Posted on Oct 30, 2019
SecurityScorecard’s compliance tab within our security ratings platform is an important tool for customers who may be working in regulated industries.
By mapping any cyber issues we find across our 10 factors to applicable requirements within a specific framework, regulation or standard, we offer our customers the ability to identify potential noncompliance problems before their auditors do.
Now we’re making our compliance tool even more powerful by adding mappings for two new frameworks: the NY DFS cybersecurity regulation (23 NYCRR Part 500) and NIST SP 800-53.
In September of 2016, the New York State Department of Financial Services (DFS), under the direction of Governor Andrew Cuomo, announced that a “first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks.”
Effective March 1, 2017, 23 NYCRR Part 500 requires financial services companies licensed by New York DFS to establish a cybersecurity program and a written cybersecurity policy, to designate a Chief Information Security Officer responsible for overseeing the program and its controls, and to manage the risk posed by their third-party service providers.
NY DFS imposes a set of high-level requirements on the organizations it governs:
NIST SP 800-53 (Revision 4) is a publication that provides a catalog of security and privacy controls for federal information systems and organizations. It also describes a process for selecting controls to protect organizational operations, organizational assets, individuals, other organizations, and the nation from a diverse set of threats, including hostile cyber-attacks, natural disasters, structural failures, and human error.
NIST SP 800-53 organizes its controls into families that span the entire security spectrum. The following are the families in which SecurityScorecard can support compliance:
SecurityScorecard’s compliance module serves all security users with primary focus on the compliance, audit, privacy and risk personas.
Our compliance mappings are based on industry trends, along with direct customer feedback.
One note, however: our mappings are considered “observations” because they are derived from publicly available, externally observable information, with no visibility into an organization’s internal network and controls. Our customers have the final say on whether an item is a true finding or not.
Used well, our compliance tool allows customers to find the gaps in their own compliance and to have more productive conversations with their vendors, third parties, and suppliers when discussing cyber issues that require remediation.
That sort of proactive compliance, paired with remediation, lets our customers avoid audit findings and, worse, regulatory fines.