23NYCRR 500, Securing Privileged Access to Information Systems

Published on 30 May 2017

In our previous blog post, we touched on the definition of nonpublic information in the NY DFS Part 500 regulation. In short, nonpublic information includes all vital business information that contains customer related personally Identifiable Information.  

Information systems

23 NYCRR 500 puts great emphasis on securing information systems that store nonpublic information. All electronic devices within a covered organization’s perimeter such as switches, routers, applications, databases and servers can be considered information systems.

Privileged accounts

Due to the sensitive nature of nonpublic information, only selected groups within organizations are allowed to access information systems. Users access information systems through the following privileged accounts:

  • Shared Administrative Accounts: Administrator account on MS Windows, the root user on UNIX/Linux, or the SYS account on Oracle. These accounts hold “superuser” privileges and are often shared among IT staff such as system administrators or network admins.
  • Privileged Personal Accounts: Used by business users and IT personnel. These accounts have a high level of privilege and their misuse can significantly affect the organization’s business continuity. Users accessing these accounts usually are business or IT managers.
  • Emergency Accounts: Also known as “break-glass accounts” these are special accounts used when elevated privileges are required to fix urgent problems including business continuity or disaster recovery. Access to these accounts frequently requires managerial approval.

Even though access privileges to information systems are restricted to a small portion of the organization, due to their high level of privileges it is a highly pressing matter to possess the ability to supervise their activities and to generate reliable evidence for reasons such as, information security, forensics and demonstrating compliance.

How to manage privileged accounts according to 23 NYCRR 500?

23 NYCRR 500 allocates five sections describing what security requirements must covered entities comply with to ensure information system’s integrity against privileged account misuses and to mitigate the probability of unauthorized access. Here is s short description on them:

  • Section 500.06 Audit Trail: Track and maintain all authorized user access to information systems
  • Section 500.07 Access Privileges: Limit access privileges to information systems
  • Section 500.11 Third Party Information Security: Supervise third party access to information systems
  • Section 500.12 Multi-Factor Authentication: Perform multi-factor and risk-based authentication on authorized users accessing information systems.
  • Section 500.14 Monitoring: Monitor and supervise the activities of authorized users


How these requirements translate to security functions?

The best way to describe the previously mentioned security requirements is to translate them into security functions achievable by Privileged Access Management technologies:

  • Multi-factor and strong authentication: Enforcing strong authentication upon access or redirecting connections to a multi-factor authentication tool. This allows for a more robust authentication procedure.
  • Access control: Establishing a transparent single point of entry between the clients and information systems, that mitigates the probability of security bypasses and unauthorized access.
  • Real-time monitoring: Monitoring the upstream and the downstream of a remote connection and establishing rule sets to prevent malicious commands from being executed. This enables organizations to constantly supervise authorized user activities.
  • Session recording and audit trails: Generate reliable movie-like audit trails regarding authorized user sessions that capture the metadata of the connection. Providing a more reliable source of evidence for forensics.
  • Risk-based authentication: Use digital biometric identifiers as inherence factors to detect anomalies and changes in the normal authorized use patterns. This guarantees a continuous authentication procedure to prevent identity theft.

To learn more on how to comply with 23 NYCRR 500 using Balabit technologies, download our white paper here.

To learn more on Risk-based authentication check out our blog post here.


by István Molnár

István is the Compliance expert at Balabit. With extended knowledge and understanding of international standards, regulations, and frameworks. He acts as an adviser in compliance-related sales projects and as a content specialist in the Product Marketing team.

share this article
Mitigate against privileged account risks
Get in touch

Recent Resources

The top IT Security trends to watch out for in 2018

With 2017 now done and dusted, it’s time to think ...

The key takeaways from 2017’s biggest breaches

Like many years before it, 2017 has seen a large ...

Why is IT Security winning battles, but losing the war…?

When a child goes near something hot, a parent will ...

“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”

– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser