17 Elk Street - Suite 3 - Albany, New York 12207
518.915.1661 – www.naifanys.org –
MODEL POLICY TO HELP COMPLY WITH NYS DEPT. OF FINANCIAL SERVICES
CYBERSECURITY REGULATION (23 NYCRR Part 500)
I. Information Security
Purpose: This policy establishes the high-level Information Security Policy for ensuring the protection of information and information systems used to support ______[insert company name] (“our company”).
Scope: This policy applies to all information technology resources owned or operated by our company. Any information that is transmitted or stored on our IT system (including email, messages, and files) is the property of our company, unless documented in writing. All users (employees, contractors, vendors or others) of our IT resources are responsible for adhering to this policy.
Policy: This Information Security Policy serves to be consistent with industry best practices as articulated by the National Institute of Standards and Technology (NIST).
II. Asset Inventory and Device Management
We will continuously maintain a proper inventory of all of the information in our information system. This policy establishes the criteria for complying with regulations regarding the security of data as it resides on our network, desktops, and all devices of our company. This policy also establishes requirements to ensure that all systems are inventoried for security control purposes and to assist with other requirements of the organization.
Each business unit will be responsible for inventory of all information assets and devices. The following requirements must be followed by all business units:
• Continually assess and maintain an inventory of all information assets
• Classify all information and data assets in terms of sensitivity and the potential impact on the organization if the asset becomes unavailable or compromised
• Classify each asset at the highest level of any data located on it or traversing through it
• Use classifications for security control decisions, including access control and authorization, risk assessment, and application development (see the respective sections, below)
• Specify procedures for accessing, processing, maintaining, storing, protecting, and/or destroying information/data. When required, this will be followed in compliance with the Data Governance and Classification Policy (see below).
III. Data Governance and Classification
This policy establishes the requirements that our company will use to build protocols to manage all information on our system.
All data governance and classification actions must be initiated by a Senior Executive who will make a written directive requiring that information assets are classified and maintained in accordance with a specific protocol. It is the requirement of the business unit, upon receipt of the written directive, to classify and identify the specific protocol with which the data will be governed.
Data Life Cycle Management: Data has a life cycle of its own and is created, maintained, and destroyed. Data may be retained based on the type of information that it represents. Information that has been classified is required to meet the data retention periods as directed by the business requirements, or in compliance with federal and state laws and regulations. Data destruction will similarly be conducted in compliance with the above, and in accordance with NIST Special Publication (SP) 800-88 “Guidelines for Media Sanitization”, whenever possible.
Data Security and Privacy: Data security and privacy are the controls required to protect types of information and ensure that they are viewed under the principle of “Least Privilege”. Data security and privacy is required when specific types of data are in need of protection as directed by the business requirements, or in compliance with federal and state laws and regulations.
Metadata Management: Data creates “Metadata” that helps identify and define the data connected to it, whether or not that data is accessible on its own. The metadata will be reviewed to ensure that it is handled according to the business requirements, or in compliance with federal and state laws and regulations.
Regulatory Compliance: Data that falls under existing data governance requirements (federal, state, or other laws and regulations) will be handled in compliance with those requirements.
Classification Definitions: Our company has selected the following terms to help define data or metadata:
· Confidential: Any data that is protected by federal, state, or other regulation and that if released inappropriately would have adverse harm on our company affiliates, customers, or any other party
· Restricted: Data not protected under law or regulation, but that would have an adverse harm on our company, its affiliates, customers, or any other party if it were released. This definition might also extend, at the direction of a Senior Executive, to information that is still being evaluated for classification.
· Public: Information that, at the discretion of the business unit or direction of a Senior Executive, can be shared publicly.
It is the responsibility of all business units to ensure that all employees, vendors, third parties, and others fully understand how our company’s data is classified and how that impacts the way it is handled.
IV. Access Controls and Identity Management
This policy establishes the Access Control Policy, for managing risks within account management. The Access Control Policy provides guidance for both technical and organizational controls related to account management.
Our company has chosen to adopt the access control principles established in NIST SP 800-53 “Access Control,” Control Family guidelines as the official policy for this domain. The following subsections outline the access control standards that constitute our policy. Where the below policy does not cover a specific topic related to the purpose listed above, the NIST SP 800-53 “Access Control” will be consulted.
· Access Control Procedures: All business units must develop, adopt or adhere to a formal, documented access control procedure.
· Account Management: All business units must:
o Identify account types (i.e., individual, group, system, application, guest/anonymous, and temporary)
o Establish definitions and requirements for each type of account
o Identify authorized users of specific information assets
o Require appropriate written approvals for requests to establish accounts
o Establish, activate, modify, disable, and remove accounts
o Specifically authorize and monitor the use of guest and temporary accounts
o Deactivate temporary accounts when they are no longer required
o Ensure that the accounts of terminated or transferred users occur in a timely fashion
o Review accounts on a periodic basis
o Separation of Duties
§ All business units must implement the separation of duties where possible and as necessary. This should be documented and in accordance with other policies (such as Data Governance and/or other policies).
o Privilege
§ All business units must employ the concept of least privilege where information is only shared as needed to fulfill a task.
o Remote access must be documented and monitored.
o Publicly Accessible Content
§ All business units must:
· Designate individuals authorized to post information onto systems that are publicly accessible and that the business unit has a business need to post information on
· Review the content on publicly accessible systems that the business unit has a business need to post to for nonpublic information
· Remove nonpublic information from publicly accessible systems that the business unit has a business need to post to, if discovered
V. Business Continuity and Disaster Recovery Planning and Resources
This policy establishes the Enterprise Contingency Planning Policy for managing risks from information asset disruptions, failures, and disasters through the establishment of an effective contingency planning program. The contingency planning program helps implement security best practices with regard to business continuity and disaster recovery.
Our company has chosen to adopt the Contingency Planning principles established in NIST SP 800-34 “Contingency Planning Guide for Federal Information Systems” as the official policy for this domain. The following subsections outline the Contingency Planning standards that constitute our policy. Where the below policy does not cover a specific topic related to the purpose above, NIST SP 800-34 will be consulted.
Contingency Plan: All business units must develop a contingency plan for company information assets that:
· Identifies essential missions and business functions and associated contingency requirements
· Provides recovery objectives, restoration priorities, and metrics
· Addresses contingency roles, responsibilities, and assigned individuals with contact information
· Addresses maintaining essential missions and business functions despite an information asset disruption, compromise, or failure
· Addresses full information asset restoration without deterioration of the security measures originally in place
· Is reviewed and approved by designated officials within the organization
· Coordinates contingency planning activities with incident handling activities
· Reviews the contingency plan on an annual basis and makes changes as required
Contingency Training: All business units must train personnel in their contingency roles and responsibilities with respect to the information assets and provide refresher training on an annual basis.
Contingency Plan Testing and Exercises: All business units must test and/or exercise the contingency plan for information assets annually to determine the plan’s effectiveness and the organization’s readiness to execute the plan.
Alternate Storage Site: All business units must establish an alternate storage site including necessary agreements to permit the storage and recovery of information asset backup information. Additionally, an alternate processing site, including necessary agreements to permit the resumption of information asset operations for essential missions and business functions within defined recovery times, must be established.
VI. Systems Operations and Availability Concerns
This policy establishes the Enterprise System and Information Integrity Policy for managing risks from system flaws/vulnerabilities. The System and Information Integrity program helps implement security best practices with regard to system configuration, security, and error handling.
Our company has chosen to adopt the System and Information Integrity principles established in NIST SP 800-53 “System and Information Integrity” Control Family guidelines as the official policy for this domain. Where the below policy does not cover a specific topic related to the purpose above, NIST SP 800-53 “System and Information Integrity” will be consulted.
System and Information Integrity Procedures: All business units must develop, adopt, or adhere to a formal, documented system and information integrity procedures.
Flaw Remediation and Updates: All business units must identify, report, and correct information system flaws. When implementing updates, all business units must test software updates related to flaw remediation for effectiveness and potential side effects on organizational information assets before installation.
Software and Information Integrity: All business units must detect unauthorized changes to software within their information asset in a timely fashion.
Security Functionality Verification: All business units must verify the correct operation of security functions on an annual basis and identify when anomalies are discovered to ensure timely corrective action.
General guidance: In general, the business units should consider the following input and error handling:
· Information Input Restrictions: All applications must allow only authorized personnel to input data into the information asset.
· Information Input Validation: All applications must check the validity of information inputs for company information assets.
· Error Handling: All applications must handle errors by:
o Identifying potential security-relevant error conditions (stack overflow, etc.)
o Generate error messages that provide information necessary for corrective actions without revealing company-sensitive information in error logs and administrative messages that could be exploited by adversaries
o Reveal error messages only to authorized personnel
VII. Systems and Network Security
The policy’s goal is to minimize the potential for unauthorized access to the network, loss of sensitive or confidential information, and/or damage to our systems and information assets.
The following requirements provide a policy for securing the network:
· A baseline network configuration shall be created for the network and will be maintained by the business unit.
· Changes to any network device’s hardware, software, or operating environment, such as patches, shall be tested, applied and documented in accordance with best practice change management protocols.
· Any wireless device or wireless computer system connected to the network shall be configured to protect the information transmitted according to the classification of the data traversing it, with security controls instituted at the highest level relative to any of the data that traverses it.
· Any wireless device or wireless computer system connected to the network shall be configured so that it does not reveal information about the device or system, or about the network architecture, except to identify the SSID or network by name.
· All servers in the networks shall be assessed for hardening requirements and configured appropriately.
· All connections of our network to external networks must be, at a minimum, behind a firewall. Demilitarized Zone (DMZ) networks require firewalls to protect their hosts from direct outside attacks, and their connections to other internal networks must also have firewall protection.
· Administrative access from a public or uncontrolled network to our network shall not be permitted unless such access has been approved by a Senior Executive in writing.
· All access control devices shall be limited to the least access necessary in order to meet the business requirements of the service, whenever technically possible.
· Network monitors and audit controls should be used, especially in known risk areas, to check the network and traffic for unexpected (i.e. suspicious) content or behavior and other anomalies.
· Malware (viruses, worms, etc.) protection tools (firewall, Intrusion Detection System, etc.) shall be employed at network entry and exit points and at workstations, servers, or mobile computing devices (e.g., email, removable media, and malicious websites) to detect and eradicate malware.
· Malware protection tools will be updated whenever new releases are available in accordance with System Operations and Availability Policy.
VIII. Systems and Network Monitoring
The purpose of the System and Network Monitoring Policy is to inform all users of the network of the monitoring that occurs and of how the data derived from that monitoring is handled.
In order to protect information assets and data, our company utilizes tools that log activity on the network. Information assets often create logs, which are records of activity. These assets may include anti-virus software, firewalls, intrusion detection systems, vulnerability management systems, and database and application monitoring systems. Other network traffic may be logged as necessary for troubleshooting and resolution of network issues. This information may be centrally correlated for analysis.