Section 14 of 23 NYCRR 500 covers two seemingly unrelated topics: training and monitoring. Section 14(a) sets out the monitoring requirement and Section 14(b) the training requirement.
Section 14(a) is anything but prescriptive. It requires Covered Entities to implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and to detect unauthorized access to, use of, or tampering with NPI by those users. The word 'monitoring' is not defined in the regulation and could cover a number of things, including antivirus software, CCTV cameras, key cards, network and access logs, and the list goes on. The point is that the controls are aimed at the people who already have legitimate access: you need to keep track of who has access to what NPI, be able to see what they are doing with it, and confirm that the access remains appropriate.
Section 14(b) is no more prescriptive, but it is a bit less esoteric. It requires Covered Entities to provide regular cybersecurity awareness training for all personnel. The main requirement is that the training be updated to reflect the risks and vulnerabilities identified in the periodic Risk Assessment prescribed in Section 9, rather than being a generic off-the-shelf module.
To make this training and awareness program defensible, it should be periodic and continuous. Employees remain the most frequently targeted part of any organization, whether through phishing, credential theft or social engineering. Conduct the training at least annually, and more often if material changes take place in the business or in the threat landscape. Document everything: who attended, when, what was covered, and which Risk Assessment findings the content addresses, because that documentation is what an examiner will ask for.
Section 14 is not required under the most common exemption, the limited exemption in Section 19(a), but training and monitoring are important elements of an effective cybersecurity program and ought to be considered carefully, even if you are not currently required to implement them.