What is the 23 NYCRR Part 500?

NYDFS released new Cybersecurity Requirements on March 1, 2017, defined under 23 NYCRR Part 500. They apply to licensed lenders, state-chartered banks, trust companies, service contract providers, private bankers, mortgage companies, insurance firms doing business in New York, non-U.S. banks licensed to operate in New York, and many other organizations, all of which must comply with these additional Cybersecurity Requirements.

These NYDFS guidelines focus on a cybersecurity program built around a risk assessment, which determines the practices and policies an entity adopts to mitigate security risks. Identity and access management in the form of Multi-Factor Authentication (MFA), or equivalent measures, is now required by the NYDFS. Specifically, section 500.1 defines MFA as follows:

“Multi-Factor Authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; or (2) Possession factors, such as a token or text message on a mobile phone; or (3) Inherence factors, such as a biometric characteristic.”

Additional sections that are pertinent to effective IAM include:

“Risk-Based Authentication means any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected, such as through the use of challenge questions.”
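As an added illustration of the two definitions quoted above (example code written for this page, not miniOrange's product and not the regulation's text), the snippet below treats MFA as requiring two distinct factor *types* rather than two authenticators, and models risk-based authentication as a comparison of a login attempt against a Person's observed usage pattern that requires additional verification when it deviates. The factor table, the baseline pattern and the login attempts are constructed for illustration.

```python
"""Added example: MFA-by-factor-type check and risk-based step-up, modelled on
23 NYCRR 500.01. All method names, baselines and attempts are constructed."""
from dataclasses import dataclass, field

# The three factor categories named in 500.01. An authenticator counts toward MFA
# only through its category, so two knowledge factors (password + security
# question) are NOT multi-factor. Unknown methods count toward nothing.
FACTOR_TYPE = {
    "password": "knowledge", "security_question": "knowledge", "pin": "knowledge",
    "totp_app": "possession", "sms_otp": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def is_multi_factor(authenticators):
    """True when the presented authenticators span at least two distinct types."""
    types = {FACTOR_TYPE[a] for a in authenticators if a in FACTOR_TYPE}
    return len(types) >= 2

@dataclass
class UsagePattern:
    """Observed 'normal use pattern' of a Person, built from prior successful logins."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # local hours at which logins occurred

def detect_deviations(pattern, attempt):
    """Return the attributes of this attempt that fall outside the baseline."""
    deviations = []
    if attempt["country"] not in pattern.countries:
        deviations.append("country")
    if attempt["device_id"] not in pattern.devices:
        deviations.append("device")
    if attempt["hour"] not in pattern.hours:
        deviations.append("hour")
    return deviations

def decide(pattern, attempt, presented):
    """Deny below two factor types; step up on any deviation; otherwise allow."""
    if not is_multi_factor(presented):
        return "deny: fewer than two factor types"
    deviations = detect_deviations(pattern, attempt)
    if deviations:
        return "step-up: additional verification required (" + ", ".join(deviations) + ")"
    return "allow"

if __name__ == "__main__":
    # Constructed baseline: one laptop, from the US, during office hours.
    baseline = UsagePattern({"US"}, {"laptop-1"}, set(range(8, 19)))
    usual = {"country": "US", "device_id": "laptop-1", "hour": 10}
    odd = {"country": "BR", "device_id": "phone-9", "hour": 3}
    print(decide(baseline, usual, ["password", "totp_app"]))           # allow
    print(decide(baseline, usual, ["password", "security_question"]))  # deny
    print(decide(baseline, odd, ["password", "totp_app"]))             # step-up
```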

NYDFS also describes how each Covered Entity needs to implement and maintain cybersecurity policies. One of the areas explicitly covered as part of the cybersecurity policies relates to access controls and identity management. Covered Entities must prove they have effective IAM measures in place to eliminate or reduce unauthorized access to sensitive information by hackers, phishers, insiders, or third parties.

Under these new NYDFS guidelines, IAM becomes central to protecting large volumes of customer and business information. Implementing MFA, lifecycle management and related controls therefore helps organizations ensure that they comply with them.

Why is 23 NYCRR Part 500 needed?

To prevent data breaches, cybersecurity threats and unauthorized access. These guidelines help organizations secure their environments against a range of cyber threats and protect all types of data.

How can miniOrange help you?

Regulation Requirement | How miniOrange can help

500.02 - Cybersecurity Program, (b)(1) - Covered Entities must identify and assess internal/external cybersecurity risks
  • miniOrange provides detailed data reporting of all the different types of authentications performed across cloud, mobile, web and on-premise applications.
  • miniOrange's system also detects suspicious logins, locations, users, etc. and forces such anomalous events to re-authenticate through multiple methods.

500.03 - Cybersecurity Policy
500.06 - Audit trail, (a)(1) - logging, (a)(2) - a Covered Entity's audit trails must be designed to detect and respond to suspicious cybersecurity events
  • miniOrange provides detailed data reporting of all the different types of authentications performed across cloud, mobile, web and on-premise applications.
  • miniOrange's system also detects suspicious logins, locations, users, etc. and forces such anomalous events to re-authenticate through multiple methods.
  • Admins or super-admins can act on detected suspicious events, for example by prompting for step-up authentication, limiting or revoking access, changing user group membership, and more.

500.07 - Access Privileges - a Covered Entity shall limit user access to Nonpublic Information and shall periodically review such access privileges
  • Sophisticated lifecycle management ensures the permitted level of access to the right applications.
  • Covered Entities can easily set access and entitlement rules based on attributes such as user group membership.
  • miniOrange provides visibility into who has access to which data via simple access governance, which shows all users who have access to specific applications.

500.09 - Risk Assessment by Covered Entities
  • miniOrange provides detailed data reporting of all the different types of authentications performed across cloud, mobile, web and on-premise applications.
  • miniOrange's system also detects suspicious logins, locations, users, etc. and forces such anomalous events to re-authenticate through multiple methods.

500.12 - Multi-Factor Authentication
  • miniOrange provides 15+ MFA methods, including adaptive MFA for intelligent, contextual access based on user location and device attributes.
  • miniOrange's flexible policy framework allows step-up authentication based on risk-based user or device context such as an anomalous location, brute force attempts, etc.
  • miniOrange's flexible and granular policy framework allows different MFA policies for different user types, including admins, users and third parties (contractors, partners, etc.).
  • miniOrange's multiple network zone support allows policies to be defined for access from outside your firm's network.

500.14 - Training and Monitoring - a Covered Entity shall implement risk-based policies, procedures and controls designed to monitor activity, and provide regular cybersecurity awareness training
  • miniOrange's detailed data reporting covers all the different types of authentications performed across cloud, mobile, web and on-premise applications; it also detects suspicious logins, locations, users, etc. and forces such anomalous events to re-authenticate through multiple methods.
  • Anomalous events are surfaced in the syslog and include brute force detections, anomalous login/location/client detections, low-reputation network login detections, and more.

miniOrange provides Identity and Access Management services for managing information such as users, organizations, devices and services, delivered quickly and cost-effectively to its customers.

With miniOrange IAM systems, you do not need to worry about administrative overhead. We provide IAM services that take care of security, administration and access management, so you can focus on your core business.

  • The identity and access management policy, including the responsibilities and accountabilities, should be defined, approved, and implemented.
    • An identity and access management solution that is flexible enough to fit any organization's policy or workflow, according to the customer's requirements and existing setup.
    • Centralized, simple management and synchronization of identities for users, devices, and things. It can integrate with any system and enhance authentication and authorization capabilities with multiple protocols and connectors for web apps, mobile apps, thick-client applications, etc. It is highly flexible and therefore fits almost any use case.
  • Compliance with the identity and access policy should be monitored.
    • miniOrange generates real-time reports (high-level usage summary, per-user summary, user authentication, active usage report, etc.) to monitor user activity across the applications.
    • Logs are saved for monitoring, debugging, recovery, etc. miniOrange can integrate with your SIEM tools for real-time monitoring of the organization's information security systems.
  • The effectiveness of the cybersecurity controls within the identity and access management policy should be measured and periodically evaluated.
    • All users are given controlled access to the applications with the help of multi-factor authentication during Single Sign-On. miniOrange provides multiple parameters for adaptive authentication, such as restrictions based on IP, device, location and time, so that a user is properly evaluated before access is granted.
    • The administrator can receive updates and alerts for any change in a user's behavior.
    • You can create multiple groups for different levels of users and set access policies per group. Any new user can be added to the appropriate group and is then provisioned to the applications allowed for that group.
    • Any inappropriate access can be revoked at any time.
  • The identity and access management policy should include:
    • business requirements for access control (i.e., need-to-have and need-to-know);
      • You can create user/group access policies for your applications based on the role and requirements of each user/group.
      • Users can access their respective applications with one click from the miniOrange dashboard without having to log in every time.
    • user access management (e.g., joiners, movers, leavers);
      • Users can be added to the system with any of the following methods:
        • Manual addition of users/vendors.
        • Bulk upload of users and groups using the CSV upload method.
        • Connect to your existing identity provider (e.g. Okta, OneLogin, Keycloak, ADFS, etc.).
        • Connect to AD/LDAP.
        • Use your existing database as an identity store (MySQL, MS-SQL, etc.).
        • Provision your users through your HR management system.
      • To streamline the assignment and management of user access rights, miniOrange provides an automated user access management system. This saves time and lets administrators act quickly on security breaches and prevent improper user activity.
    • centralization of the identity and access management function;
      • Provisioning and deprovisioning are handled in one place using a centralized identity and access management system. IT resources are centrally controlled with miniOrange IAM services, and users can access all apps and tools from a single dashboard with the convenience of single sign-on.
    • multi-factor authentication for sensitive and critical systems and profiles;
      • miniOrange provides 15+ authentication methods and solutions for various use cases. This additional layer keeps unauthorized persons away from resources even if they know your username and password, thus protecting sensitive and critical information.
    • privileged and remote access management, which should address:
      • the allocation and restricted use of privileged and remote access, specifying:
        • multi-factor authentication should be used for all remote access;
          • MFA provides an extra layer of security for remote access. MFA for remote access prevents unauthorized individuals from accessing critical data while also improving the organization's overall security posture.
        • multi-factor authentication should be used for privileged access on critical systems based on a risk assessment;
          • miniOrange provides multi-factor authentication for privileged access. This secures your repositories, logs and administrator accounts by ensuring that only authorized workers have access to your privileged account passwords.
