SecurityScorecard’s compliance tab within our security ratings platform is an important tool for customers who may be working in regulated industries.
By mapping any cyber issues we find across our 10 factors to applicable requirements within a specific framework, regulation or standard, we offer our customers the ability to identify potential noncompliance problems before their auditors do.
Now we’re making our compliance tool even more powerful by adding mappings for two new frameworks: NY DFS and NIST 800-53.
What is NY DFS?
In September of 2016, the New York State Department of Financial Services (DFS), under the direction of Governor Andrew Cuomo, announced that a “first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks.”
Effective March 1, 2017, Section 500, or 23 NYCRR 500, requires financial services companies licensed by New York to establish cybersecurity programs and cybersecurity policies, and to appoint a senior-management-level Chief Information Security Officer to oversee controls and appropriately monitor third-party business partners.
NY DFS imposes a number of high-level requirements on the organizations it governs:
- Create and maintain a company-wide cybersecurity program
- Create and maintain a cybersecurity policy
- Conduct penetration and vulnerability testing
- Maintain an appropriate audit trail
- Periodically review application security guidelines
- Perform a risk assessment
- Develop policies and procedures around vendor risk management
- Utilize multi-factor authentication or an approved equivalent
- Encrypt non-public information
- Have an incident response plan and process
What is NIST 800-53?
NIST 800-53 (Rev. 4) is a publication that provides a catalog of security and privacy controls for federal information systems and organizations. NIST 800-53 details a process for selecting controls to protect organizational operations, organizational assets, individuals, other organizations, and the nation from a diverse set of threats, including hostile cyber-attacks, natural disasters, structural failures, and human error.
NIST 800-53 houses control domains that span the entire security spectrum. The following are domains in which SecurityScorecard can enable compliance:
- Audit and accountability
- Security assessment and authorization
- Contingency planning
- Identification and authentication
- Incident response
- Maintenance
- Risk assessment
- System and services acquisition
- System and communication protection
How SecurityScorecard can help
SecurityScorecard’s compliance module serves all security users, with a primary focus on the compliance, audit, privacy and risk personas.
Our compliance mappings are based on industry trends, along with direct customer feedback.
One note, however: our mappings are considered “observations,” because we look only at publicly available information, with no visibility into an organization’s internal network and controls; our customers have the final say on whether an item is a true finding or not.
Used well, our compliance tool lets customers find the holes in their own compliance themselves, and gives them the basis for more productive conversations with their vendors, third parties, and suppliers when discussing cyber issues that require remediation.
That sort of proactive compliance, paired with remediation, lets our customers avoid audit findings and, worse, regulatory fines.