23 NYCRR 500 requires that many Covered Entities conduct “annual penetration testing” as part of their Cybersecurity Program. Sounds boring, right?
Actually, maybe less so than you think. Penetration testing is the process of checking whether systems, applications and networks are well protected from hackers. In the world of cybersecurity, penetration testers (also known as “white hat” hackers) are revered – think Luke Skywalker in Star Wars: Return of the Jedi.
Quite literally, these guys and gals’ jobs consist of poking around your company to see if they can break into an application or network and access sensitive data. Or perhaps shut down a system entirely. Or otherwise wreak havoc. Their job is to play the part of the bad guys to help companies better protect themselves. The objective is to identify security weaknesses and report on them so fixes can be implemented.
Today, companies are inundated with attacks, ranging from foreign adversaries (such as China or Russia) to nerdy kids in their parents’ basement. Either way, the risks are real and the consequences for being unprepared are enormous.
23 NYCRR 500 requires that someone (the regulation does not specify whether it must be a third party) test your information systems to ensure that they cannot be easily broken into and inappropriately accessed. This testing must be done on an annual basis.
Many smaller businesses are exempt from this requirement, so be sure to evaluate your needs before diving in headfirst.