23 NYCRR 500: Cybersecurity Requirements For Financial Services Companies

23 NYCRR 500 is coming soon. As in, January 1, 2017. So, get ready.

Officially known as “Cybersecurity Requirements For Financial Services Companies”, 23 NYCRR 500 is a new set of security regulations being promulgated by the New York Department of Financial Services (DFS). DFS developed 23 NYCRR 500 out of concern that financial firms are facing increased cyber threats today. The regulations, which offer “regulatory minimum standards,” are intended to foster the creation of effective cybersecurity programs in the financial sector.

The goal is to protect customer information by securing the IT assets of regulated entities. Each financial firm must assess its risk profile and design a program that mitigates the most serious risks. 23 NYCRR 500 stays away from prescriptive advice. It’s not a cookbook. Rather, it provides guidelines for senior management.

The new rules affect virtually every aspect of security at financial firms: NYCRR 500 covers the creation (or updating) of a firm’s cybersecurity program. They offer guidance on establishing cybersecurity policy and clarify the role of the CISO. Sub-sections of the rules discuss steps financial firms should take regarding penetration testing and vulnerability assessments, audit trails, access privileges, application security and much more.

At the root of all this is one of the basic issues faced in any serious security program, namely “Who is allowed to do what?” And, by extension, how can the organization know who did what, when and where? This is the domain of privileged access management (PAM), which is the work of controlling the people with administrative access to critical systems. A PAM solution consists of software that provides a secure, streamlined way to authorize and monitor all privileged users for all relevant systems.

Managing Access Privileges for 23 NYCRR 500

PAM is specifically called out in 23 NYCRR 500. Section 500.07 of the rules, “Access Privileges,” describes how an entity needs to, “limit access privileges to Information Systems that provide access to Nonpublic information solely to those individuals who require access to such systems in order to perform their responsibilities and shall periodically review such access privileges.”

A privileged user affected by Section 500.07 might be an admin who can set up, modify or delete the systemic rights of firm employees who manage other peoples’ money.

A PAM solution enables a regulated financial firm to comply with Section 500.07 in the following ways:

• Grant privileges to users only for systems on which they are authorized, i.e. “…limit access privileges to Information Systems that provide access to Nonpublic Information solely to those individuals who require access to such systems...”
• Grant access only when it’s needed and revoke access when the need expires, i.e. “[users] who require access to such systems in order to perform their responsibilities…”
• Create an unalterable audit trail for any privileged operation, i.e. “…periodically review such access privileges.”

PAM and the Broader Set of 23 NYCRR 500 Rules

• Management of privileged users is also referenced in other sub-sections of the new rules. These include: 500.02 (b)(2), which covers the implementation of policies and procedures to protect information systems from, “unauthorized access, use or other malicious acts.”
• Section 500.03, Cybersecurity Policy, directs financial firms to establish policies that address “access controls and identity management.”
• Section 500.06, covers the audit trail and includes a direction to, “track and maintain data logging of all privileged Authorized user access to critical systems.”

All of these requirements are best met through the use of an advanced PAM solution.

How PAM Solutions Work

Privileged Access Management solutions centrally and quickly manage access over a disparate set of heterogeneous systems. They vary in design, but most include the following components working together:

• Access Manager – Governs access to privileged accounts as a single point of policy definition and enforcement. Privileged users request access to a financial system through the Access Manager. The Access Manager knows which systems the user can access and at what level of privilege. A super admin can add/modify/delete privileged user accounts on the Access Manager. This approach reduces the risk that a former employee will retain access to a critical system. (This situation has occurred in several notable financial industry data breaches and control failures.)

• Password Vault – Prevents privileged users from knowing the actual passwords to critical systems. This prevents a manual override on a physical device, for example. Instead, the PAM system keeps these password in a secure vault and opens access to a system for the privileged user once he has cleared the Access Manager. (Again, several major control failures in banking can be traced to this kind of password override.)

• Session Manager – Access control is not enough. Financial firm admins and auditors need to know what a privileged user actually did during an administrative session. A Session Manager tracks actions taken during a privileged account session. Advanced session managers like WALLIX’s not only keep a unimpeachable audit trail of what privileged users do, but they can control their actions and automatically prevent unauthorized usage and/or send alerts to security personnel if certain forbidden actions are attempted.

WALLIX for Privileged Access Management in in the Financial Sector

WALLIX’s bastion solution WALLIX ADMINBASTION (WAB) Suite establishes the kind of pervasive, sustainable PAM called for in the 23 NYCRR 500 rules. WAB Suite has a single gateway with single sign-on for access by system admins. Through this capability, the financial firm’s IT department can define and enforce access policies for admins as well as for the employees who need system access. This bastion is able to span cloud and on-premises system deployments.

WAB Suite’s agent-less architecture is well-suited to the highly varied infrastructure scenarios found in the financial industry. Other PAM solutions require a software agent installed on each target system. This is effectively a non-starter when systems are spread out across multiple platforms in cloud and on-premises combinations. When agents are required, PAM will likely be abandoned or neglected to the point where it won’t perform its basic functions. WAB Suite helps ensure that you won’t fall into this trap.

Get in touch if you’d like a demonstration of WALLIX’s PAM solution or just more information about how PAM can help your firm meet the upcoming requirements of 23 NYCRR 500.