General Eric T. Schneiderman released a summary of the year 2016 revealing:
• 1,300 data breaches reported
• 60% increase from 2015
• 1.6 million New Yorkers' personal records exposed
2016 NY breaches caused by (chart; not reproduced in the transcript)
Identifying cyber threats: the threat landscape
• Threat actors: non-target specific, employees, terrorists, hacktivists, organized crime, natural disasters, nation states, competitors
• Attack vectors: people, processes, technology
• Threat types: malware, web attacks, denial of service, social engineering, exploit kits, ransomware, etc.
• Threat targets: IP, card data, PII, money, reputation, commercial information
Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
  – Provides alerts on current attacks and threats
  – Partners with the Department of Homeland Security
  – Free membership
  – https://msisac.cisecurity.org
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – The global financial industry's resource for cyber and threat intelligence analysis and sharing
  – Requires a membership fee
  – https://www.fsisac.com
Incorporating controls
• The cybersecurity program must support compliance with applicable rules and regulations, as well as with organizational policies and procedures, by:
  – identifying risks
  – preventing risks through the design and implementation of controls
  – monitoring and reporting on the effectiveness of those controls
  – resolving compliance difficulties as they occur
  – advising and training
• Control types: physical, personnel, procedural, product/technical
ISO 27001 Annex A: 14 control categories, 114 controls
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06, 18-month requirement)
• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
  – are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity
  – include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity
• Retention periods:
  – Records needed to reconstruct material financial transactions: maintain for not fewer than five years
  – Audit trails of cybersecurity events: maintain for not fewer than three years
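Added example, not code from the IT Governance slides, from vsRisk or from the regulation: one concrete reading of "securely maintain" an audit trail. Each record below is hash-chained to the one before it, so a later edit, insertion or deletion of any record is detectable when the trail is verified, and each record's retention deadline is computed from the three-year / five-year periods above. The record types, field names, JSON layout and the choice of SHA-256 chaining are assumptions made for illustration; the regulation prescribes none of them, and the sample events are constructed.

```python
"""Tamper-evident audit trail with 500.06-style retention checks.

Added example for this transcript; not code from IT Governance, vsRisk or the
NYDFS regulation. Assumptions (not stated on the page): records are dicts;
each record carries the SHA-256 of the previous record; retention is 3 calendar
years for the audit trail of cybersecurity events and 5 for records needed to
reconstruct material financial transactions, counted from the record timestamp.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash of the very first record (assumed convention)
RETENTION_YEARS = {"cyber_event": 3, "financial_txn": 5}


def _digest(body):
    # Canonical serialization (sorted keys, no whitespace) so the hash is stable.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def append_record(chain, record_type, ts, payload):
    """Append one record; its hash covers the payload AND the previous record's hash."""
    if record_type not in RETENTION_YEARS:
        raise ValueError(f"unknown record type {record_type!r}")
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"type": record_type, "ts": ts.isoformat(), "payload": payload, "prev": prev}
    entry = dict(body, hash=_digest(body))
    chain.append(entry)
    return entry


def verify_chain(chain, anchor=GENESIS):
    """Return (True, None) if every link holds, else (False, index of first bad record).

    `anchor` is the hash of the last record *before* this chain: GENESIS for a
    complete trail, or the hash of the last purged record when an expired prefix
    has been removed, so the surviving trail still verifies.
    """
    prev = anchor
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in ("type", "ts", "payload", "prev")}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def _add_years(ts, years):
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:  # 29 Feb with no 29 Feb in the target year: round up, never down
        return ts.replace(year=ts.year + years, month=3, day=1)


def retention_deadline(entry):
    """Earliest instant at which the record has been kept for its full period."""
    return _add_years(datetime.fromisoformat(entry["ts"]), RETENTION_YEARS[entry["type"]])


def can_purge(entry, now):
    """True only once the 'not fewer than N years' period has fully elapsed."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now >= retention_deadline(entry)


def build_sample_trail():
    """Constructed sample events (not real data), in timestamp order."""
    trail = []
    t0 = datetime(2017, 3, 1, tzinfo=timezone.utc)
    append_record(trail, "cyber_event", t0, {"src": "10.0.0.5", "event": "failed_login", "count": 50})
    append_record(trail, "financial_txn", t0.replace(day=2), {"acct": "A-1", "amount": "100.00"})
    append_record(trail, "cyber_event", t0.replace(day=3), {"src": "10.0.0.5", "event": "lockout"})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_chain(trail))            # (True, None)
    print("oldest record may be purged on:", retention_deadline(trail[0]).date())
    trail[1]["payload"]["amount"] = "1000.00"         # silent edit of a financial record
    print("after edit:", verify_chain(trail))        # (False, 1)
```

A purge job should remove only records at the head of the trail for which can_purge is true, and must keep the hash of the last removed record as the anchor passed to verify_chain; otherwise the surviving trail can no longer be verified. The chain makes tampering detectable, not impossible: whoever can rewrite the whole trail can recompute every hash, so the latest hash should also be copied periodically to a system that the trail's writers cannot modify.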
Best-practice cyber risk management: ISO 27001 and vsRisk
• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
• ISO 27001
  – Internationally recognized standard
  – Best-practice solution
  – Substantial ecosystem of implementers
  – Coordinates multiple legal and contractual compliance requirements
  – Built around business-focused risk assessment
  – Balances confidentiality, integrity and availability
  – Certification can be achieved in a timely and cost-effective manner
• vsRisk™ software
  – Gives you a clear picture of your risks and threats
  – Provides a framework to start your cybersecurity program
  – Saves time, effort and expense
ISO 27000 family of standards (diagram)
• ISO 27000:2016: introduction, application, terms and definitions
• ISO 27001:2013: clauses 0 to 3 (introduction, application, terms and definitions); clauses 4 to 10 (ISMS requirements); Annex A, A.5 to A.18 (security control objectives and controls); Annex B / bibliography
• ISO 27002:2013: clauses 1 to 4 (introduction, scope and normative references, terms and definitions, structure and risk assessment); clauses 5 to 18 (security controls), each giving the control, implementation guidance and other information
Risk assessment software: vsRisk™ (v2.x) (screenshots; control sets shown include NIST and PCI DSS)
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
  º Part 1 – The Regulation and the ISO 27001 standard
  º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
  º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
  º https://www.itgovernanceusa.com/risk_assessments
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
  – https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
  – https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
  – ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Join in the conversation
• Subscribe to our IT Governance LinkedIn group, NYDFS Cybersecurity Requirements: https://www.linkedin.com/groups/8598504
Questions and answers
Introduction
bull Alan Calder
bull Founder of IT Governance Ltd
bull Author of IT Governance An International Guide to Data Security and ISO 2700127002
bull Led the worldrsquos first successful implementationof ISO 27001 (then BS 7799)
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Leading global provider
bull The single source for everything to do with cybersecurity cyber risk
management and IT governance
bull Our team of dedicated and knowledgeable trainers and consultants
have helped over 400 organizations worldwide achieve ISO 27001
certification
bull Our mission is to engage with business executives senior
managers and IT professionals and to help them
Protect Comply Thrive
and secure their intellectual capital
with relevant regulations
as they achieve strategic goals through better IT management
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Agenda
bull The responsibility to appoint a CISO
bull Application security program (internal and external) and review
by the CISO
bull Overview of the risk assessment policy and procedures
bull Setting up a program specific to your organizationrsquos information
systems and business operations
bull Identifying cyber threats and how to incorporate controls
bull Maintaining an audit trail to include detection and responses to
cybersecurity events
bull How ISO 27001 and vsRisk can provide the right tools to help
you implement a successful program that meets compliance
requirements
4
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
1 year compliance deadlines
180 days 1 year 18 months 2 years
Section 50002 Cybersecurity Program
Section 50004 (b) Chief Information Security Officer (CISO)
Section 50006 Audit Trail
Section 50011 Third Party Service Provider Security Policy
Section 50003 Cybersecurity Policy
Section 50005 Penetration Testing and Vulnerability Assessments
Section 50008 Application Security
Section 50007 Access Privileges
Section 50009 Risk Assessment
Section 50013 Limitations on Data Retention
Section 50010 Cybersecurity Personnel and Intelligence
Section 50012 Multi-Factor Authentication
Section 50014 (a)Training and Monitoring
Section 50016 Incident Response Plan
Section 50014 (b)Training and Monitoring
Section 50015 Encryption of Nonpublic Information
bull This presentation covers the following compliance deadlines
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Appointing a chief information security
officer (CISO) (Section 50004 (a) 180-day requirement)
bull What to look for in a candidate
ndash A trustworthy advisor
ndash Understands the business processes and the organization as a whole
bull Covered entities may choose to
ndash Designate an internal staff member as CISOordm Benefits will have an advantage in understanding of how the business operates to better assess and
guide what is needed to protect the organization
ndash Outsource the role to an affiliate or third partyordm With this option comes the additional measure of appointing a senior-level staff member to oversee
the third party
ordm May not have a clear picture of the business operations
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Role of the CISO (Section 50004 (b) one-year requirement)
bull Provide an annual report to the board of directors on the
cybersecurity program and associated risks
bull The following must be taken into consideration by the CISO
ndash Cybersecurity policies and procedures
ndash All material cybersecurity risks
ndash Nonpublic information confidentiality the reliability and security of
information systems
ndash Effectiveness of the cybersecurity program
ndash Document of cybersecurity events that occurred during the year covered
in the report
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Application security (Section 50009)
bull Within the cybersecurity program in-house-developed applications
shall include
ndash written procedures guidelines and standards designed to ensure the use of
secure development practices
ndash procedures for evaluating assessing or testing the security of externally
developed applications utilized by the Covered Entity within the context of the
technology environment
bull All such procedures guidelines and standards shall be periodically
reviewed assessed and updated as necessary by the CISO (or a
qualified designee)
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Overview of the risk assessment policy and procedures (Section 50009)
bull Risk assessments of information systems should be done periodically to
inform the design of the cybersecurity program
bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or
business operations
ndash allow for revision of controls to respond to threat or any technological developments
ndash consider risks of operations that relate to cybersecurity information systems collected or
stored nonpublic information and the effectiveness of controls to protect nonpublic
information and information systems
ndash be documented and implemented in accordance with written policies and procedures
bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks
ndash conditions set for the assessment of the security confidentiality and integrity and availability
information systems and nonpublic information including the suitability of current controls
relating to identified risks
ndash a plan to determine how identified risks based on the risk assessment will be mitigated or
accepted and how the cybersecurity program will address the risks
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Setting up a program specific to your
organizationrsquos information systems and
business operations
bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business
ndash How does cyber risk affect the business
bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience
bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers
ndash Productservice development
ndash Customer experience
ndash External influencers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Elements of a strong cybersecurity
strategy
bull Set a vision Describe how cybersecurity protects and enables value in your company
bull Sharpen your priorities Your resources are finite so focus on critical business assets
bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications
bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk
bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape
bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue
bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Leading global provider
bull The single source for everything to do with cybersecurity cyber risk
management and IT governance
bull Our team of dedicated and knowledgeable trainers and consultants
have helped over 400 organizations worldwide achieve ISO 27001
certification
bull Our mission is to engage with business executives senior
managers and IT professionals and to help them
Protect Comply Thrive
and secure their intellectual capital
with relevant regulations
as they achieve strategic goals through better IT management
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Agenda
bull The responsibility to appoint a CISO
bull Application security program (internal and external) and review
by the CISO
bull Overview of the risk assessment policy and procedures
bull Setting up a program specific to your organizationrsquos information
systems and business operations
bull Identifying cyber threats and how to incorporate controls
bull Maintaining an audit trail to include detection and responses to
cybersecurity events
bull How ISO 27001 and vsRisk can provide the right tools to help
you implement a successful program that meets compliance
requirements
4
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
1 year compliance deadlines
180 days 1 year 18 months 2 years
Section 50002 Cybersecurity Program
Section 50004 (b) Chief Information Security Officer (CISO)
Section 50006 Audit Trail
Section 50011 Third Party Service Provider Security Policy
Section 50003 Cybersecurity Policy
Section 50005 Penetration Testing and Vulnerability Assessments
Section 50008 Application Security
Section 50007 Access Privileges
Section 50009 Risk Assessment
Section 50013 Limitations on Data Retention
Section 50010 Cybersecurity Personnel and Intelligence
Section 50012 Multi-Factor Authentication
Section 50014 (a)Training and Monitoring
Section 50016 Incident Response Plan
Section 50014 (b)Training and Monitoring
Section 50015 Encryption of Nonpublic Information
bull This presentation covers the following compliance deadlines
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Appointing a chief information security
officer (CISO) (Section 50004 (a) 180-day requirement)
bull What to look for in a candidate
ndash A trustworthy advisor
ndash Understands the business processes and the organization as a whole
bull Covered entities may choose to
ndash Designate an internal staff member as CISOordm Benefits will have an advantage in understanding of how the business operates to better assess and
guide what is needed to protect the organization
ndash Outsource the role to an affiliate or third partyordm With this option comes the additional measure of appointing a senior-level staff member to oversee
the third party
ordm May not have a clear picture of the business operations
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Role of the CISO (Section 500.04(b), one-year requirement)
• Report in writing, at least annually, to the board of directors on the cybersecurity program and material cybersecurity risks
• The report must consider, to the extent applicable:
– The confidentiality of nonpublic information and the integrity and security of information systems
– Cybersecurity policies and procedures
– All material cybersecurity risks
– The overall effectiveness of the cybersecurity program
– Material cybersecurity events that occurred during the period covered by the report
Application security (Section 500.08, 18-month requirement)
• The cybersecurity program shall include
– written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications
– procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of its technology environment
• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee)
Overview of the risk assessment policy and procedures (Section 500.09, one-year requirement)
• A periodic risk assessment of the Covered Entity's information systems must be conducted, sufficient to inform the design of the cybersecurity program
• The risk assessment must
– be updated as reasonably necessary to address changes to information systems, nonpublic information or business operations
– allow for revision of controls to respond to technological developments and evolving threats
– consider the particular risks of the Covered Entity's business operations related to cybersecurity, the nonpublic information collected or stored, the information systems utilized, and the effectiveness of controls to protect nonpublic information and information systems
– be carried out in accordance with written policies and procedures, and be documented
• Those policies and procedures must include
– criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity
– criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity's information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks
– requirements describing how identified risks will be mitigated or accepted based on the risk assessment, and how the cybersecurity program will address those risks
Setting up a program specific to your organization's information systems and business operations
• An effective program must place cybersecurity in the context of the business and should be guided by two related considerations
– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience
• The company's technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover
– Supply chain/third-party suppliers
– Product/service development
– Customer experience
– External influencers
Elements of a strong cybersecurity strategy
• Set a vision: describe how cybersecurity protects and enables value in your company
• Sharpen your priorities: your resources are finite, so focus on critical business assets
• Build the right team: ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management and strategic communications
• Enhance your controls: to reflect the widening scope of your cybersecurity strategy, you'll need to adopt new methods for treating risk
• Monitor the threat: cybersecurity requires an adaptive outlook; maintain awareness of the threat landscape
• Plan for contingencies: no one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens; incident response is not just a technology issue
• Transform the culture: people are the core of the business, so cybersecurity is everyone's responsibility; encourage their buy-in by making cybersecurity relevant to each business area
New York breaches rose 60% in 2016
New York State Attorney General Eric T. Schneiderman released a summary of the year 2016 revealing
• approximately 1,300 data breaches reported
• a 60% increase from 2015
• 1.6 million New Yorkers' personal records exposed
2016 NY breaches caused by [chart]
Identifying cyber threats
The threat landscape
• Threat actors: non-target specific, employees, terrorists, hacktivists, organized crime, natural disasters, nation states, competitors
• Attack vectors: people, processes, technology
• Threat types: malware, web attacks, denial of service, social engineering, exploit kits, ransomware, etc.
• Threat targets: IP, card data, PII, money, reputation, commercial information
Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
– Provides alerts on current attacks and threats
– Partners with the Department of Homeland Security
– Free membership (for US state, local, tribal and territorial government entities)
– https://msisac.cisecurity.org
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
– The global financial industry's resource for cyber and threat intelligence analysis and sharing
– Requires a membership fee
– https://www.fsisac.com
Incorporating controls
• The cybersecurity program must support compliance with applicable rules and regulations, as well as organizational policies and procedures, by
– identifying risks
– preventing or mitigating risks through the design and implementation of controls
– monitoring and reporting on the effectiveness of those controls
– resolving compliance difficulties as they occur
– advising and training
• Control types: physical, personnel, procedural, product/technical
Annex A: 14 control categories (114 controls)
5 Information security policies
6 Organization of information security
7 Human resources security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Maintaining an audit trail to include detection of and responses to cybersecurity events (Section 500.06, 18-month requirement)
• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment,
– are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity
– include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity
• Retention periods
– Records of material financial transactions: maintain for not fewer than five years
– Audit trails of cybersecurity events: maintain for not fewer than three years
Best-practice cyber risk management: ISO 27001 and vsRisk
• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity and availability
– Certification can be achieved in a timely and cost-effective manner
• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Provides a framework to start your cybersecurity program
– Saves time, effort and expense
ISO 27000 family of standards [diagram]
• ISO 27000:2016 – introduction, scope (application) and terms and definitions for the ISMS family of standards (clauses 1 to 4)
• ISO 27001:2013 – clauses 0 to 3 (introduction, scope, normative references, terms and definitions); clauses 4 to 10 (ISMS requirements); Annex A, A.5 to A.18 (security control objectives and controls); bibliography
• ISO 27002:2013 – introduction, scope and normative references, terms and definitions, structure and risk assessment; clauses 5 to 18 (security controls, each with the control, implementation guidance and other information); bibliography
Risk assessment software [screenshot]
vsRisk™ (v2.x) [screenshot; control sets shown include NIST and PCI DSS]
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
º https://www.itgovernanceusa.com/risk_assessments
IT Governance Ltd: one-stop shop
All verticals, all sectors, all organizational sizes
Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
– ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Join in the conversation
• Subscribe to our IT Governance LinkedIn group, NYDFS Cybersecurity Requirements: https://www.linkedin.com/groups/8598504
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Agenda
bull The responsibility to appoint a CISO
bull Application security program (internal and external) and review
by the CISO
bull Overview of the risk assessment policy and procedures
bull Setting up a program specific to your organizationrsquos information
systems and business operations
bull Identifying cyber threats and how to incorporate controls
bull Maintaining an audit trail to include detection and responses to
cybersecurity events
bull How ISO 27001 and vsRisk can provide the right tools to help
you implement a successful program that meets compliance
requirements
4
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
1 year compliance deadlines
180 days 1 year 18 months 2 years
Section 50002 Cybersecurity Program
Section 50004 (b) Chief Information Security Officer (CISO)
Section 50006 Audit Trail
Section 50011 Third Party Service Provider Security Policy
Section 50003 Cybersecurity Policy
Section 50005 Penetration Testing and Vulnerability Assessments
Section 50008 Application Security
Section 50007 Access Privileges
Section 50009 Risk Assessment
Section 50013 Limitations on Data Retention
Section 50010 Cybersecurity Personnel and Intelligence
Section 50012 Multi-Factor Authentication
Section 50014 (a)Training and Monitoring
Section 50016 Incident Response Plan
Section 50014 (b)Training and Monitoring
Section 50015 Encryption of Nonpublic Information
bull This presentation covers the following compliance deadlines
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Appointing a chief information security
officer (CISO) (Section 50004 (a) 180-day requirement)
bull What to look for in a candidate
ndash A trustworthy advisor
ndash Understands the business processes and the organization as a whole
bull Covered entities may choose to
ndash Designate an internal staff member as CISOordm Benefits will have an advantage in understanding of how the business operates to better assess and
guide what is needed to protect the organization
ndash Outsource the role to an affiliate or third partyordm With this option comes the additional measure of appointing a senior-level staff member to oversee
the third party
ordm May not have a clear picture of the business operations
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Role of the CISO (Section 50004 (b) one-year requirement)
bull Provide an annual report to the board of directors on the
cybersecurity program and associated risks
bull The following must be taken into consideration by the CISO
ndash Cybersecurity policies and procedures
ndash All material cybersecurity risks
ndash Nonpublic information confidentiality the reliability and security of
information systems
ndash Effectiveness of the cybersecurity program
ndash Document of cybersecurity events that occurred during the year covered
in the report
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Application security (Section 50009)
bull Within the cybersecurity program in-house-developed applications
shall include
ndash written procedures guidelines and standards designed to ensure the use of
secure development practices
ndash procedures for evaluating assessing or testing the security of externally
developed applications utilized by the Covered Entity within the context of the
technology environment
bull All such procedures guidelines and standards shall be periodically
reviewed assessed and updated as necessary by the CISO (or a
qualified designee)
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Overview of the risk assessment policy and procedures (Section 50009)
bull Risk assessments of information systems should be done periodically to
inform the design of the cybersecurity program
bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or
business operations
ndash allow for revision of controls to respond to threat or any technological developments
ndash consider risks of operations that relate to cybersecurity information systems collected or
stored nonpublic information and the effectiveness of controls to protect nonpublic
information and information systems
ndash be documented and implemented in accordance with written policies and procedures
bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks
ndash conditions set for the assessment of the security confidentiality and integrity and availability
information systems and nonpublic information including the suitability of current controls
relating to identified risks
ndash a plan to determine how identified risks based on the risk assessment will be mitigated or
accepted and how the cybersecurity program will address the risks
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Setting up a program specific to your
organizationrsquos information systems and
business operations
bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business
ndash How does cyber risk affect the business
bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience
bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers
ndash Productservice development
ndash Customer experience
ndash External influencers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Elements of a strong cybersecurity
strategy
bull Set a vision Describe how cybersecurity protects and enables value in your company
bull Sharpen your priorities Your resources are finite so focus on critical business assets
bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications
bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk
bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape
bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue
bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
1 year compliance deadlines
180 days 1 year 18 months 2 years
Section 50002 Cybersecurity Program
Section 50004 (b) Chief Information Security Officer (CISO)
Section 50006 Audit Trail
Section 50011 Third Party Service Provider Security Policy
Section 50003 Cybersecurity Policy
Section 50005 Penetration Testing and Vulnerability Assessments
Section 50008 Application Security
Section 50007 Access Privileges
Section 50009 Risk Assessment
Section 50013 Limitations on Data Retention
Section 50010 Cybersecurity Personnel and Intelligence
Section 50012 Multi-Factor Authentication
Section 50014 (a)Training and Monitoring
Section 50016 Incident Response Plan
Section 50014 (b)Training and Monitoring
Section 50015 Encryption of Nonpublic Information
bull This presentation covers the following compliance deadlines
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Appointing a chief information security
officer (CISO) (Section 50004 (a) 180-day requirement)
bull What to look for in a candidate
ndash A trustworthy advisor
ndash Understands the business processes and the organization as a whole
bull Covered entities may choose to
ndash Designate an internal staff member as CISOordm Benefits will have an advantage in understanding of how the business operates to better assess and
guide what is needed to protect the organization
ndash Outsource the role to an affiliate or third partyordm With this option comes the additional measure of appointing a senior-level staff member to oversee
the third party
ordm May not have a clear picture of the business operations
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Role of the CISO (Section 50004 (b) one-year requirement)
bull Provide an annual report to the board of directors on the
cybersecurity program and associated risks
bull The following must be taken into consideration by the CISO
ndash Cybersecurity policies and procedures
ndash All material cybersecurity risks
ndash Nonpublic information confidentiality the reliability and security of
information systems
ndash Effectiveness of the cybersecurity program
ndash Document of cybersecurity events that occurred during the year covered
in the report
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Application security (Section 50009)
bull Within the cybersecurity program in-house-developed applications
shall include
ndash written procedures guidelines and standards designed to ensure the use of
secure development practices
ndash procedures for evaluating assessing or testing the security of externally
developed applications utilized by the Covered Entity within the context of the
technology environment
bull All such procedures guidelines and standards shall be periodically
reviewed assessed and updated as necessary by the CISO (or a
qualified designee)
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Overview of the risk assessment policy and procedures (Section 50009)
bull Risk assessments of information systems should be done periodically to
inform the design of the cybersecurity program
bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or
business operations
ndash allow for revision of controls to respond to threat or any technological developments
ndash consider risks of operations that relate to cybersecurity information systems collected or
stored nonpublic information and the effectiveness of controls to protect nonpublic
information and information systems
ndash be documented and implemented in accordance with written policies and procedures
bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks
ndash conditions set for the assessment of the security confidentiality and integrity and availability
information systems and nonpublic information including the suitability of current controls
relating to identified risks
ndash a plan to determine how identified risks based on the risk assessment will be mitigated or
accepted and how the cybersecurity program will address the risks
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Setting up a program specific to your
organizationrsquos information systems and
business operations
bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business
ndash How does cyber risk affect the business
bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience
bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers
ndash Productservice development
ndash Customer experience
ndash External influencers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Elements of a strong cybersecurity
strategy
bull Set a vision Describe how cybersecurity protects and enables value in your company
bull Sharpen your priorities Your resources are finite so focus on critical business assets
bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications
bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk
bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape
bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue
bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
Annex A: 14 control categories (114 controls)
A.5 Information security policies
A.6 Organization of information security
A.7 Human resources security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years
– include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years
Retention summary: material financial transactions – maintain 5 years; audit trails of cybersecurity events – maintain 3 years
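The slide states what must be kept and for how long, but not how "securely maintain" can be met in practice. The following is an added example, not code from the IT Governance slides, the Regulation or vsRisk: a tamper-evident audit trail that keeps one SHA-256 hash chain per record class, applies the two retention periods the slide quotes (five years for material financial transactions, three years for cybersecurity-event audit trails), and purges expired entries from the head of each chain without breaking integrity verification. The record classes, field names, sample entries, the 365-day year and the webinar date used as "now" are all constructed assumptions.

```python
"""Tamper-evident audit trail with class-specific retention.

Added example; it is not code from the IT Governance slides or from vsRisk.
Record classes, fields, sample data and the 365-day year are assumptions.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Retention per record class, in days, following the two periods the slide
# quotes from Section 500.06 ("not fewer than" five and three years).
# Approximating a year as 365 days is an assumption; a real deployment would
# add a margin rather than purge on the exact boundary.
RETENTION_DAYS = {
    "financial_transaction": 5 * 365,
    "cybersecurity_event": 3 * 365,
}

GENESIS = "0" * 64  # anchor digest for an empty chain
WEBINAR_DATE = datetime(2017, 3, 23, tzinfo=timezone.utc)  # "now" for the demo


def _digest(prev_hash: str, record: dict) -> str:
    """Chain digest: SHA-256 over the previous digest plus canonical JSON of the
    record, so editing, reordering or removing an entry breaks verification."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """One hash chain per record class, so that the expired prefix of one class
    can be purged without touching the other class's chain."""

    def __init__(self):
        self.chains = {cls: [] for cls in RETENTION_DAYS}
        self.anchors = {cls: GENESIS for cls in RETENTION_DAYS}

    def append(self, record_class: str, timestamp: datetime, **fields) -> str:
        chain = self.chains[record_class]  # KeyError for an unknown class
        if chain and timestamp < datetime.fromisoformat(chain[-1]["record"]["ts"]):
            raise ValueError("entries must be appended in time order")
        record = {"class": record_class, "ts": timestamp.isoformat(), **fields}
        prev = chain[-1]["hash"] if chain else self.anchors[record_class]
        entry = {"record": record, "hash": _digest(prev, record)}
        chain.append(entry)
        return entry["hash"]

    def verify(self, record_class: str) -> int:
        """Recompute the chain from its anchor. Returns the index of the first
        entry whose stored digest does not match, or -1 if the chain is intact."""
        prev = self.anchors[record_class]
        for i, entry in enumerate(self.chains[record_class]):
            if _digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

    def purge_expired(self, record_class: str, now: datetime) -> int:
        """Drop entries older than the class retention period. Entries are in
        time order, so the expired ones form a prefix; the digest of the last
        removed entry becomes the new anchor, so verify() still holds afterwards."""
        chain = self.chains[record_class]
        limit = timedelta(days=RETENTION_DAYS[record_class])
        n = 0
        while n < len(chain) and now - datetime.fromisoformat(chain[n]["record"]["ts"]) > limit:
            n += 1
        if n:
            self.anchors[record_class] = chain[n - 1]["hash"]
            del chain[:n]
        return n


def demo(now: datetime = WEBINAR_DATE) -> dict:
    """Constructed sample: two transactions and three security events, then a
    retention purge, an integrity check, and a simulated edit of a kept entry."""
    trail = AuditTrail()
    utc = timezone.utc
    trail.append("financial_transaction", datetime(2011, 6, 1, tzinfo=utc), txn_id="T-1", amount="1200.00")
    trail.append("financial_transaction", datetime(2013, 10, 15, tzinfo=utc), txn_id="T-2", amount="80.50")
    trail.append("cybersecurity_event", datetime(2013, 9, 1, tzinfo=utc), event="failed-login-burst", outcome="blocked")
    trail.append("cybersecurity_event", datetime(2014, 5, 20, tzinfo=utc), event="malware-detected", outcome="quarantined")
    trail.append("cybersecurity_event", datetime(2016, 11, 2, tzinfo=utc), event="phishing-report", outcome="investigated")

    result = {
        "financial_purged": trail.purge_expired("financial_transaction", now),
        "event_purged": trail.purge_expired("cybersecurity_event", now),
    }
    result["financial_kept"] = len(trail.chains["financial_transaction"])
    result["event_kept"] = len(trail.chains["cybersecurity_event"])
    result["verify_after_purge"] = trail.verify("cybersecurity_event")
    # Simulate an after-the-fact edit of a retained record.
    trail.chains["cybersecurity_event"][1]["record"]["outcome"] = "ignored"
    result["verify_after_tamper"] = trail.verify("cybersecurity_event")
    return result


if __name__ == "__main__":
    print(demo())
```

Keeping separate chains per record class is the design choice that makes the two different retention periods workable: a single interleaved chain could not drop three-year-old event records while keeping four-year-old transactions without re-hashing everything that follows. In production the anchors and the latest digests would be written to storage the application cannot modify (write-once media, a separate log-integrity service, or periodic signing), since an attacker who can rewrite the whole chain and its anchor defeats the check.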
Best-practice cyber risk management: ISO 27001 and vsRisk
• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity and availability
– Achieve certification in a timely and cost-effective manner
• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Provides a framework to start your cybersecurity program
– Saves time, effort and expense
ISO 2700x family of standards (diagram, reconstructed from the transcript)
• ISO 27001:2013: clauses 0 to 3 (Introduction, Scope and normative references, Terms and definitions); clauses 4 to 10 (the ISMS requirements clauses); Annex A, A.5 to A.18 (security control objectives and controls); Annex B (Bibliography)
• ISO 27000:2016: clauses 1 to 4 (Introduction, Application, Terms and definitions)
• ISO 27002:2013: Introduction, Scope and normative references, Terms and definitions, Structure and risk assessment; clauses 5 to 18 (security control objectives and controls, each giving the control, implementation guidance and other information); Bibliography
Risk assessment software (screenshot)
vsRisk™ (v2.x) (screenshot; visible labels: NIST, PCI DSS)
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
º https://www.itgovernanceusa.com/risk_assessments
IT Governance Ltd: one-stop shop
All verticals, all sectors, all organizational sizes
Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
– ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Join in the conversation
• Subscribe to our IT Governance LinkedIn group, NYDFS Cybersecurity Requirements: https://www.linkedin.com/groups/8598504
Questions and answers
Appointing a chief information security officer (CISO) (Section 500.04(a), 180-day requirement)
• What to look for in a candidate:
– A trustworthy advisor
– Understands the business processes and the organization as a whole
• Covered entities may choose to:
– Designate an internal staff member as CISO
º Benefit: an internal CISO has an advantage in understanding how the business operates, and so can better assess and guide what is needed to protect the organization
– Outsource the role to an affiliate or third party
º With this option comes the additional measure of appointing a senior-level staff member to oversee the third party
º The third party may not have a clear picture of the business operations
Role of the CISO (Section 500.04(b), one-year requirement)
• Provide an annual report to the board of directors on the cybersecurity program and associated risks
• The following must be taken into consideration by the CISO:
– Cybersecurity policies and procedures
– All material cybersecurity risks
– The confidentiality of nonpublic information, and the reliability and security of information systems
– Effectiveness of the cybersecurity program
– Documentation of cybersecurity events that occurred during the year covered in the report
Application security (Section 500.09)
• The cybersecurity program shall include, for in-house-developed applications:
– written procedures, guidelines and standards designed to ensure the use of secure development practices
– procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of its technology environment
• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee)
Overview of the risk assessment policy and procedures (Section 500.09)
• Risk assessments of information systems should be done periodically to inform the design of the cybersecurity program
• The risk assessment must:
– be updated if there are any changes to information systems, nonpublic information or business operations
– allow for revision of controls to respond to threats or technological developments
– consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems
– be documented and implemented in accordance with written policies and procedures
• Policies and procedures are to include:
– measures for the evaluation and classification of identified cybersecurity threats or risks
– conditions for the assessment of the security, confidentiality, integrity and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks
– a plan setting out how identified risks will be mitigated or accepted based on the risk assessment, and how the cybersecurity program will address those risks
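The three things the slide says the policies and procedures must contain (classify identified threats, judge whether current controls are suitable, and decide mitigate-or-accept) can be made concrete with a small risk register. The following is an added example and is not code from the slides, the Regulation or vsRisk; the 1-5 likelihood and impact scales, the classification bands, the risk appetite threshold, the control effects and the three sample risks are all constructed assumptions.

```python
"""Risk register walk-through: classify, check controls, decide treatment.

Added example; it is not code from the slides, from the Regulation or from
vsRisk. The 1-5 scales, the classification bands, the risk appetite and the
sample risks are constructed assumptions.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # residual score at or below this may be accepted (assumption)


def classify(score: int) -> str:
    """Banding of a likelihood x impact score (assumption)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Control:
    name: str
    reduces: dict  # dimension ("likelihood", "C", "I" or "A") -> steps down the scale


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: dict  # {"C": ..., "I": ..., "A": ...} using IMPACT keys
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Score before controls: likelihood times the worst of C, I and A."""
        return LIKELIHOOD[self.likelihood] * max(IMPACT[v] for v in self.impact.values())

    def residual(self) -> int:
        """Score after existing controls, each lowering one or more dimensions;
        nothing goes below 1 on the scale."""
        lvl = {"likelihood": LIKELIHOOD[self.likelihood]}
        lvl.update({dim: IMPACT[v] for dim, v in self.impact.items()})
        for c in self.controls:
            for dim, steps in c.reduces.items():
                lvl[dim] = max(1, lvl[dim] - steps)
        return lvl["likelihood"] * max(lvl["C"], lvl["I"], lvl["A"])


def assess(register: list, appetite: int = RISK_APPETITE) -> list:
    """One row per risk: inherent and residual scores, classification of the
    residual risk, whether current controls are suitable, and the treatment."""
    rows = []
    for r in register:
        res = r.residual()
        suitable = res <= appetite
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent(),
            "residual": res,
            "classification": classify(res),
            "controls_suitable": suitable,
            "treatment": "accept" if suitable else "mitigate",
        })
    return rows


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("customer PII database", "ransomware", "possible",
         {"C": "major", "I": "severe", "A": "severe"},
         [Control("endpoint detection and response", {"likelihood": 1}),
          Control("tested offline backups", {"I": 2, "A": 2})]),
    Risk("online banking portal", "credential attack on login", "likely",
         {"C": "major", "I": "moderate", "A": "minor"},
         [Control("multi-factor authentication", {"likelihood": 2}),
          Control("web application firewall", {"likelihood": 1})]),
    Risk("branch office", "natural disaster", "rare",
         {"C": "negligible", "I": "minor", "A": "major"}),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

Running it shows why the residual score, not the inherent one, drives treatment: the ransomware risk starts as critical (15) and remains above appetite after backups and endpoint detection (8, medium), so it needs a documented mitigation plan, whereas the portal risk also starts critical (16) but is brought to low (4) by existing controls and can be accepted. The slide's "must be updated if there are any changes" requirement maps to re-running assess() whenever a Risk or Control entry changes.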
Setting up a program specific to your organization's information systems and business operations
• An effective program must place cybersecurity in the context of the business and should be guided by two related considerations:
– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.
• The company's technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
– Supply chain/third-party suppliers
– Product/service development
– Customer experience
– External influencers
Elements of a strong cybersecurity strategy
• Set a vision: describe how cybersecurity protects and enables value in your company.
• Sharpen your priorities: your resources are finite, so focus on critical business assets.
• Build the right team: ensure your security program has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management and strategic communications.
• Enhance your controls: to reflect the widening scope of your cybersecurity strategy, you'll need to adopt new methods for treating risk.
• Monitor the threat: cybersecurity requires an adaptive outlook; maintain awareness of the threat landscape.
• Plan for contingencies: no one can be 100% secure, so a strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue.
• Transform the culture: people are the core of the business, so cybersecurity is everyone's responsibility. Encourage their buy-in by making cybersecurity relevant to each business area.
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Role of the CISO (Section 50004 (b) one-year requirement)
bull Provide an annual report to the board of directors on the
cybersecurity program and associated risks
bull The following must be taken into consideration by the CISO
ndash Cybersecurity policies and procedures
ndash All material cybersecurity risks
ndash Nonpublic information confidentiality the reliability and security of
information systems
ndash Effectiveness of the cybersecurity program
ndash Document of cybersecurity events that occurred during the year covered
in the report
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Application security (Section 50009)
bull Within the cybersecurity program in-house-developed applications
shall include
ndash written procedures guidelines and standards designed to ensure the use of
secure development practices
ndash procedures for evaluating assessing or testing the security of externally
developed applications utilized by the Covered Entity within the context of the
technology environment
bull All such procedures guidelines and standards shall be periodically
reviewed assessed and updated as necessary by the CISO (or a
qualified designee)
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Overview of the risk assessment policy and procedures (Section 50009)
bull Risk assessments of information systems should be done periodically to
inform the design of the cybersecurity program
bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or
business operations
ndash allow for revision of controls to respond to threat or any technological developments
ndash consider risks of operations that relate to cybersecurity information systems collected or
stored nonpublic information and the effectiveness of controls to protect nonpublic
information and information systems
ndash be documented and implemented in accordance with written policies and procedures
bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks
ndash conditions set for the assessment of the security confidentiality and integrity and availability
information systems and nonpublic information including the suitability of current controls
relating to identified risks
ndash a plan to determine how identified risks based on the risk assessment will be mitigated or
accepted and how the cybersecurity program will address the risks
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Setting up a program specific to your
organizationrsquos information systems and
business operations
bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business
ndash How does cyber risk affect the business
bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience
bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers
ndash Productservice development
ndash Customer experience
ndash External influencers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Elements of a strong cybersecurity
strategy
bull Set a vision Describe how cybersecurity protects and enables value in your company
bull Sharpen your priorities Your resources are finite so focus on critical business assets
bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications
bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk
bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape
bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue
bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Application security (Section 50009)
bull Within the cybersecurity program in-house-developed applications
shall include
ndash written procedures guidelines and standards designed to ensure the use of
secure development practices
ndash procedures for evaluating assessing or testing the security of externally
developed applications utilized by the Covered Entity within the context of the
technology environment
bull All such procedures guidelines and standards shall be periodically
reviewed assessed and updated as necessary by the CISO (or a
qualified designee)
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Overview of the risk assessment policy and procedures (Section 50009)
bull Risk assessments of information systems should be done periodically to
inform the design of the cybersecurity program
bull The risk assessment mustndash be updated if there are any changes to information systems nonpublic information or
business operations
ndash allow for revision of controls to respond to threat or any technological developments
ndash consider risks of operations that relate to cybersecurity information systems collected or
stored nonpublic information and the effectiveness of controls to protect nonpublic
information and information systems
ndash be documented and implemented in accordance with written policies and procedures
bull Policies and procedures are to includendash measures for the evaluation and classification of identified cybersecurity threats or risks
ndash conditions set for the assessment of the security confidentiality and integrity and availability
information systems and nonpublic information including the suitability of current controls
relating to identified risks
ndash a plan to determine how identified risks based on the risk assessment will be mitigated or
accepted and how the cybersecurity program will address the risks
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Setting up a program specific to your
organizationrsquos information systems and
business operations
bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business
ndash How does cyber risk affect the business
bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience
bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers
ndash Productservice development
ndash Customer experience
ndash External influencers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Elements of a strong cybersecurity
strategy
bull Set a vision Describe how cybersecurity protects and enables value in your company
bull Sharpen your priorities Your resources are finite so focus on critical business assets
bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications
bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk
bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape
bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue
bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
– Provides alerts on current attacks and threats
– Partners with the Department of Homeland Security
– Free membership
– https://msisac.cisecurity.org
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
– The global financial industry's resource for cyber and threat intelligence analysis and sharing
– Requires a membership fee
– https://www.fsisac.com
Incorporating controls
• Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by
– identifying risks
– preventing risks through the design and implementation of controls
– monitoring and reporting on the effectiveness of those controls
– resolving compliance difficulties as they occur
– advising and training
[Diagram: four control types – physical, personnel, procedural, product/technical]
Annex A: 14 control categories (114 controls)
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
– are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years
– include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years
Retention summary:
– Material financial transactions: maintain 5 years
– Audit trails of cybersecurity events: maintain 3 years
Best-practice cyber risk management: ISO 27001 and vsRisk
• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
• ISO 27001
– Internationally recognized standard
– Best-practice solution
– Substantial ecosystem of implementers
– Coordinates multiple legal and contractual compliance requirements
– Built around business-focused risk assessment
– Balances confidentiality, integrity and availability
– Achieve certification in a timely and cost-effective manner
• vsRisk™ software
– Gives you a clear picture of your risks and threats
– Provides a framework to start your cybersecurity program
– Saves time, effort and expense
ISO 27000x family of standards
[Diagram: how the three standards fit together]
– ISO 27001:2013: clauses 0 to 3 (introduction, scope and normative references, terms and definitions); clauses 4 to 10 (structure and risk assessment); Annex A, A.5 to A.18 (security … control objectives and controls); Annex B (bibliography)
– ISO 27002:2013: clauses 1 to 4 (introduction, scope and normative references, terms and definitions, structure); clauses 5 to 18 (security … control objectives and controls, each control given with implementation guidance and other information)
– ISO 27000:2016: introduction, application, terms and definitions
Risk assessment software [screenshot]
vsRisk™ (v2.x) [screenshot; frameworks shown: NIST, PCI DSS]
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
º Part 1 – The Regulation and the ISO 27001 standard
º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation
º https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001
º https://www.itgovernanceusa.com/risk_assessments
IT Governance Ltd: one-stop shop
All verticals, all sectors, all organizational sizes
Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
– New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
– https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
– https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
– ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Join in the conversation
• Subscribe to our IT Governance LinkedIn group: NYDFS Cybersecurity Requirements
https://www.linkedin.com/groups/8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
Overview of the risk assessment policy and procedures (Section 500.09)
• Risk assessments of information systems should be done periodically to inform the design of the cybersecurity program.
• The risk assessment must
– be updated if there are any changes to information systems, nonpublic information or business operations
– allow for revision of controls to respond to threats or any technological developments
– consider risks of operations that relate to cybersecurity, information systems, collected or stored nonpublic information, and the effectiveness of controls to protect nonpublic information and information systems
– be documented and implemented in accordance with written policies and procedures
• Policies and procedures are to include
– measures for the evaluation and classification of identified cybersecurity threats or risks
– conditions set for the assessment of the security, confidentiality, integrity and availability of information systems and nonpublic information, including the suitability of current controls relating to identified risks
– a plan to determine how identified risks, based on the risk assessment, will be mitigated or accepted, and how the cybersecurity program will address the risks
Setting up a program specific to your organization's information systems and business operations
• An effective program must place cybersecurity in the context of the business and should be guided by two related considerations:
– How does cybersecurity enable the business?
– How does cyber risk affect the business?
• From this perspective, cybersecurity focuses on competitive advantage and positions itself as a business enabler. If done right, cybersecurity helps drive a consistent, high-quality customer experience.
• The company's technology infrastructure should be at the forefront, but a cybersecurity strategy should go further and also cover:
– Supply chain/third-party suppliers
– Product/service development
– Customer experience
– External influencers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Elements of a strong cybersecurity
strategy
bull Set a vision Describe how cybersecurity protects and enables value in your company
bull Sharpen your priorities Your resources are finite so focus on critical business assets
bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications
bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk
bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape
bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue
bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Setting up a program specific to your
organizationrsquos information systems and
business operations
bull An effective program must place cybersecurity in the context of the business and should be guided by two related considerationsndash How does cybersecurity enable the business
ndash How does cyber risk affect the business
bull From this perspective cybersecurity focuses on competitive advantage and positions itself as a business enabler If done right cybersecurity helps drive a consistent high-quality customer experience
bull The companyrsquos technology infrastructure should be on the forefront but a cybersecurity strategy should go further and also coverndash Supply chainthird party suppliers
ndash Productservice development
ndash Customer experience
ndash External influencers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Elements of a strong cybersecurity
strategy
bull Set a vision Describe how cybersecurity protects and enables value in your company
bull Sharpen your priorities Your resources are finite so focus on critical business assets
bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications
bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk
bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape
bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue
bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Elements of a strong cybersecurity
strategy
bull Set a vision Describe how cybersecurity protects and enables value in your company
bull Sharpen your priorities Your resources are finite so focus on critical business assets
bull Build the right team Ensure your security program has an appropriate mix of skill sets including organizational change management crisis management third-party risk management and strategic communications
bull Enhance your controls To reflect the widening scope of your cybersecurity strategy yoursquoll need to adopt new methods for treating risk
bull Monitor the threat Cybersecurity requires an adaptive outlook Maintain awareness of the threat landscape
bull Plan for contingencies No one can be 100 secure so a strong incident response capability is essential in case something undesirable happens Incident response is not just a technology issue
bull Transform the culture People are the core of the business so cybersecurity is everyonersquos responsibility Encourage their buy-in by making cybersecurity relevant to each business area
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
New York breaches rose 60 in 2016
New York State Attorney General Eric T Schneiderman released a
summary of the year 2016 to reveal
bull 1300 data breaches reported
bull 60 increase from 2015
bull 16 million New Yorkersrsquo personal records exposed
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Identifying cyber threats: the threat landscape
Threat actors: Non-target specific; Employees; Terrorists; Hacktivists; Organized crime; Natural disasters; Nation states; Competitors
Attack vectors: People; Processes; Technology
Threat targets: IP; Card data; PII; Money; Reputation; Commercial info
Threat types: Malware; Web attacks; Denial of service; Social engineering; Exploit kits; Ransomware; etc.
Resources for threat alerts
• Multi-State Information Sharing and Analysis Center (MS-ISAC)
  – Provides alerts to current attacks and threats
  – Partners with the Department of Homeland Security
  – Free membership
  – https://msisac.cisecurity.org
• Financial Services Information Sharing and Analysis Center (FS-ISAC)
  – A global financial industry's resource for cyber and threat intelligence analysis and sharing
  – Requires a membership fee
  – https://www.fsisac.com
Incorporating controls
• Cybersecurity compliance must support compliance with appropriate rules and regulations, as well as organizational policies and procedures, by:
  – identifying risks
  – preventing risks through the design and implementation of controls
  – monitoring and reporting on the effectiveness of those controls
  – resolving compliance difficulties as they occur
  – advising and training
Control types: Physical; Personnel; Procedural; Product/Technical
Annex A: 14 control categories (114 controls)
A.5 Information security policies
A.6 Organization of information security
A.7 Human resources security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
  – are designed to reconstruct material financial transactions sufficient to support normal operations and obligations for not fewer than five years
  – include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations for not fewer than three years
Retention periods: material financial transactions – maintain 5 years; audit trails of cybersecurity events – maintain 3 years
Best-practice cyber risk management: ISO 27001 and vsRisk
• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
• ISO 27001
  – Internationally recognized standard
  – Best-practice solution
  – Substantial ecosystem of implementers
  – Coordinates multiple legal and contractual compliance requirements
  – Built around business-focused risk assessment
  – Balances confidentiality, integrity and availability
  – Achieve certification in a timely and cost-effective manner
• vsRisk™ software
  – Gives you a clear picture of your risks and threats
  – Provides a framework to start your cybersecurity program
  – Saves time, effort and expense
ISO 27000x family of standards (diagram)
ISO 27000:2016; ISO 27001:2013 (clauses 0 to 3, clauses 4 to 10, Annex A A.5 to A.18, Annex B); ISO 27002:2013 (clauses 1 to 4, clauses 5 to 18)
Labels recoverable from the diagram: Introduction; Application; Scope and normative references; Terms and definitions; Structure and risk assessment; Security … (control objectives and controls); Control; Implementation guidance; Other information; Bibliography
Risk assessment software (screenshot)
vsRisk™ (v2.x) (screenshot; labels: NIST, PCI DSS)
Valuable resources
• Free green papers: NYDFS Cybersecurity Requirements
  º Part 1 – The Regulation and the ISO 27001 standard
  º Part 2 – Mapped alignment with ISO 27001
• More information on ISO 27001 and the Regulation: https://www.itgovernanceusa.com/iso27001-nydfs-cybersecurity
• Risk assessment and ISO 27001: https://www.itgovernanceusa.com/risk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
2016 NY breaches caused by
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
The threat landscape
Non-target specific
Employees
Terrorists
Hacktivists
Organized crime
Natural disasters
Nation states
Competitors
People
Processes
Technology
Threat actors Attack vectors Threat
targets
IP
Card data
PII
Money
Reputation
Commercial info
Malware
Web attacks
Denial of service
Social engineering
Exploit kits
Ransomware
Etc
Threat types
Identifying cyber threats
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Resources for threat alerts
bull Multi-State Information Sharing and Analysis Center (MS-ISAC)
ndash Provides alerts to current attacks and threats
ndash Partners with the Department of Homeland Security
ndash Free membership
ndash httpsmsisaccisecurityorg
bull Financial Services Information Sharing and Analysis Center FS-
ISAC)
ndash A global financial industrys resource for cyber and threat intelligence analysis
and sharing
ndash Requires a membership fee
ndash httpswwwfsisaccom
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Incorporating controls
bull Cybersecurity compliance must
support compliance with
appropriate rules and regulations
as well as organizational policies
and procedures by
ndash identifying risks
ndash preventing risks though the design
and implementation of controls
ndash monitoring and reporting on the
effectiveness of those controls
ndash resolving compliance difficulties as
they occur
ndash advising and training
Physical Personnel
Procedural ProductTechnical
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books standards training and tools
bull New York DFS Cybersecurity amp ISO 27001
Certified ISMS online trainingndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Foundation
ndash New York DFS Cybersecurity amp ISO 27001 Certified ISMS Lead Implementer
bull ISO 27001 Cybersecurity Documentation Toolkitndash httpswwwitgovernanceusacomshopproductiso-27001-
cybersecurity-documentation-toolkit
bull vsRisktrade ndash risk assessment softwarendash httpswwwitgovernanceusacomshopProductvsrisk-standalone-basic
bull ISO 27001 standardsndash ISOIEC 27001 2013 (ISO 27001 Standard) ISMS Requirements
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Join in the conversation
bull Subscribe to our IT Governance LinkedIn group
NYDFS Cybersecurity Requirementshttpswwwlinkedincomgroups8598504
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Questions and answers
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Annex A 14 control categories
5 Infosec policies
6 Organization of infosec 7 Human resources security
8 Asset management 9 Access control
12 Operations security
14 System acq dev amp
mtnce
16 Infosec incident management 17 Infosec aspects of BC mgmt
18 Compliance
11 Physical and environmental sec
15 Supplier relationships
10 Cryptography
13 Comms security
114 CONTROLS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Maintaining an audit trail to include
responses to and detection of
cybersecurity events (Section 50006)
bull Each Covered Entity shall securely maintain systems that to the
extent applicable and based on its risk assessment
ndash are designed to reconstruct material financial transactions sufficient to
support normal operations and obligations for not fewer than five years
ndash include audit trails designed to detect and respond to cybersecurity
events that have a reasonable likelihood of materially harming any
material part of the normal operations for not fewer than three years
Maintain 5 years Maintain 3 years
Material financial transactions Audit trails of cybersecurity events
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Best-practice cyber risk management
ISO 27001 and vsRisk
bull Encompassing people processes and technology ISO 27001rsquos enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way
bull ISO 27001ndash Internationally recognized standardndash Best-practice solutionndash Substantial ecosystem of implementersndash Coordinates multiple legal and contractual compliance requirementsndash Built around business-focused risk assessmentndash Balances confidentiality integrity availabilityndash Achieve certification in a timely and cost-effective manner
bull vsRisktrade software ndash Gives you a clear picture of your risks and threatsndash Providing a framework to start your cybersecurity programndash Save time effort and expense
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
ISO 27000x family of standards
0
to
3
4
to
10
Annex A A5
to
Annex A A18
Annex B
1
to
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Security hellip
bull Control objectives
bull Controls
Introduction
Application
Terms and definitions
Security hellip
bull Control objectives
bull Controls
Introduction
Scope and norm ref
Terms and definitions
Structure and risk ass
Bibliography
Control
Implementation
guidance
Other info
ISO 270012013
ISO 270002016
ISO 270022013
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Risk assessment software
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
vsRisktrade (v2x)
NIST PCI DSS
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Valuable resources
bull Free green papers
NYDFS Cybersecurity Requirements
ordm Part 1 ndash The Regulation and the ISO 27001 standard
ordm Part 2 ndash Mapped alignment with ISO 27001
bull More information on ISO 27001 and the Regulationordm httpswwwitgovernanceusacomiso27001-nydfs-cybersecurity
bull Risk assessment and ISO 27001ordm httpswwwitgovernanceusacomrisk_assessments
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
IT Governance Ltd One-stop shop
All verticals all sectors all organizational sizes
TM
wwwitgoverrnanceusacom
Copyright IT Governance Ltd 2017 ndash v10
Books, standards, training and tools
• New York DFS Cybersecurity & ISO 27001 Certified ISMS online training
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Foundation
  – New York DFS Cybersecurity & ISO 27001 Certified ISMS Lead Implementer
• ISO 27001 Cybersecurity Documentation Toolkit
  – https://www.itgovernanceusa.com/shop/product/iso-27001-cybersecurity-documentation-toolkit
• vsRisk™ – risk assessment software
  – https://www.itgovernanceusa.com/shop/Product/vsrisk-standalone-basic
• ISO 27001 standards
  – ISO/IEC 27001:2013 (ISO 27001 Standard) ISMS Requirements
Join in the conversation
• Subscribe to our IT Governance LinkedIn group: NYDFS Cybersecurity Requirements
  https://www.linkedin.com/groups/8598504
Questions and answers
Maintaining an audit trail to include responses to and detection of cybersecurity events (Section 500.06)
• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
  – are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, for not fewer than five years;
  – include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, for not fewer than three years.

  Maintain 5 years: material financial transactions
  Maintain 3 years: audit trails of cybersecurity events
Best-practice cyber risk management: ISO 27001 and vsRisk
• Encompassing people, processes and technology, ISO 27001's enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments, so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
• ISO 27001
  – Internationally recognized standard
  – Best-practice solution
  – Substantial ecosystem of implementers
  – Coordinates multiple legal and contractual compliance requirements
  – Built around business-focused risk assessment
  – Balances confidentiality, integrity and availability
  – Achieve certification in a timely and cost-effective manner
• vsRisk™ software
  – Gives you a clear picture of your risks and threats
  – Provides a framework to start your cybersecurity program
  – Saves time, effort and expense