In our previous blog post, we touched on the definition of nonpublic information in the NY DFS Part 500 regulation. In short, nonpublic information includes all vital business information that contains customer-related personally identifiable information.
23 NYCRR 500 puts great emphasis on securing information systems that store nonpublic information. All electronic devices within a covered organization’s perimeter, such as switches, routers, applications, databases and servers, can be considered information systems.
Due to the sensitive nature of nonpublic information, only selected groups within organizations are allowed to access information systems. Users access information systems through the following privileged accounts:
Even though access to information systems is restricted to a small portion of the organization, these accounts carry a high level of privilege, so it is a highly pressing matter to be able to supervise their activities and to generate reliable evidence for purposes such as information security, forensics and demonstrating compliance.
23 NYCRR 500 devotes five sections to the security requirements that covered entities must comply with to ensure the integrity of information systems against privileged account misuse and to reduce the probability of unauthorized access. Here is a short description of them:
The best way to describe the previously mentioned security requirements is to translate them into security functions achievable by Privileged Access Management technologies:
To learn more about how to comply with 23 NYCRR 500 using Balabit technologies, download our white paper here.
To learn more about risk-based authentication, check out our blog post here.
“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”
– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser