NYDFS

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered entities. The version used in this section is NYDFS, February 2017.

Control-Requirement Mapping

Definition	Requirements
500_2. Cybersecurity program	161. Define secure default options 266. Disable insecure functionalities 273. Define a fixed security suite 062. Define standard configurations 079. Record exact occurrence time of events
500_3. Cybersecurity policy	331. Guarantee legal compliance
500_5. Penetration testing and vulnerability assessments	376. Register severity level 377. Store logs based on valid regulation
500_6. Audit trail	322. Avoid excessive logging 376. Register severity level 377. Store logs based on valid regulation 084. Allow transaction history queries
500_7. Access privileges	378. Use of log management system
500_10. Cybersecurity personnel and intelligence	142. Change system default credentials 155. Application free of malicious code 314. Provide processing confirmation 315. Provide processed data information 316. Allow rectification requests 318. Notify third parties of changes 378. Use of log management system 025. Manage concurrent sessions
500_11. Third party service provider security policy	262. Verify third-party components 302. Declare dependencies explicitly
500_12. Multi-factor authentication	229. Request access credentials 231. Implement a biometric verification component 264. Request authentication 319. Make authentication options equally secure 362. Assign MFA mechanisms to a single account
500_13. Limitations on data retention	183. Delete sensitive data securely 317. Allow erasure requests
500_14. Training and monitoring	075. Record exceptional events in logs 079. Record exact occurrence time of events 085. Allow session history queries
500_15. Encryption of nonpublic information	147. Use pre-existent mechanisms 213. Allow geographic location 224. Use secure cryptographic mechanisms 252. Configure key encryption 273. Define a fixed security suite 338. Implement perfect forward secrecy
500_16. Incident response plan	363. Synchronize system clocks 378. Use of log management system 051. Store source code in a repository

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.