Ready for the New Global NY DFS Cyber Security Requirements?

January 25, 2017

The new NY DFS cyber security regulation, Rule 23 NYCRR 500, takes effect March 1, 2017 and is the first such regulation proposed by a state-level entity in the nation. The new regulation requires cyber security protections that include:

• Cyber security policy (Section 500.3 (a)(7))
• Audit trail (Section 500.06 (a)(2))
• Access privileges (Section 500.07)
• Third-party access controls (Section 500.11 (b)(1))
• Multi-factor authentication (Section 500.12 (b))
• Training and monitoring (Section 500.14 (a)(1))
• Encryption of nonpublic information (Section 500.15 (a)(1))

These regulations will require financial institutions and insurance companies of a certain size to establish and maintain a cyber security program to protect consumers and ensure the safety of those regulated by the Department of Financial Services (DFS). Third-party vendors that do business with entities covered by the DFS regulations will also be required to comply with the standard (as part of the primary company’s vendor due diligence program).

How a Software-Defined Perimeter Addresses the Requirements

A Software-Defined Perimeter ensures that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to being able to access any resources on the network. All unauthorized network resources are made inaccessible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.

A Software-Defined Perimeter overcomes the constraints of traditional tools by effectively creating a dynamic, individualized perimeter for each user – a network ‘segment of one’.

Cryptzone’s Software-Defined Perimeter Solution

Cryptzone’s AppGate Software-Defined Perimeter (SDP) solution addresses many of the new NY DFS Rule 23 NYCRR 500 requirements:

  • Risk-Based Authentication: In addition to Multi-Factor Authentication, AppGate uses a Risk-Based Authentication (RBA) model, using real-time condition checking to discover changes in user and device attributes, and requiring reauthentication if anomalies or changes are detected. Most traditional user and network access control (NAC) tools do not have RBA as part of their core abilities, while it is a primary tenet of AppGate’s authentication model.
  • Granular Access Control: AppGate can be configured to provide granular access control to nonpublic information networks and resources. Even system administrators can be prohibited from accessing certain resources without a trouble ticket or escalated authorization.
  • Auditing and Logging: All events managed by AppGate are logged. These logs can be monitored within AppGate, or exported to any enterprise SIEM solution for event correlation and management. These logs can also be used to generate audit evidence of compliance, using the AppGate reporting tool or a third-party reporting system.
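The risk-based model described above (re-checking user and device attributes on every request, forcing reauthentication when they drift, and logging each decision for a SIEM) can be sketched as a small policy engine. This is an added illustrative example, not AppGate's or Cryptzone's code; the attribute names, the 12-hour MFA window and the required-posture rule are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Attributes whose change since authentication forces a fresh login
# (constructed set; a real policy would be configured per resource).
REAUTH_ON_CHANGE = {"os_version", "disk_encrypted", "source_network"}
# Posture a device must hold at every request, otherwise access is denied.
REQUIRED_POSTURE = {"disk_encrypted": True}
# Assumption: how long a completed MFA challenge stays valid.
MFA_MAX_AGE = timedelta(hours=12)

@dataclass
class Session:
    user: str
    posture: dict                 # user/device attributes captured at login
    mfa_at: datetime              # when MFA last succeeded
    audit: list = field(default_factory=list)

def evaluate(session: Session, current: dict, now: datetime) -> str:
    """Re-check one access request against the session's baseline.
    Returns 'allow', 'reauth' or 'deny' and records the decision."""
    reasons = []
    decision = "allow"
    # Hard requirements: a failing posture check denies outright.
    for key, required in REQUIRED_POSTURE.items():
        if current.get(key) != required:
            reasons.append(f"posture:{key}={current.get(key)!r}")
            decision = "deny"
    # Drift in watched attributes or an aged MFA forces reauthentication.
    if decision != "deny":
        changed = sorted(k for k in REAUTH_ON_CHANGE
                         if current.get(k) != session.posture.get(k))
        if changed:
            reasons.append("changed:" + ",".join(changed))
            decision = "reauth"
        if now - session.mfa_at > MFA_MAX_AGE:
            reasons.append("mfa_expired")
            decision = "reauth"
    # Every decision is logged so it can feed a SIEM or an audit report.
    session.audit.append({"ts": now.isoformat(), "user": session.user,
                          "decision": decision, "reasons": reasons})
    return decision

def reauthenticate(session: Session, current: dict, now: datetime) -> None:
    """After a successful fresh MFA, adopt the new attributes as baseline."""
    session.posture = dict(current)
    session.mfa_at = now
```

A real deployment would evaluate these checks on the gateway for every connection, not only at login, which is what turns a static perimeter into the per-user "segment of one" the post describes.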

Cryptzone can apply the user-centric, policy-based security controls necessary to meet these new requirements uniformly across traditional, cloud or hybrid environments – removing variability, complexity and costs associated with today’s point solutions.

NY DFS Cyber Security Regulation – AppGate Specific Mapping

AppGate addresses seven of the requirements on cyber security policy, audit trails, access privileges, third-party service provider security policy, multi-factor authentication, training and monitoring and encryption of nonpublic information.

For a breakdown of how AppGate’s Software-Defined Perimeter maps to these requirements click here.

You have less than two months – don’t go it alone.


Leo Taddeo
Chief Security Officer

Leo Taddeo is the Chief Security Officer (CSO) for Cryptzone, a provider of dynamic, context-aware network, application and content security solutions. Taddeo, former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office, is responsible for analyzing the cybersecurity market to help shape Cryptzone’s vision for security solutions. Taddeo provides deep domain insight into the techniques, tactics and procedures used by cybercriminals, to help Cryptzone continue to develop disruptive solutions that enable customers to defend against advanced threats and breaches.

Prior to Cryptzone, Taddeo led more than 400 agents and professional support staff in cyber investigations, surveillance operations, information technology support and crisis management for the FBI. He oversaw high profile cases, including Silk Road, Blackshades and JP Morgan.

Previously, Taddeo served as a Section Chief in the International Operations Division, where he managed FBI operations in Africa, Asia and the Middle East. Taddeo has held various roles of increasing responsibilities in the field, including supervising a joint FBI/New York City Police Department Joint Terrorism Task Force and serving as the Legal Attaché in Rome, Italy.

After receiving his degree in applied physics from Rensselaer Polytechnic Institute in 1987, Taddeo served as a tank officer in the U.S. Marine Corps. In 1991, he was awarded a Purple Heart and Bronze Star Medal for valor for service in the Gulf War. Taddeo then earned a Juris Doctor from St. John’s University and joined the New York law firm of Mound, Cotton & Wollan, where he practiced civil litigation until entering the FBI.

Taddeo is a graduate of the CISO Executive Program at Carnegie Mellon University. He also maintains the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler certifications.
