What is a Third Party Service Provider Security Policy?

23 NYCRR 500 requires Covered Entities to implement a Third Party Service Provider Security Policy in Section 11. In reality, there is more to the requirement than simply crafting a policy. There are several other requirements Covered Entities must contend with in relation to Third Party Service Providers: Identification and initial risk assessment of third…

What is Training & Monitoring?

Section 14 of 23 NYCRR 500 is broken into two seemingly unrelated sections – training and monitoring. Section 14(a) focuses on monitoring requirements and Section 14(b) focuses on training requirements. Section 14(a) is anything but prescriptive and essentially requires Covered Entities to implement policies, procedures and controls to monitor their network activity to detect unauthorized access…

What is Data Retention?

The company I worked for previously is a world leader in data retention. The cornerstone of their business is helping companies conduct thorough data inventories to identify what sensitive and regulated data they process. From there, they help clients determine what information needs to be deleted, destroyed or purged – they help companies stand up…

What is Multi-Factor Authentication?

Under the 23 NYCRR 500, each Covered Entity must implement “effective controls” based on its Risk Assessment to protect against unauthorized access to Nonpublic Information. This is a rather imprecise call-to-action on its own, but NY DFS provides further clarity as to its expectations. Specifically, the implication is that multi-factor authentication is expected. So, what…

What is a CISO?

Section 4 of 23 NYCRR 500 requires covered entities to “designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.” The regulation refers to this individual as a Chief Information Security Officer, or CISO for short. This requirement may seem burdensome for a small company like…