As data privacy and security concerns become more prevalent, governmental bodies are reacting by issuing regulations focused on personal data security. One of the latest is 23 NYCRR 500, issued by the New York Department of Financial Services.
It specifies a list of security requirements to safeguard all business data containing personally identifiable information (PII), that is, information that can be used to distinguish or trace an individual’s identity. Part 500 uses a specific term for this data: nonpublic information.
What is nonpublic information?
The definition of nonpublic information greatly expands on what is currently considered personal data. Apart from the usual fields (name, address, phone number, etc.), it also includes anything that can be tied to an individual, even remotely (such as a user ID, IP address or MAC address).
On the surface, this may seem like a minor change, but organizations may have a hard time guaranteeing that all forms of nonpublic information receive the same level of security. Remapping an entire infrastructure and redefining corporate policies and procedures may take significant time and resources.
Focus on privileged authorized users
Looking at this from a different perspective, however, may lead to an easier way to comply with the regulation’s requirements. Instead of focusing on the data first, it is better to start by looking at the users with authorized access to nonpublic information.
Users with the ability to access and alter nonpublic information are referred to as privileged authorized users in Part 500. They range from administrators to any high-profile user with the ability to access and operate business-critical assets.
Privileged authorized users pose a significant risk of deletion or theft of nonpublic information. Their activity, whether intentionally malicious or unintentionally negligent, can lead to severe consequences.
Manage privileged users
To manage privileged authorized users, organizations often deploy Privileged Access Management (PAM) technologies that can:
- Limit access to information systems, preventing any bypass of security checks.
- Enforce strong authentication or direct all connections to a multi-factor authentication tool.
- Supervise privileged authorized user activity by establishing rule sets to identify all command input and prevent any harmful commands from being executed.
- Generate tamper-proof audit trails of authorized user sessions that capture the metadata of a connection and the user’s activity, including the commands entered.
Together, these functions enable organizations to set up a secure environment in which nonpublic information handling is constantly supervised, and at the same time to comply with 23 NYCRR 500.
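As an added illustration, not code from this article or from any PAM product, the following Python sketch shows how two of the functions listed above can fit together: a command rule set evaluated on every command with a default of deny, and a keyed, hash-chained audit trail whose `verify()` locates the first record that was edited, reordered or deleted. The rule patterns, usernames, addresses and the key are constructed placeholders.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed rule set (illustrative only): (action, regex). The first matching
# rule wins; anything no rule matches is denied.
COMMAND_RULES = [
    ("deny", r"^\s*(rm\s+-rf\s+/|mkfs\b|dd\s+if=.*of=/dev/)"),   # destructive operations
    ("deny", r"\b(scp|curl|wget)\b.*\b(customers|pii)\b"),        # bulk export of nonpublic data
    ("allow", r"^\s*(ls|cat|grep|tail|systemctl\s+status)\b"),    # routine read-only administration
]


def evaluate_command(command: str, rules=COMMAND_RULES) -> str:
    """Return 'allow' or 'deny' for one command line, default deny."""
    for action, pattern in rules:
        if re.search(pattern, command):
            return action
    return "deny"


class AuditTrail:
    """Append-only session log. Each record's MAC covers the previous record's
    MAC, so editing, reordering or deleting any record breaks the chain from
    that point on. The key belongs to the audit collector, not the managed host."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _mac(self, prev: str, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev + canonical).encode(), hashlib.sha256).hexdigest()

    def append(self, user: str, source_ip: str, command: str, decision: str) -> dict:
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        body = {
            "seq": len(self.records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "src": source_ip,
            "cmd": command,
            "decision": decision,
        }
        record = dict(body, prev=prev, mac=self._mac(prev, body))
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return the index of the first bad record, or None if the chain is intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k not in ("prev", "mac")}
            if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], self._mac(prev, body)):
                return i
            prev = rec["mac"]
        return None


def run_session(trail: AuditTrail, user: str, source_ip: str, commands) -> list:
    """Evaluate each command against the rule set and record the decision."""
    decisions = []
    for cmd in commands:
        decision = evaluate_command(cmd)
        trail.append(user, source_ip, cmd, decision)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    trail = AuditTrail(key=b"constructed-demo-key-not-for-production")
    session = ["ls /var/log", "cat /etc/hosts", "rm -rf /",
               "scp customers.csv ext@host:", "tail -n 50 app.log"]
    print(run_session(trail, "dba01", "10.0.0.5", session))
    print("chain intact:", trail.verify() is None)
    trail.records[2]["cmd"] = "ls"          # simulate someone editing the log afterwards
    print("first bad record:", trail.verify())
```

The rule order matters: a read-only command that touches a customer file is allowed by the third rule only because no deny rule matched first, which is why a real deployment reviews its rule set as carefully as the commands it blocks.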