23 NYCRR 500, Privileged Access Management the key to compliance

Published on 21 April 2017

As data privacy and security concerns become more prevalent, governmental bodies are reacting by issuing regulations focused on personal data security. One of the latest is 23 NYCRR 500, issued by the New York Department of Financial Services.

It specifies a list of security requirements to safeguard all business data with personally identifiable information (PII) that can be used to distinguish or trace an individual’s identity. Part 500 uses a specific term for this, calling it nonpublic information.


What is nonpublic information?

The definition of nonpublic information greatly expands on what is currently considered personal data. Apart from the usual (name, address, phone number, etc.), it also includes anything that can even remotely be tied to an individual (such as a user ID, IP address or MAC address).

On the surface, this may seem like a minor change, but organizations may have a hard time guaranteeing that all forms of nonpublic information get the same level of security. Remapping an entire infrastructure and redefining corporate policies and procedures may take significant time and resources.


Focus on privileged authorized users

Looking at this from a different perspective, however, may lead to an easier way to comply with the regulation's requirements. Instead of focusing on the data first, it is better to start by looking at the users with authorized access to nonpublic information.

Users with the ability to access and alter nonpublic information are referred to as privileged authorized users in Part 500. They range from administrators to any high-profile user with the ability to access and operate business-critical assets.

Privileged authorized users pose a significant risk of deletion or theft of nonpublic information. Their activity, whether intentionally malicious or unintentionally negligent, can lead to severe consequences.


Manage privileged users

To manage privileged authorized users, organizations often deploy Privileged Access Management (PAM) technologies that can:

  • Limit access to information systems, preventing any bypass of security checks.
  • Enforce strong authentication, or direct all connections through a multi-factor authentication tool.
  • Supervise privileged authorized user activity by establishing rule sets that identify all command input and prevent harmful commands from being executed.
  • Generate tamper-proof audit trails of authorized user sessions that capture the metadata of a connection and the user's activity, including the commands entered.

Together, these functions enable organizations to set up a secure environment in which the handling of nonpublic information is constantly supervised and, at the same time, to comply with 23 NYCRR 500.
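To make the last two functions concrete, here is an added illustration that is not Balabit's code or any product's API: a minimal privileged-session gateway that checks each command entered in a session against an ordered rule set (first match wins) and records every decision in an append-only audit trail where each record embeds the SHA-256 hash of the previous one, so that editing or deleting a record afterwards breaks the chain. The session identifiers, user names, addresses, commands and the rule patterns are all constructed sample values.

```python
"""Added example (not from the original article or from Balabit): a toy
privileged-session gateway with a command rule set and a hash-chained,
tamper-evident audit trail."""
import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed rule set: (compiled pattern, action) pairs evaluated in order,
# first match wins; the final catch-all allows everything not denied above.
DEFAULT_RULES = [
    (re.compile(r"^\s*(rm|shred)\s+.*(-r|-R|--recursive)"), "deny"),  # recursive deletion
    (re.compile(r"^\s*(cat|less|head|tail)\s+/etc/shadow"), "deny"),  # credential store read
    (re.compile(r".*"), "allow"),
]


def evaluate_command(command, rules=DEFAULT_RULES):
    """Return 'allow' or 'deny' for one command line; deny if no rule matches."""
    for pattern, action in rules:
        if pattern.search(command):
            return action
    return "deny"


@dataclass
class AuditTrail:
    """Append-only log; each record carries the hash of its predecessor."""
    records: list = field(default_factory=list)
    last_hash: str = "0" * 64  # genesis value for the first record's 'prev'

    def append(self, session_id, user, source_ip, command, action):
        record = {"session": session_id, "user": user, "src": source_ip,
                  "command": command, "action": action, "prev": self.last_hash}
        payload = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(payload).hexdigest()
        self.records.append(record)
        self.last_hash = record["hash"]
        return record

    def verify(self):
        """Recompute the chain; any edited, removed or reordered record fails."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def run_session(session_id, user, source_ip, commands, trail, rules=DEFAULT_RULES):
    """Filter a session's commands, logging every decision; return the allowed ones."""
    executed = []
    for cmd in commands:
        action = evaluate_command(cmd, rules)
        trail.append(session_id, user, source_ip, cmd, action)
        if action == "allow":
            executed.append(cmd)  # a real gateway would forward this to the target host
    return executed


if __name__ == "__main__":
    trail = AuditTrail()
    allowed = run_session("sess-0001", "alice", "10.0.0.5",  # constructed sample session
                          ["ls /var/log", "cat /etc/shadow", "rm -rf /data"], trail)
    print("forwarded:", allowed)
    print("trail intact:", trail.verify())
```

The hash chain only detects tampering; it does not prevent it, so in practice the trail is written to storage the administrators being monitored cannot reach (a separate log host, write-once media or a signed export), and the chain's head hash is periodically anchored elsewhere so that truncating the whole log is also noticed.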

To learn more about how Balabit can help with Privileged Access Management and compliance with 23 NYCRR 500, download our white paper here.

by István Molnár

István is the Compliance expert at Balabit, with extensive knowledge and understanding of international standards, regulations, and frameworks. He acts as an adviser in compliance-related sales projects and as a content specialist in the Product Marketing team.


“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”

– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser