NYDFS Compliance

New York State Department of Financial Services (NYSDFS) CyberSecurity Requirements Compliance Assessment Exercise

STIGroup can conduct an assessment of the relevant aspects of the target environment(s) for compliance with the NYSDFS proposed (23 NYCRR 500) “CyberSecurity Requirements for Financial Services Companies”. This process will be conducted via interviews, documentation and data review, and system/environment inspection as appropriate to validate the required controls. Where feasible, the validation process will be combined with that conducted for Domain 3 of the FFIEC assessment exercise to maximize project efficiency. The process will be aligned with the current proposed standard as written (updates in subsequent revisions released prior to or during this exercise will be taken into account as feasible), and the results report will be structured accordingly. All relevant sections of the proposed standard will be covered in this exercise:
a) (Section 500.2) CyberSecurity Program
b) (Section 500.3) CyberSecurity Policy
c) (Section 500.4) Chief Information Security Officer
d) (Section 500.5) Penetration Testing and Vulnerability Assessments
e) (Section 500.6) Audit Trail
f) (Section 500.7) Access Privileges
g) (Section 500.8) Application Security
h) (Section 500.9) Risk Assessment
i) (Section 500.10) CyberSecurity Personnel and Intelligence
j) (Section 500.11) Third Party Information Security Policy
k) (Section 500.12) Multi-Factor Authentication
l) (Section 500.13) Limitations on Data Retention
m) (Section 500.14) Training and Monitoring
n) (Section 500.15) Encryption of Nonpublic Information
o) (Section 500.16) Incident Response Plan

Gap Analysis and Remediation Planning

STIGroup will conduct internal working sessions, as well as working sessions with your relevant personnel and third parties, to specifically enumerate and prioritize the compliance gaps identified during the assessment processes. A structured and prioritized remediation plan will be developed to address the issues identified in a manner that maximizes budgetary and resource efficiencies while minimizing operational impact. The activities can include:
a) Key issues and Associated Risk
b) Prioritized Recommendations for Remediation
c) Strategic Considerations
d) Process and Budget Outline for Remediation
e) Results/Recommendations peer review and quality assurance