Overview

23 NYCRR 500 is a cybersecurity regulation issued by the New York State Department of Financial Services (NYDFS) that aims to protect customer information and the information systems of regulated entities operating in the financial services industry. The regulation establishes comprehensive requirements for cybersecurity programs, risk assessments, third-party vendor management, incident response, and more. Compliance with 23 NYCRR 500 is mandatory for covered entities operating in New York. 

For more information, refer to the 23 NYCRR 500 publication:
https://www.governor.ny.gov/sites/default/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf

Netsurion Managed XDR for 23 NYCRR 500 Compliance 

Netsurion Managed XDR combines SIEM, log management, proactive threat hunting, and guided incident response to meet the requirements outlined in 23 NYCRR 500. With comprehensive monitoring, analysis, and reporting capabilities, organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents.

Using Netsurion Managed XDR to meet 23 NYCRR 500 Requirements

Section 500.02 Cybersecurity Program

The cybersecurity program must be established, maintained, and designed to ensure the Confidentiality, Integrity and Availability of your systems.

IDENTIFY: Internal and external cyber risks, the nonpublic information held on your network, and who accesses it and how

Asset Management

The data, personnel, devices, systems and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Netsurion Open XDR provides support by collecting and analyzing all account management, access granting/revoking, and access/authentication logs.

Netsurion Open XDR correlation rules provide alerting on account authentication failures. Netsurion Open XDR investigations, reports and details provide evidence of system account management activity (account creation, deletion, and modification), access granting/revoking activity, and account access/authentication activity. Lastly, Netsurion Open XDR investigations provide evidence of authorized/unauthorized network access.

Governance

The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk.

Netsurion Open XDR provides support for this requirement by collecting and analyzing all account management and access/authentication logs. Netsurion Open XDR correlation rules provide alerting on account authentication failures. Netsurion Open XDR investigations, reports, and details provide evidence of account management activity (account creation, deletion, and modification) and account access/authentication activity, supporting enforcement of security policies within the organization.

Risk Assessment

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals.

Netsurion Open XDR provides support for this requirement by collecting and analyzing all suspicious network activity or activities indicative of cybersecurity risks.

Netsurion Open XDR correlation rules provide alerting on events indicative of potential cybersecurity threats or attacks on the network. Netsurion Open XDR investigations, reports, and details provide evidence of cybersecurity events in support of early detection and incident response.

PROTECT: Use three lines of defense, with policy and procedure implementation, to protect systems and non-public information from unauthorized access

Access Controls

Access to assets and associated facilities is limited to authorized users, processes or devices, and to authorized activities and transactions.

Netsurion Open XDR supports this requirement by collecting and analyzing all account management logs, network access/authentication logs, and remote and physical access logs. Netsurion Open XDR correlation rules provide alerting on account authentication failures. Netsurion Open XDR investigations, reports, and details provide evidence of account access/authentication activity.

Awareness and Training

The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures and agreements.

Netsurion Open XDR supports this requirement by collecting and analyzing all third-party accounts or process activities within the environment to ensure third parties are performing activities according to defined roles and responsibilities. Netsurion Open XDR correlation rules provide alerting on account authentication failures. Netsurion Open XDR investigations, reports, and details provide evidence of vendor account management and authentication (success/failures) activities.

Data Security

Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Netsurion Open XDR supports this requirement by collecting and analyzing all system logs relating to the protection of data integrity, availability and mobility.

Netsurion Open XDR’s Change Audit tracks file changes and logs the connection and disconnection of external data devices to the host computer where the Agent is running. Netsurion Open XDR also monitors and logs the transmission of files to an external storage device. Netsurion Open XDR can be configured to protect against external data device connections by ejecting specified devices upon detection. External USB drive storage devices include Flash/RAM drives and CD/DVD drives. Netsurion Open XDR correlation rules provide alerting on remote account authentication failures. Netsurion Open XDR investigations, reports, and details provide evidence of remote account access/authentication activity.

Information Protection Processes and Procedures

Security policies (that address purpose, scope, roles, responsibilities, management commitment and coordination among organizational entities), processes and procedures are maintained and used to manage protection of information systems and assets.

Netsurion Open XDR provides support by collecting and analyzing all logs relating to change management, backups, and those in support of incident response plans. Netsurion Open XDR correlation rules provide alerting on account management activities. Netsurion Open XDR investigations, reports, and details provide evidence of account management and authentication (success/failures) activities.

Maintenance

Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

Netsurion Open XDR provides support by collecting and analyzing all logs relating to critical and error conditions within the environment. Netsurion Open XDR correlation rules provide alerting on critical and error conditions within the environment. Netsurion Open XDR investigations, reports, and details provide evidence of environment conditions as well as process and system start-ups/shut-downs.

Protective Technology

Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures and agreements.

Netsurion Open XDR provides support by collecting logs relating to technical security solution access management and authentication activities. Further, Netsurion Open XDR allows for monitoring of removable media and other audit logging events.

Netsurion Open XDR correlation rules provide alerting on audit logging events (log cleared, stopped). Lastly, Netsurion Open XDR investigations, reports, and details provide evidence around the aforementioned activities.

RECOVER: Recover from cybersecurity events and restore normal operations and services

Improvements

Recovery planning and processes are improved by incorporating lessons learned into future activities.

Netsurion Open XDR provides support by collecting and analyzing logs relating to recovery operations. Netsurion Open XDR reports provide evidence around the recovery operation events.

Communications

Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims and vendors.

Netsurion Open XDR provides support by collecting and analyzing logs relating to recovery operations. Netsurion Open XDR reports provide evidence around the recovery operation events.

Section 500.05 Penetration Testing and Vulnerability Assessments

The Cybersecurity Program shall minimally include:

  • Penetration Testing performed at least annually
  • Vulnerability Assessment performed at least quarterly

Regarding Penetration Testing

  • Targets systems and users to identify weaknesses in business processes and technical controls.
  • Mimics a threat source’s search for and exploitation of vulnerabilities to demonstrate a potential for loss.
  • Management determines the level and types of tests employed to ensure effective and comprehensive coverage.
  • The frequency and scope of a penetration test should be a function of the level of assurance needed by the Firm and determined by the risk assessment process.
  • Tests can be performed internally by independent groups, internally by the organizational unit, or by an independent third party.
  • Management should determine the level of independence required of the test.


Regarding Vulnerability Assessments

  • Process that defines, identifies, and classifies the vulnerabilities in your computer network.
  • Similar to penetration testing, the frequency of the performance of vulnerability assessments should be determined by the risk management process.
  • Scanners/tools can be run continuously or periodically, generating metrics that are reported and acted upon.
  • Can be performed internally or by external testers, but they are often run as part of internal testing processes.

The Netsurion Open XDR Vulnerability Assessment Service is a scanning service that assists an organization in identifying and remediating vulnerabilities within its IT environment before hackers and thieves gain access to, modify, or destroy confidential information. Vulnerability Scanning services help our clients manage their vulnerabilities more rapidly and cost effectively. All vulnerabilities that are identified are presented to the client together with an assessment of impact and recommendations for mitigation or a technical solution. Vulnerability scans can be a one-time event or can be scheduled at an agreed-upon cycle (e.g., weekly, monthly, quarterly, bi-yearly).

Section 500.06 Audit Trail

The cybersecurity program for each Firm shall, at a minimum, include implementing and maintaining audit trail systems that:

Requirements

  • Track and maintain data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable the Firm to detect and respond to a Cybersecurity Event.
  • Track and maintain data logging of all privileged Authorized User access to critical systems.
  • Protect the integrity of data stored and maintained as part of any audit trail from alteration or tampering.
  • Protect the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction.
  • Log system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems.
  • Maintain records produced as part of the audit trail for not fewer than 6 years.

Netsurion Open XDR makes it easy for you to comply with regulatory requirements for log data collection, review, archival, reporting and alerting, as well as file integrity monitoring (FIM).

Netsurion Open XDR also helps users realize efficiencies and new capabilities in the audit process. Some of the many capabilities of the Netsurion Open XDR solution that provide substantial assistance to compliance and audit challenges include:

  • Collecting and archiving cross-platform log data in real time
  • Compressing logs for efficient long-term storage
  • Simplifying search and retrieval of specific logs for analysis and forensic investigation
  • Automatically identifying important audit events and alerting appropriate individuals
  • Providing an easier and more affordable way to automate log & event management and file integrity monitoring for compliance

Netsurion Open XDR protects its customers’ networks from insider threats and helps them meet specific requirements by allowing them to keep track of what their privileged users are doing. This includes business users with direct access to confidential data systems, as well as administrators with the ability to create and modify permissions, privileges and access to any device.

Privileged User Monitoring provides enormous value by delivering automated monitoring and secure, reliable access to a record of what privileged users are doing, when, and how they are doing it.

With Netsurion Open XDR you can immediately address and automate specific log data collection, review, archiving, reporting and alerting requirements as well as those requirements mandating File Integrity Monitoring.

Section 500.07 Access Privileges

The cybersecurity program for each Firm shall limit access privileges to Information Systems that provide access to Nonpublic Information solely to those individuals who require such access to such systems in order to perform their responsibilities and shall periodically review such access privileges.

Requirements

Management should develop a user access program to implement and administer physical and logical access controls to safeguard the Firm’s information assets and technology. This program should include the following elements:

  • Principle of least privilege, which recommends minimum user profile privileges for both physical and logical access based on job necessity.
  • Alignment of employee job descriptions to the user access program.
  • Requirements for business and application owners to define user profiles.
  • Ongoing reviews by business line and application owners to verify appropriate access based on job roles with changes reported on a timely basis to security administration personnel.
  • Timely notification from human resources to security administrators to adjust user access based on job changes, including terminations.
  • Periodic independent reviews that ensure effective administration of user access, both physical and logical.

Netsurion Open XDR’s real-time, automated, centralized and secure collection of log data provides independent access to privileged user activity logs without relying on the privileged user for collection.

Netsurion Open XDR monitors privileged-user activity to reduce the risk of insider attacks. It provides a detailed audit trail of privileged-user activity across Microsoft Windows and Active Directory, UNIX and Linux environments, and delivers real-time alerting on suspicious behavior to give immediate visibility into changes that could lead to a breach.

Section 500.09 Risk Assessment

At least annually, each Firm shall conduct a risk assessment of the Firm’s Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and shall be documented in writing.

As part of such policies and procedures, each Firm shall include, at a minimum:

Requirements

  • Criteria for the evaluation and categorization of identified risks.
  • Criteria for the assessment of the Confidentiality, Integrity and Availability of the Firm’s Information Systems, including the adequacy of existing controls in the context of identified risks.
  • Requirements for documentation describing how identified risks will be mitigated or accepted based on the risk assessment, justifying such decisions in light of the risk assessment findings, and assigning accountability for the identified risks.

Netsurion Open XDR supports this requirement by collecting and analyzing all suspicious network activity or activities indicative of cybersecurity risks. Netsurion Open XDR correlation rules provide alerting on events indicative of potential cybersecurity threats or attacks on the network. Netsurion Open XDR investigations, reports, and details provide evidence of cybersecurity events in support of early detection and incident response.

Section 500.10 Cyber Security Personnel and Intelligence

In addition to the requirements set forth in 500.04(a), each Firm shall:

Requirements

  • Employ cybersecurity personnel sufficient to manage the Firm’s cybersecurity risks and to perform the core cybersecurity functions specified in section 500.02(b)(1)-(5);
  • Provide for and require all cybersecurity personnel to attend regular cybersecurity update and training sessions.
  • Require key cybersecurity personnel to take steps to stay abreast of changing cybersecurity threats and countermeasures.
  • A Firm may choose to utilize a qualified third party to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in section 500.11.

Netsurion Open XDR provides qualified cybersecurity personnel to the Covered Entity to perform these services. Our staff receive updates and training to maintain current knowledge. The regulation specifically encourages the use of qualified third parties to meet this requirement.

Section 500.11 Third Party Security Policy

Each Firm shall implement written policies and procedures (Vendor Management Policy and Procedures) designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, third parties doing business with the Firm. Such policies and procedures shall address, at a minimum, the following areas:

Requirements

  • The identification and risk assessment of third parties with access to systems or non-public information
  • Minimum cybersecurity practices required by third parties for them to do business with the firm
  • Due diligence processes to evaluate the adequacy of cybersecurity practices of third parties
  • Periodic assessment (e.g., annually) of third parties and the continued adequacy of their cybersecurity practices.

Netsurion maintains detailed written policies based on a Risk Assessment.

Section 500.13 Limitations on Data Retention


Requirements

As part of its cybersecurity program, each Firm shall include policies and procedures (Data Retention and Destruction Policy) for the timely destruction of any Nonpublic Information identified in 500.01(g)(2)-(4) that is no longer necessary for the provision of the products or services for which such information was provided to the Firm, except where such information is otherwise required to be retained by law or regulation.

The Netsurion Open XDR software solution supports automatic purging of data past its retention setting. This, together with the analyst’s active involvement, assures that data is securely disposed of when it outlives its need.

Section 500.14 Training and Monitoring

Requirements

  • Implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users.
  • Provide for and require all personnel to attend regular cybersecurity awareness training sessions that are updated to reflect risks identified by the Firm in its annual assessment of risks.

Netsurion Open XDR provides support by collecting and analyzing all account management, access granting/revoking, and access/authentication logs.

Netsurion Open XDR correlation rules provide alerting on account authentication failures. Netsurion Open XDR investigations, reports, and details provide evidence of system account management activity (account creation, deletion and modification), access granting/revoking activity, and account access/authentication activity. Lastly, Netsurion Open XDR investigations provide evidence of authorized/unauthorized network access.
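As an added example (not Netsurion code or its rule syntax), the following Python models the three correlation behaviours this document repeatedly cites: a threshold rule over repeated authentication failures, an alert when the audit log itself is cleared or stopped (Section 500.06 and Protective Technology), and an evidence listing of account creation, deletion and modification. The event IDs are the standard Windows Security log IDs; the sample records, accounts and hosts are constructed for this example.

```python
"""Correlation checks over constructed Windows-style security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, host).
# For logon events the account is the target; for management and
# log-clear events it is the subject (who performed the action).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", 4625, "jsmith", "FS01"),   # failed logon
    ("2024-03-01T09:00:09", 4625, "jsmith", "FS01"),
    ("2024-03-01T09:00:14", 4625, "jsmith", "FS01"),
    ("2024-03-01T09:00:20", 4625, "jsmith", "FS01"),
    ("2024-03-01T09:00:25", 4625, "jsmith", "FS01"),
    ("2024-03-01T09:00:31", 4624, "jsmith", "FS01"),   # successful logon
    ("2024-03-01T09:05:00", 4720, "admin01", "DC01"),  # account created
    ("2024-03-01T09:06:10", 4738, "admin01", "DC01"),  # account changed
    ("2024-03-01T09:07:00", 1102, "admin01", "DC01"),  # Security log cleared
    ("2024-03-01T11:00:00", 4625, "mlee", "FS01"),     # isolated failure
    ("2024-03-01T12:00:00", 4726, "admin01", "DC01"),  # account deleted
]

ACCOUNT_MGMT = {4720: "created", 4726: "deleted", 4738: "modified"}
AUDIT_TAMPER = {1102: "Security log cleared",
                1100: "event logging service stopped"}


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Alert once per burst of `threshold` failed logons (4625) for one
    account inside `window`; returns (account, host, first_ts, last_ts)."""
    failures = defaultdict(list)
    alerts = []
    for ts, eid, account, host in sorted(events):
        if eid != 4625:
            continue
        t = datetime.fromisoformat(ts)
        recent = [x for x in failures[account] if t - x <= window]
        recent.append(t)
        failures[account] = recent
        if len(recent) >= threshold:
            alerts.append((account, host, recent[0].isoformat(), ts))
            failures[account] = []  # reset so one burst yields one alert
    return alerts


def audit_tamper_alerts(events):
    """Alert on events that clear or stop the audit log itself."""
    return [(ts, account, host, AUDIT_TAMPER[eid])
            for ts, eid, account, host in events if eid in AUDIT_TAMPER]


def account_management_evidence(events):
    """Evidence list of account creation/deletion/modification for review."""
    return [(ts, account, host, ACCOUNT_MGMT[eid])
            for ts, eid, account, host in events if eid in ACCOUNT_MGMT]


if __name__ == "__main__":
    for a in failed_logon_bursts(SAMPLE_EVENTS):
        print("ALERT auth-failure burst:", a)
    for a in audit_tamper_alerts(SAMPLE_EVENTS):
        print("ALERT audit-log tamper:", a)
    for e in account_management_evidence(SAMPLE_EVENTS):
        print("EVIDENCE account-mgmt:", e)
```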