23 NYCRR 500, how it translates to log management

Published on 05 July 2017

With the upcoming regulation issued by New York Department of Financial Services, organizations under its jurisdiction will be required to harden security when it comes to protecting nonpublic information.

Since all covered entities will need to  translate the requirements into practice in their logging infrastructure this article is meant to be a guideline on how to do so.

We will focus on three main sections in Part 500 that are essential in terms of log handling: 500.06 Audit Trails, 500.13 Limitations on Data Retention and 500.15 Encryption of Nonpublic Information.


500.06 Audit Trails

The overall requirement of this section is to implement and maintain an audit trail system that allows to capture and record all events in the form of log messages.

Within this section the regulation describes three scenarios:

  1. Managing logs generated when provided services to individuals

Part 500 requires covered entities to track and maintain all logs that allows for the complete and accurate reconstruction of financial transactions and accounting.

The reason behind it is to provide covered entities the ability to respond to cybersecurity events revolving around financial records and potentially prevent data manipulation or theft.

  1. Managing logs that provide oversight of nonpublic information management and processing

In terms of security logs, the main purpose is to obtain solid evidence on internal events focused on day to day operations. Such as:

  • Privileged authorized user access to critical systems
  • Identifying changes made to any hardware
  • Identify alteration of tampering of nonpublic information stored on premise of the covered entity.


  1. Guaranteeing  integrity and reliability of log data

Capturing all access and alterations made to the audit trail system in order to guarantee reliability.

The section also adds a disclaimer that in order to comply with Part 500 all logs must be retained for at least six years.


500.13 Limitations on Data Retention

Covered entities must possess the ability to erase any logs with nonpublic information content that no longer serves any purpose. This may either come into effect once the six years of retention time exceeds or the covered entity is required by law to erase certain data.


500.15 Encryption of Nonpublic Information

Covered entities are required to ensure data security by encrypting all logs containing nonpublic information content while in transit and at rest.


The way to comply:

The enlisted requirements are common use cases that can be easily accomplished with a log management infrastructure, which is able to centrally manage log collection, forwarding and log storage while making sure that logs are secured.

Here is a short summary of a log management solution’s capabilities:

  • Encryption of the communication channels which are used to transfer log messages.
  • Applying anonymization of nonpublic information stored within the log files making sure that only authorized personnel can view the entire log message.
  • Making sure that none of the logs get lost during transfer by setting up local backups and by bypassing systems that are malfunctioning with alternate transfer routing.
  • While stored tamper proofing and encryption is applied to the log messages.


To learn more on how Balabit helps covered entities comply with 23 NYCRR 500 using syslog-ng visit our webpage detailing the essentials of log management here.

by István Molnár

István is the Compliance expert at Balabit. With extended knowledge and understanding of international standards, regulations, and frameworks. He acts as an adviser in compliance-related sales projects and as a content specialist in the Product Marketing team.

share this article
Mitigate against privileged account risks
Get in touch

Recent Resources

The top IT Security trends to watch out for in 2018

With 2017 now done and dusted, it’s time to think ...

The key takeaways from 2017’s biggest breaches

Like many years before it, 2017 has seen a large ...

Why is IT Security winning battles, but losing the war…?

When a child goes near something hot, a parent will ...

“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”

– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser