New York State DFS Mandate and GDPR Mandate – What we can learn


Takeaways from NYS DFS and GDPR Mandates …

While we are referencing two specific mandates (one for NYS and one that is global), all states have their own regulations in place to protect data and require organizations to report data breaches.  This will continue to expand beyond the financial and medical industries and also across state and country borders.  Below are some baseline practices all businesses should begin implementing.

Here is a quick definition of the NYS DFS Mandate and the GDPR Mandate:

  • New York’s Department of Financial Services (DFS) regulation – known as “23 NYCRR 500” – applies to financial organizations.
  • General Data Protection Regulation (GDPR) – an EU regulation intended to strengthen and unify data protection for all individuals within the EU.

Here is a list of key takeaways that these mandates enforce:

  • Policies and Training – the easiest and least-costly action for any business is to institute a cybersecurity policy.  This would include rules and training for any employee on the following topics:
    • BYOD Policy – if bringing your own device to the workplace, policy for proper usage.
    • Password Policy – strength of passwords, change interval and historical retention.
    • Acceptable Use Policy – how the company data can be used and shared.
    • Remote Access Policy – requirements for users working from home.
    • Patch Management Policy – defines how software patches are installed and when.
    • Security Awareness and Training – bringing in experts to train and inform staff on how to best do their jobs and protect company data.
  • Having an Information Security Plan – just like a mini business plan, there should be an all-encompassing program defining how your organization will remain up-to-date on security.
  • Technologies that will help:
    • Encryption – any device that has confidential data stored on it should be encrypted.  Email communication that contains any sensitive data should also be encrypted.
    • Antivirus / AntiMalware – make sure you are not using Microsoft Security Essentials and Defender.  Put in place a managed solution with a portal showing the status of all viruses and updates.
    • Backup and Disaster Recovery Plan – have the difficult discussions about what happens if your key applications were to go down or worse, your equipment or facility.  Determine the Return to Operations timeline (RTO) to identify when you have to have these applications back online.
    • Vulnerability Scanning – software is available to scan your network and external connection for any known vulnerabilities.
    • Patch Management – there is software available that can update Microsoft Windows and other applications in a controlled manner with patches released for security.
  • Multifactor Authentication – ensuring that logging into critical systems includes something you know and something you have.  This requires a username/password and additional proof with a key fob or text to cell phone.
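The Password Policy item above names three controls (strength, change interval and historical retention) without showing how they are enforced. The following is an added example, not code from the original post or from Copeland; the policy numbers (12 characters, 90 days, 5 remembered passwords) are assumptions an organization would replace with its own, and previous passwords are kept only as salted PBKDF2 hashes so the history itself does not become a leak.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import List, Tuple

# Assumed policy values (constructed for this example; set your own).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5  # how many previous passwords may not be reused

History = List[Tuple[bytes, bytes]]  # (salt, hash) pairs, newest first


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored history does not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def meets_strength(password: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def is_expired(last_changed: date, today: date) -> bool:
    """Change interval: the password must be rotated after MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def reused(password: str, history: History) -> bool:
    """Historical retention: reject any of the last HISTORY_DEPTH passwords."""
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash(password, salt), digest):
            return True
    return False


def record(password: str, history: History) -> History:
    """Return a new history with this password's salted hash at the front."""
    salt = os.urandom(16)
    return [(salt, _hash(password, salt))] + history


def check_change(new_password: str, history: History) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if not meets_strength(new_password):
        problems.append("strength")
    if reused(new_password, history):
        problems.append("reuse")
    return problems


if __name__ == "__main__":
    hist = record("Correct-Horse-42", [])
    print(check_change("Correct-Horse-42", hist))   # ['reuse']
    print(check_change("Different-Pony-99", hist))  # []
    print(is_expired(date(2017, 1, 1), date(2017, 10, 19)))  # True
```

The same checks map directly onto directory settings (minimum length, maximum age, password history) in Windows Group Policy or any identity provider; the code only makes the three rules explicit.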

Just like any major change, it is important to have a plan to continuously improve over time.  You could address training and policies first, implement Disaster Recovery (to recover if something does happen) and then slowly address each point over time.

Posted on October 19, 2017.
