<img src="http://www.shrfbdg004.com/63997.png" style="display:none;">

New Cybersecurity Regulations to Impact Financial Firms on March 1, 2017

Posted by Joe Vigorito on 1/18/17 3:32 PM

On December 28, 2016, the Department of Financial Services (NYSDFS) released a revised version of the first-in-nation “Cybersecurity Requirements for Financial Services Companies” (The Revised Proposed Rules), initially issued on September 13, 2016.

Amidst the surge in global attacks on financial institutions and corporate computer networks, NYS lowered the bar for banks, credit unions, insurers, and mortgage companies to comply with the new rule, that if adopted, goes into effect on March 1, 2017. The proposed rules only apply to “covered entities”, defined as, “any Person operating under or required to operate under a license, registration charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” 

> > > Click here to find out if your institution is a covered entity.     

Your People and Processes Need to Align to Your IT Security Policy

Information Security Policies are one of the strongest preventative tools against cyberattacks. They define appropriate permissible behavior among all parties who access data in your enterprise.

  • Policies outline what system, tools, and processes can be used. Anything not mentioned in the policy, cannot be used.

  • Policies describe how the organization monitors individual adherence.

  • Policies define areas of risk and how that risk will be mitigated.

  • Policies protect against legal and regulatory jeopardy to the organization.

  • Policies provide a foundation for HR/Legal action.

  • Policies must be supported by senior leadership in a visible way.

Information security can actually be broken out into a plethora of smaller, modular policies, focusing on many different aspects. 

When combined with Security Awareness and Security Assessment programs like penetration testing, organizations create a holistic preventative program with significant efficacy. Alhough often overlooked in policies, organizations should define and authorize consequence management processes when the policy is not adhered to those it covers.

IT Policy Best Practices

When creating a policy, be sure to follow the best practices outlined below and seek the counsel of a trusted security partner who can review it and make additional recommendations.

1. Use Policy Templates

A Security Policy format should always look the same. Using templates helps in crafting, understanding, and updating. Here is a solid template to use:

  1. Policy Category

  2. Company

  3. Policy Title

  4. Effective Date

  5. Purpose - What is the reason for the policy?

  6. Scope - Who does the policy apply to, and when?

  7. Policy - Stipulate the secure state or practice; Describe the mandated behavior

  8. Regulatory Requirement - if applicable 

  9. Consequence Management - What happens if non-compliance occurs?

  10. Reference or Other Relevant Policies or Standards

  11. Version History

  12. Ownership - Include specific point people for follow up and questions

2. Policy Review Process

It is important to define your development and review process for your suite of policies. Here are some best practice points:

  • Have a method to capture new policy requirements based on new technologies or new business models.

  • Set an annual sequence for review of all policies.

  • Set a protocol for gaining input from all stakeholders. Get early buy-in so policies do not become stagnant awaiting change.

  • Define your conditions for policy change and stay adhered to them. It should be hard to change a policy, not easy. Do not change them on a whim. 

  • Have a waiver policy. Some policies may be forward looking. Have a waiver that can be requested and issued to a user or group of users for a limited amount of time.

  • Reissue your revised policy on its anniversary date each year, rather than varying the update periods.

  • Know exactly who will craft and approve changes to the policy in advance.

3. Policy Authorship

Information Security policies should evidence the following:

  • A thorough understanding of the business.

  • Focus on assessing risk objectively, not restricting personnel from being able to use systems fluently.

  • Complete, but concise documents.

  • Allow flexibility for innovation and do not stifle creativity so long as spirit of the policy is retained.

  • Drive desired behavior but do not cause excessive fear and procrastination.

  • Identify best practices vs. required practices.

  • Create reasonable target dates for any portion of the policy that is forward looking, allowing for temporary waivers.

  • Written in clear, non-technical language. Policies can be challenged if written in jargon people are not trained in or that is not clearly explained.

  • They are modular, no policy should intrude or say something contradictory to any another policy.

When properly crafted and maintained, an organization has a strong pillar on which to build the balance of the preventative segment of their information security program.


Let's Finish Your IT Security Policy  We can perform a policy review and provide recommendations to fill in any gaps  you may have.   We're Here to Help 

Topics: Security

Related posts

Power Automation and Intelligence with your IT Network  Nunc vel tempor mollis, odio mauris vulputate nisi, non pulvinar urna enim Download Now

the author

Joe Vigorito

Joe is the Director of Mobility & Security at Annese and is based in the Brewster office. With more than 20 years of experience in the industry, Joe is a highly certified and seasoned security professional and is a member of the Fellow & Diplomate (American Board for Certification in Homeland Security), ISSA, IEEE, BICSI, and FBI-Infragard. In his spare time, you may find Joe cooking up something in the kitchen or providing assistance to Wounded Warriors Project and Fisher House.

Post a Comment