The New York State Department of Financial Services: The Evolution of a Regulation – Part 2

Image

In part 1 of this series about the proposed regulation promulgated by the New York State Department of Financial Services, the evolution of some of the administrative requirements were explored. The exemptions, appointment of a CISO and the utilization of cyber security personnel all changed from the originally proposed regulation. In this part, some of the technical aspects of the regulations will be examined. One of the first technical requirements is that of annual penetration tests and bi-annual vulnerability scans. The time frame on the original regulation was also for annual pen tests. However, it also called for quarterly vulnerability scans. Another interesting point that runs throughout the entire revised regulation is that many of the requirements are now aligned “in accordance with the Covered Entity’s Risk Assessment.” Much of the revised regulation is influenced by language such as a “periodic” risk assessment that “shall be updated as reasonably necessary.” The original regulation called for an annual risk assessment. One has to wonder if the ISACA group did not have a strong influence in softening the requirement in this revision. Some other language in the regulation that specifies “material” risks and “material” events also signal a strong ISACA organization influence. This is mere inference on my part, but it is somewhat hard to avoid. Another weakened technical aspect that would make most infosec professionals lachrymose is the new multi-factor statements regarding access to non-public information or information systems. The original regulation stated very clearly that multi-factor was required for all remote access, all privileged access to database servers that access non-public information. The new revision not only does away with the requirement for multi-factor authentication but also allows the CISO to approve “in writing the use of reasonably equivalent or more secure access controls.” Multi-factor is one of the best methods to add an extra layer of security for notoriously weak passwords, and with so many excellent and easy-to-implement methods, such as those offered by Yubico and DUO security, it is a shame to see this requirement so diluted. Another part of the revised regulation that was a bit shocking was the relaxed approach to encryption for data in transit and data at rest. The original regulation included strict requirements and time periods for the encryption of data, whereas the revision allows the use of “compensating controls” for encryption as long as the CISO has reviewed and approved those compensating controls. In part one of this series, I mentioned the idea of a CISO-for-hire. Apparently, that lucky designee is going to have a lot of explaining to do. I asked a respected auditing firm what compensating control would be sufficient in place of encryption. I laughed when one of the suggested compensating controls was “encrypting the sensitive data.” One need not study formal logic to recognize the flaw in that statement. One other fascinating technical requirement is the call for the maintenance of a five-year audit trail to reconstruct material financial transactions and a five-year audit trail to detect and respond to Cybersecurity Events. While it is not unusual to maintain financial records for five years as a regulatory requirement, the ability to maintain systems that can reconstruct five-years of transactions sounds like a storage nightmare for all but the largest organizations. I expect to see a change in this requirement in the next iteration of this regulation. In the upcoming final part of this series, I will wrap up some of the other new requirements that are taking shape in this new regulation and why all infosec professionals should be watching the developments of this regulation.   Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.