New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.7 - Access privileges and management
Universal Citation: 23 NY Comp Codes Rules and Regs § 500.7
Current through Register Vol. 46, No. 39, September 25, 2024
(a) As part of its cybersecurity program, based on the covered entity's risk assessment each covered entity shall:
(1) limit user access privileges to information systems that provide access to nonpublic information to only those necessary to perform the user's job;
(2) limit the number of privileged accounts and limit the access functions of privileged accounts to only those necessary to perform the user's job;
(3) limit the use of privileged accounts to only when performing functions requiring the use of such access;
(4) periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary;
(5) disable or securely configure all protocols that permit remote control of devices; and
(6) promptly terminate access following departures.
(b) To the extent passwords are employed as a method of authentication, the covered entity shall implement a written password policy that meets industry standards.
(c) Each class A company shall monitor privileged access activity and shall implement:
(1) a privileged access management solution; and
(2) an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts. To the extent the class A company determines that blocking commonly used passwords is infeasible, the covered entity's CISO may instead approve in writing at least annually the infeasibility and the use of reasonably equivalent or more secure compensating controls.
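Added illustration (not part of the regulation or of the site's text): one way to implement the automated blocking of commonly used passwords that (c)(2) requires of class A companies, combined with the length rules of NIST SP 800-63B that a written password policy under (b) commonly adopts. The denylist is a constructed sample, and the username/organization-word checks and the trailing-suffix heuristic are assumptions of this example; the regulation itself prescribes no particular list or rule. The example also covers a case the plain text does not spell out: a denylisted word typed in a different case or in Unicode look-alike characters still matches after normalization.

```python
"""Common-password denylist check in the style of NIST SP 800-63B.

Example code only; not part of 23 NYCRR 500.7 and not any vendor's product.
"""
import unicodedata

# Constructed sample denylist. A real deployment loads a large list of
# commonly used and breached passwords; the regulation names no list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "summer2024", "changeme",
}

MIN_LENGTH = 8    # SP 800-63B minimum length for memorized secrets
MAX_LENGTH = 64   # SP 800-63B: at least 64 characters must be accepted


def normalize(pw: str) -> str:
    # NFKC folds full-width and other compatibility forms to their base
    # characters; casefold makes "PASSWORD" and "password" compare equal.
    return unicodedata.normalize("NFKC", pw).casefold()


def strip_common_suffix(pw: str) -> str:
    # Assumption of this example: users often dodge a denylist by appending
    # digits or a symbol ("password1!"), so compare the stem as well.
    return pw.rstrip("0123456789!@#$%^&*.?")


def evaluate_password(pw: str, username: str = "", org_words: tuple = ()) -> list:
    """Return the list of reasons a candidate password is rejected.

    An empty list means the password passes every check in this example.
    username and org_words (assumed inputs) implement the SP 800-63B advice
    to reject context-specific words such as the account name or the
    organization's name.
    """
    reasons = []
    n = normalize(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if n in COMMON_PASSWORDS or strip_common_suffix(n) in COMMON_PASSWORDS:
        reasons.append("commonly_used")
    if username and normalize(username) in n:
        reasons.append("contains_username")
    for word in org_words:
        if normalize(word) in n:
            reasons.append("contains_org_word")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate, user in [("Password1!", "alice"), ("JSmith2024!", "jsmith"),
                            ("ＰＡＳＳＷＯＲＤ", "bob"),
                            ("correct horse battery staple", "carol")]:
        print(candidate, "->", evaluate_password(candidate, user, ("Acme",)))
```

The comparison is done on the normalized form and on the suffix-stripped stem, so a single denylist entry covers the usual trivial variants; the reasons list rather than a boolean lets the enrolment flow tell the user why a password was refused, which SP 800-63B also recommends.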