New York State proposed new security regulations, known as 23 NYCRR 500, which applies to financial services companies and goes into effect on March 1, 2017. The new rules outline steps that financial service institutions must take to protect consumers from the recent surge in cyber crime and data breaches. Financial firms are required to perform risk assessments, design programs to mitigate vulnerabilities, and certify themselves as compliant annually. This is a great step in securing financial services IT infrastructure which is largely comprised of Web and mobile applications.
An ongoing challenge for many businesses is to make sure that they are implementing and complying with various regulatory and compliance mandates (local, national, international, and industry). The reality is that when an organization understands risk and is proactively implementing security systemically on all networks, systems, and processes, compliance follows naturally. Being compliant doesn’t necessarily mean that things are secure. Until recently, SSL met PCI compliance requirements, but SSL isn’t a secure solution. However, being secure will generally satisfy compliance requirements.
Many financial services organizations are already involved with PCI compliance, so the real benefit is that it not only applies to systems and networks in-scope for PCI, but also to areas that are out of scope and financial services organizations that don't have a PCI compliance mandate.
This type of legislation that establishes a minimum level of due care is not only appropriate for financial services, but for all vertical markets. Despite threats from hostile agents and constant attacks, many organizations are still not sufficiently protected and fail to adequately build and deploy secure systems. Ideally, this type of legislation on a national level would force organizations to improve security at the source: their software development processes.
Regulations Highlights
Many security issues and breached systems are due to poor application security. In fact, Gartner and other reputable organizations claim that 75% to 90% of all attacks occur at the application (not network) layer.
Section 500.08 Application Security
- Each Covered Entity's cybersecurity program shall include written procedures, guidelines, and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.
In a world where infrastructure and systems are largely comprised of software, it is encouraging that this regulation explicitly calls out the need for documented standards and policies designed that ensure security is considered at each phase of software development.
Section 500.05 Penetration Testing and Vulnerability Assessments
- The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments, and shall be done periodically….
Historically, penetration testing and vulnerability assessments would refer to systems and networks. However, given that software runs almost everything (even hardware), it is even more important that applications undergo these periodic security analyses to look for weaknesses that can be exploited by attackers.
Section 500.14 Training and Monitoring
- As part of its cybersecurity program, each Covered Entity shall: … (2) provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.
Ensuring that staff is aware of potential threats and countermeasures is an important component of defense in depth. In particular, development teams should have deep knowledge of secure design, coding, and testing. This mandate is an example of how some organizations might opt for a short computer based training (CBT) course to fulfill the requirement; and while that is an important first step in creating awareness and foundational skills, specialized knowledge and ongoing training are required to build secure systems.
Implications
Despite the daily press about breaches and data theft, many organizations are still not adequately protecting data and systems. It’s not entirely unreasonable for legislation to force organizations to improve. A recent example is the FTC sanctioning an organization for poor application security and mandated specific application security controls. While New York State has mandated security guidance specifically for financial services organizations, expect to see more security regulations from the government addressing organizations more broadly.
Whether you are in the financial services or another industry, addressing application security risk can be a challenge. Security Innovation can help you with the three pillars of secure software development: Education, Assessment, and Standards.