In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.
In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice. They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”
Only “penetration testing” is defined in the regulation. Subsection 500.1(h) provides that penetration testing means “a test methodology in which assessors attempt to circumvent or defeat features of an Information System by attempting penetration of databases or controls from outside or inside the Covered Entity’s Information Systems.” Although not explicitly defined, the regulation explains that a vulnerability assessment must at least include “systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities.”
The definition of continuous monitoring, in contrast, did not receive much attention in the regulation. In its “Frequently Asked Questions,” the DFS states only that continuous monitoring can be obtained through a “variety of technical and procedural tools,” and that there is “no specific technology that is required to be used.” Monitoring must also have “the ability, on an ongoing basis, to detect changes” that may “create or indicate the existence of cybersecurity vulnerabilities or malicious activities.”
There is, however, guidance from other sources. The National Institute of Standards and Technology (NIST) treats “information security continuous monitoring” as a “comprehensive strategy” that encompasses “technology, processes, procedures, operating environments, and people.” And NIST recognizes that “continuous” does not necessarily mean without interruption: “the terms ‘continuous’ and ‘ongoing’ in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.”
With that definition in mind, companies will need to weigh the costs and benefits of continuous monitoring, including the fact that, with such monitoring of assets, companies can usually recognize rogue devices, misconfigurations, and patching failures without needing multiple, costly security controls.
But there are, of course, costs. For example, for large companies, continuous monitoring will likely require centralized data collection and processing, which is far from a simple task. Moreover, if companies follow the NIST approach, they will need to formulate meaningful methods for risk scoring. And, of course, companies will have to invest in the software and technology needed to continuously monitor network traffic.
To be sure, there is no one-size-fits-all answer for every covered entity. But financial institutions will need to determine by March 2018 which approach—vulnerability assessments and penetration tests or continuous monitoring—to take.