New York State DFS Mandate and GDPR Mandate – What we can learn

cyber security and data privacy protection concept with icon of a shield and lock over binary digits background

Takeaways from NYS DFS and GDPR Mandates …

While we are referencing two specific mandates (one for NYS and one that is global), all states have their own regulations in place to protect data and require organizations to report data breaches.  This will continue to expand beyond the financial and medical industries and also across state and country borders.  Below are some baseline practices all businesses should begin implementing.

Here is a quick definition of the NYS DFS Mandate and the GDPR Mandate:

  • New York’s Department of Financial Services (DFS) – called “23 NYCRR 500” is intended for financial organizations.
  • General Data Protection Regulation (GDPR) – Regulation intended on strengthening and unifying data protection for all individuals within the EU.

Here is a list of key takeaways that these mandates enforce:

  • Policies and Training – the easiest and least-costly action for any business is to institute a cybersecurity policy.  This would include rules and training for any employee on the following topics:
    • BYOD Policy – if bringing your own device to the workplace, policy for proper usage.
    • Password Policy – strength of passwords, change interval and historical retention.
    • Acceptable Use Policy – how the company data can be used and shared.
    • Remote Access Policy – requirements for users working from home.
    • Patch Management Policy – defines how software patches are installed and when
    • Security Awareness and Training – bringing in experts to train and inform staff on how to best do their jobs and protect company data.
  • Having an Information Security Plan – just like a mini business plan, there should be an all-encompassing program defining how your organization will remain up-to-date on security.
  • Technologies that will help:
    • Encryption – any device that has confidential data stored on it should be encrypted.  Email communication that contains any sensitive data should also be encrypted
    • Antivirus / AntiMalware – make sure you are not using Microsoft Security Essentials and Defender.  Put in place a managed solution with a portal showing statuses of all viruses and updates
    • Backup and Disaster Recovery Plan – have the difficult discussions about what happens if your key applications were to go down or worse, your equipment or facility.  Determine the Return to Operations timeline (RTO) to identify when you have to have these applications back online.
    • Vulnerability Scanning – software is available to scan your network and external connection for any known vulnerabilities.
    • Patch Management – there is software available that can update Microsoft Windows and other applications in a controlled manner with patches released for security.
  • Multifactor Authentication – ensuring that logging into critical systems includes something you know and something you have.  This requires a username/password and additional proof with a key fob or text to cell phone.

Just like any major change, it is important to have a plan to continuously improve over time.  You could address training and policies first, implement Disaster Recovery (to recover if something does happen) and then slowly address each point over time.

Posted on October 19, 2017. Categorized as . Tagged as .

Related Insights

IT Strategy for Leaders: Strengthening Market Position Beyond the Help Desk

August 13, 2024

Eric Posa will be a guest on the upcoming webinar with Karen Blair of Supporting Strategies, “IT Strategy for Leaders: Strengthening Market Position Beyond the Help Desk,” on August 15, 2024, from… Read more

Celebrating a New Chapter: Our Office Move Journey

June 7, 2024

Moving to a new office is not just about changing locations; it’s about embracing a new chapter and creating a space that reflects who we are as a company. It was a… Read more

What is vulnerability scanning?

March 29, 2023

Just because you’re not using an application doesn’t mean it’s not vulnerable. Vulnerability scanning is a platform that will look for weaknesses on the systems and hardware that live on your network…. Read more

Request More Info

Get in touch and determine where managed IT services fits with your business.
Request More Info Mini

Stay Up to Date

Get valuable technology and security insights sent directly to your inbox.
Mailing List Sign Up