As data privacy and security concerns become more prevalent, governmental bodies are reacting by issuing regulations focused on personal data security. One of the latest is 23 NYCRR 500, issued by the New York Department of Financial Services.
It specifies a list of security requirements to safeguard all business data with personally identifiable information (PII) that can be used to distinguish or trace an individual’s identity. Part 500 uses a specific term for this, calling it nonpublic information.
The definition of nonpublic information greatly expands on what is currently considered personal data. Apart from the usual items (name, address, phone number, etc.), it also includes anything that can remotely be tied to an individual (such as user ID, IP and MAC addresses, etc.).
On the surface, this may seem like a minor change, but organizations may have a hard time guaranteeing that all forms of nonpublic information receive the same level of security. Remapping an entire infrastructure and redefining corporate policies and procedures may take significant time and resources.
Looking at this from a different perspective, however, may lead to an easier way to comply with the regulation’s requirements. Instead of focusing on the data first, it is better to start by looking at the users with authorized access to nonpublic information.
Users with the ability to access and alter nonpublic information are referred to as privileged authorized users in Part 500. They range from administrators to any high-profile user with the ability to access and operate business-critical assets.
Privileged authorized users can pose a significant threat of deletion or theft of nonpublic information. Their activity, whether intentionally malicious or unintentionally negligent, can lead to severe consequences.
To manage privileged authorized users, organizations often deploy Privileged Access Management (PAM) technologies that can:
These functions combine to enable organizations both to set up a secure environment where nonpublic information handling is constantly supervised and, at the same time, to comply with 23 NYCRR 500.