With the upcoming regulation issued by the New York Department of Financial Services, organizations under its jurisdiction will be required to tighten their security around protecting nonpublic information.
Since all covered entities will need to translate the requirements into practice in their logging infrastructure, this article is meant to be a guideline on how to do so.
We will focus on three main sections in Part 500 that are essential in terms of log handling: 500.06 Audit Trails, 500.13 Limitations on Data Retention and 500.15 Encryption of Nonpublic Information.
500.06 Audit Trails
The overall requirement of this section is to implement and maintain an audit trail system that captures and records all events in the form of log messages.
Within this section the regulation describes three scenarios:
Managing logs generated when providing services to individuals
Part 500 requires covered entities to track and maintain all logs that allow for the complete and accurate reconstruction of financial transactions and accounting.
The reason behind it is to give covered entities the ability to respond to cybersecurity events revolving around financial records and potentially prevent data manipulation or theft.
Managing logs that provide oversight of nonpublic information management and processing
In terms of security logs, the main purpose is to obtain solid evidence on internal events focused on day-to-day operations, such as:
– Privileged, authorized user access to critical systems
– Identifying changes made to any hardware
– Identifying alteration or tampering of nonpublic information stored on the premises of the covered entity
Guaranteeing integrity and reliability of log data
All access to and alterations of the audit trail system must be captured in order to guarantee its reliability.
The section also stipulates that, in order to comply with Part 500, all logs must be retained for at least six years.
500.13 Limitations on Data Retention
Covered entities must possess the ability to erase any logs containing nonpublic information that no longer serve any purpose. This may come into effect either once the six-year retention period has elapsed or when the covered entity is required by law to erase certain data.
500.15 Encryption of Nonpublic Information
Covered entities are required to ensure data security by encrypting all logs containing nonpublic information content while in transit and at rest.
The way to comply:
The requirements listed above are common use cases that can be readily met with a log management infrastructure that centrally manages log collection, forwarding and storage while making sure that the logs are secured.
Here is a short summary of a log management solution’s capabilities:
– Encryption of the communication channels which are used to transfer log messages.
– Anonymization of nonpublic information stored within the log files, making sure that only authorized personnel can view the entire log message.
– Making sure that none of the logs get lost during transfer, by setting up local backups and by bypassing malfunctioning systems with alternate transfer routing.
– Tamper-proofing and encryption applied to the log messages while they are stored.
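As an added illustration of how the first three capabilities above map onto a collector configuration, here is a constructed syslog-ng OSE configuration fragment. It is not taken from the article or from Balabit's own documentation; the host names, ports, certificate paths, version line and the card-number-like masking pattern are placeholders, and the failover() and disk-buffer() options are assumed to be available in the syslog-ng OSE release in use. Encryption at rest and the six-year retention schedule are handled on the storage side and are not shown here.

```conf
@version: 3.38
@include "scl.conf"

# Constructed example: every host name, path and pattern below is a placeholder.

# 1. Encrypted channel on the receiving side: accept log messages only over TLS
#    with mutual authentication, so nonpublic information is protected in transit
#    and only known senders can inject records into the audit trail.
source s_tls {
    network(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/server.key")
            cert-file("/etc/syslog-ng/tls/server.crt")
            ca-dir("/etc/syslog-ng/tls/ca.d")
            peer-verify(required-trusted)   # reject clients without a trusted certificate
        )
    );
};

# 2. Anonymization: mask a card-number-like sequence before the message is
#    forwarded, so the general log store only ever holds the masked form.
#    (Placeholder pattern; tune it to the nonpublic data you actually handle.)
rewrite r_mask_pan {
    subst("[0-9]{4}([ -]?[0-9]{4}){3}", "<PAN-MASKED>",
          value("MESSAGE"), type("pcre"), flags("global"));
};

# 3. Loss protection: forward to the central store over TLS, queue on local
#    disk when the link is down (reliable disk buffer), and fail over to a
#    standby server if the primary stops accepting connections.
destination d_central {
    network(
        "logserver.example.internal" port(6514) transport("tls")
        failover(servers("logserver-standby.example.internal"))
        tls(
            ca-dir("/etc/syslog-ng/tls/ca.d")
            key-file("/etc/syslog-ng/tls/client.key")
            cert-file("/etc/syslog-ng/tls/client.crt")
            peer-verify(required-trusted)   # verify the server's certificate too
        )
        disk-buffer(
            reliable(yes)                    # survive a syslog-ng restart as well
            disk-buf-size(1073741824)        # 1 GiB on-disk queue
            dir("/var/lib/syslog-ng/disk-buffer")
        )
    );
};

log {
    source(s_tls);
    rewrite(r_mask_pan);
    destination(d_central);
};
```

The masking step is placed before the forwarding destination on purpose: anyone with read access to the central store sees only the masked message, while the unmasked original never leaves the collector in clear text. Check the configuration with syslog-ng's syntax-only mode (syslog-ng -s) before reloading a production collector.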
To learn more on how Balabit helps covered entities comply with 23 NYCRR 500 using syslog-ng visit our webpage detailing the essentials of log management here.