Achieve NYDFS Compliance

How cybersecurity asset management addresses the recent regulatory updates

On November 1, 2023, the New York State Department of Financial Services (NYDFS) introduced an update to its cybersecurity regulations (officially called "23 NYCRR 500" and occasionally simply referred to as the "NYDFS Cybersecurity Regulations"). The purpose of this regulation, which was first published in 2017, is to enhance cyber governance, mitigate risks, and protect New York businesses and consumers from cyber threats. In 2023 it was updated to add requirements around vulnerability management, asset management, and business continuity and disaster recovery planning along with other adjustments to the original regulations.

The regulations apply to “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” They can also apply to third-party service providers who offer services to those organizations, depending on the nature of the relationship.

A copy of the updates to the regulations is available here.

What is Cybersecurity Asset Management?

The primary goal of cybersecurity asset management is to gain a comprehensive understanding of an organization's digital assets to improve security and reduce risk. Effective cybersecurity asset management solutions enhance an organization's overall cybersecurity posture by providing a solid foundation for risk assessment, vulnerability management, access control, and incident response. It helps organizations make informed decisions about resource allocation and prioritization, ultimately contributing to better security operations.

Key components of a cybersecurity asset management solution include:

  • Asset Discovery and Inventory: Cybersecurity asset management solutions are designed to automatically discover and inventory all the assets within your organization's network. This includes computers, servers, routers, switches, mobile devices, and other IT assets. These solutions use methods such as network sensor-based data collection to identify and catalog assets as well as to map the dependencies between assets and between assets and critical business functions.

  • Critical Business Function Identification: Cybersecurity asset management solutions use AI and data science to identify critical business functions. These functions are the core activities that keep an organization running smoothly and generate revenue. Identifying and prioritizing critical business functions is crucial for building cyber resilience, allocating security and IT resources, and developing effective business continuity and disaster recovery plans.

  • Real-Time Monitoring: Cybersecurity asset management solutions provide real-time monitoring of assets on your network. Continuously monitoring and tracking assets allows your organization to detect changes or anomalies in its IT environment, aiding in the early identification of potential security incidents.

  • Incident Response: In the event of a cybersecurity incident, cybersecurity asset management provides a foundation for incident response teams to quickly identify affected assets and take appropriate action to contain and mitigate the incident.

  • Compliance and Audit: Effective cybersecurity asset management is essential to prove that security policies and compliance requirements are met. Maintaining an accurate inventory of assets is often required to comply with regulatory requirements and for audit purposes. Additionally, understanding the location of sensitive data and its interaction with various assets is essential for data protection and compliance with data privacy regulations.

  • Vulnerability Management: Vulnerability scanning tools identify and assess vulnerabilities present in your organization's environment. This includes software vulnerabilities, misconfigurations, and other weaknesses that could be exploited by attackers. Cybersecurity asset management allows security teams to focus on addressing the most critical issues first by prioritizing vulnerable assets. It does this by evaluating an asset’s connection to critical business functions and its dependencies with other assets.

  • Business Continuity and Disaster Recovery: Understanding the full scope of your organization's digital assets allows for effective risk assessment and is integral to developing robust continuity and recovery strategies, ensuring that essential assets are prioritized, protected, and efficiently restored in the event of a cybersecurity incident or disaster.

  • Risk Management: Accurate and constantly updated asset information, including known vulnerabilities and dependencies, enables your organization to assess potential risks associated with specific assets. You can prioritize security efforts, allocate resources effectively, and implement targeted measures to mitigate risks, enhancing your overall cybersecurity resilience.

Effective cybersecurity asset management enhances an organization's overall cybersecurity posture by providing a solid foundation for risk management, vulnerability management, and incident response. It helps organizations make informed decisions about resource allocation and prioritization, ultimately contributing to better security and more efficient IT operations.

NYDFS’ Recently Updated Requirements and How Cybersecurity Asset Management Addresses Them

Asset Management

Added in the 2023 revision of the NYDFS cybersecurity regulations is the requirement “to produce and maintain a complete, accurate and documented asset inventory of the covered entity’s information systems. The asset inventory shall be maintained in accordance with written policies and procedures.”

The core of cybersecurity asset management is to gain a comprehensive understanding of an organization's digital assets to improve security, reduce risks, and ensure efficient IT operations. Having a centralized understanding of your most important assets, whether internal or external, as well as a real-time understanding of what they depend on or what depends on them, is a critical foundation for accurate planning, as well as for maintaining your cybersecurity compliance.

Cybersecurity asset management solutions are designed to automatically discover and inventory all the assets within your organization's network. These solutions use network sensor-based data collection to identify and catalog assets. They also map the dependencies between assets as well as those between assets and critical business functions.

In addition to asset management, cybersecurity asset management solutions use AI and data science to identify critical business functions and their associated assets and dependencies. Identifying and prioritizing critical business functions allows you to enhance your asset inventory, making it an even more effective tool for building cyber resilience, allocating security and IT resources, and developing effective business continuity and disaster recovery plans.

Vulnerability Management

While vulnerability assessments were already required under the previous version of the NYDFS cybersecurity regulations, in 2023 the guidelines and requirements around vulnerability management were expanded. Most notably:

“These policies and procedures shall be designed to ensure that covered entities: (a) conduct, at a minimum: [...] (2) automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes[.]” (Emphasis added.)

This matters because, to comply with this section of the regulations, you need not only a comprehensive inventory of all the assets in your environment but also to know which assets your vulnerability management solution can and cannot scan.

Cybersecurity asset management solutions use software sensors placed in your network to capture communications data and use it to create a map of your connected network infrastructure, including cloud, on-premises, and container-based assets. This gives you complete visibility into the true extent of your environment. You can then use this information to keep track of which assets are covered by your current vulnerability management solution and which you will need to perform a manual review on. It will allow you to plan and scope out the effort required to comply with the new regulations.

Having a comprehensive asset inventory also allows you to accurately evaluate different vulnerability management solutions and choose the one that best suits your specific needs, potentially minimizing the amount of manual effort required to comply with NYDFS requirements.

Another section of the vulnerability management requirements addresses the need to “(c) timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity.” (Emphasis added.)

Vulnerability management solutions commonly assign a risk score to each identified vulnerability based on factors such as its severity, potential impact, and likelihood of exploitation. This helps you prioritize which vulnerabilities need to be addressed more urgently. However, legacy vulnerability management solutions don’t take into account your critical business functions and which systems and assets are needed for the continued functioning of those critical functions.

Cybersecurity asset management complements vulnerability management solutions by providing additional visibility and context that allow security teams to focus on addressing the most critical issues first. It does this by prioritizing vulnerable assets based on their connection to critical business functions, their interdependencies with other assets, as well as their connection to third-party vendors and contractors.
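The two checks described in this section, finding assets outside automated scan coverage and ranking findings by their connection to critical business functions, are sketched below as an added example; it is not code from Redjack or from the regulation. All asset names, finding ids, the dependency map and the criticality multiplier are constructed assumptions.

```python
from collections import deque

# Constructed sample data (hypothetical names, not from any real environment).
INVENTORY = {"web-01", "app-01", "db-01", "hsm-01", "printer-07", "vendor-gw"}
SCANNER_COVERED = {"web-01", "app-01", "db-01", "printer-07"}
# DEPENDS_ON[a] = assets that a needs in order to work.
DEPENDS_ON = {
    "web-01": {"app-01"},
    "app-01": {"db-01", "hsm-01"},
    "vendor-gw": {"app-01"},
}
# Critical business function -> entry-point assets (assumed mapping).
CRITICAL_FUNCTIONS = {"payments": {"web-01"}}
# (asset, finding id, scanner severity 0-10); ids are placeholders.
FINDINGS = [
    ("printer-07", "FINDING-A", 9.8),
    ("db-01", "FINDING-B", 7.5),
    ("web-01", "FINDING-C", 5.3),
]

def manual_review_set(inventory, covered):
    """Assets the automated scans do not reach; these need manual review."""
    return sorted(inventory - covered)

def supporting_assets(entry_points, depends_on):
    """Entry points plus everything they transitively depend on (BFS)."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for dep in depends_on.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def prioritize(findings, critical_functions, depends_on, weight=2.0):
    """Rank findings by severity, boosted when the asset supports a critical
    function. The multiplier is an illustrative assumption, not a formula
    taken from the regulation."""
    critical = set()
    for entry_points in critical_functions.values():
        critical |= supporting_assets(entry_points, depends_on)
    scored = [(sev * (weight if asset in critical else 1.0), asset, fid)
              for asset, fid, sev in findings]
    return sorted(scored, reverse=True)

if __name__ == "__main__":
    print("Manual review:", manual_review_set(INVENTORY, SCANNER_COVERED))
    for score, asset, fid in prioritize(FINDINGS, CRITICAL_FUNCTIONS, DEPENDS_ON):
        print(f"{score:5.1f}  {asset:<10}  {fid}")
```

In the sample data, hsm-01 is both outside scanner coverage and on the dependency path of the payments function, so it is the manual review to schedule first. The severity 9.8 finding on printer-07 ranks last because that asset supports no critical function.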

Business Continuity & Disaster Recovery Plan

A new addition to the NYDFS cybersecurity regulations is the requirement that organizations have a business continuity and disaster recovery (BCDR) plan as part of their wider incident response plan.

“BCDR plans shall be reasonably designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities.” Additionally, “(d) Each covered entity shall periodically, but at a minimum annually, test its: (1) incident response and BCDR plans with all staff and management critical to the response, and shall revise the plan as necessary; and (2) ability to restore its critical data and information systems from backups.”

Organizations are highly dependent on their data and IT systems to function effectively, and the consequences of a disruption can be severe. Business continuity and disaster recovery (BCDR) planning is a specialized application of risk management that specifically addresses the risks related to disruptions, whether due to natural disasters, cyberattacks, or other incidents. Its goal is to ensure that organizations can continue to function in the face of unexpected disruptions.

BCDR planning is not easy, however. When BCDR plans fail it is often because the plan has not been dynamically updated to ensure that it aligns with evolving business processes. Changes in business operations, technology, or external factors can render an existing plan obsolete. If BCDR plans are not regularly updated and tested, organizations may only discover critical flaws or outdated information during an actual crisis, leading to ineffective response and recovery attempts.

Cybersecurity asset management significantly improves BCDR planning through several key mechanisms:

Reducing and Mitigating Risk

Cybersecurity asset management provides complete visibility into your entire IT environment. It continuously monitors and assesses all points where your organization's assets are exposed to potential cyber threats. Cybersecurity asset management also provides visibility into your third-party risks by identifying the third-party assets that are connected to your environment and which ones are connected to your critical business functions.

Enhancing Resilience

Cybersecurity asset management helps organizations build a more resilient infrastructure. By identifying critical business functions, the assets they depend on, dependencies between assets, and potential points of failure, cybersecurity teams can develop and implement strategies to ensure that key functions remain operational during and after a cyber incident, contributing to overall business continuity.

Optimizing Incident Response

In the event of an incident, cybersecurity asset management provides real-time visibility into your entire IT infrastructure, allowing your incident response team to quickly identify affected assets and assess the impact on critical business functions. This allows teams to prioritize incident response efforts, quickly and efficiently containing the incident and minimizing downtime.

Business Impact Analysis

Cybersecurity asset management helps your organization conduct a comprehensive business impact analysis by helping you identify your critical business functions and the associated assets that support those functions. This analysis informs disaster recovery plans, allowing your organization to prioritize resources and efforts based on asset criticality and their contribution to business continuity.

Proactive Planning

By continuously monitoring changes in the attack surface, including new assets and vulnerabilities, cybersecurity asset management enables your organization to proactively update and refine its BCDR plans. This proactive approach ensures that plans remain effective and aligned with the evolving threat landscape.

Overall, cybersecurity asset management contributes to business continuity and disaster recovery planning by reducing risks, enhancing resilience, optimizing incident response, conducting impact analysis, enabling proactive planning, and supporting regulatory compliance efforts.

Conclusion

The recent update to the NYDFS cybersecurity regulations underscores the evolving landscape of digital security. The amendments place a spotlight on crucial areas such as vulnerability management, asset inventory, and business continuity and disaster recovery planning. The emphasis on automated scans and comprehensive asset documentation reflects a growing need for proactive cybersecurity measures. The integration of real-time asset visibility and dynamic mapping into security practices is pivotal for effective risk mitigation. As organizations adapt to these changes, they must prioritize not only compliance but also the resilience and adaptability of their cybersecurity plans to safeguard against evolving cyber threats and disruptions.

About Redjack

Redjack delivers total asset and dependency visibility and AI-powered business insights for cyber resilience. The Redjack platform provides you with evidence-based, unbiased visibility into your organization's IT assets and connections that allows you to prioritize vulnerabilities, accurately evaluate risk, and build effective BCDR and cyber resilience plans.

For over five years Redjack has been successfully implemented in some of the world's largest corporations and government agencies, helping them achieve genuine cyber resilience.

 