GVP Partners
October 2017
Privileged & Confidential - GVP Partners
NYDFS – Regulation Highlights 3
NYDFS – Regulation Requirements 4-6
NYDFS – Cybersecurity Policy Coverage Areas 7
Rapid Start Maturity Assessment Process 8
Project Deliverables 9
Assessment Services 10
Assessment Process 11
Assessment Templates 12
Assessment Profile 13
BOD Report 14
Process Improvement Planning 15-16
Process Improvement Tracking 17
Contact Information 18
Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York
Covers all entities supervised by the NYDFS
Applies to over 3,000 covered entities across the US
Provides exemptions (Revenue $5 million or less)
Effective March 1, 2017
Need to establish a Cybersecurity Program
Designate a Chief Information Security Officer or designee
Phase 1 - Compliant by November 1, 2017 – 180 Day Transition
Certification by BOD or Company Officer by February 15, 2018
Program documents, assessments and test results must be available at Superintendent’s request.
Section 500.01 Definitions
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy
Section 500.04 Chief Information Security Officer
Section 500.05 Penetration Testing & Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.08 Application Security
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Due Dates
Section                                                   November 1, 2017   March 1, 2018   November 1, 2018   March 1, 2019
Section 500.01 Definitions
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy
Section 500.04 Chief Information Security Officer
Section 500.04 (d) Chief Information Security Officer
Section 500.05 Penetration Testing & Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.08 Application Security
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 (a) Training and Monitoring
Section 500.14 (b) Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Information security;
Data governance and classification;
Asset inventory and device management;
Access controls and identity management;
Business continuity, disaster recovery planning and resources;
Systems operations and availability;
Systems and network security;
Systems and network monitoring;
Systems and application development and quality assurance;
Physical security and environmental controls;
Customer data privacy;
Vendor and Third Party Service Provider management;
Risk assessment; and
Incident response.
2 Week Cybersecurity
Prepare
• Define measurement framework, categories, processes and goals
• Determine survey respondents
• Communicate with stakeholders and respondents
Survey
• Collect data using TrustMAPP assessment portal
• Questions organized around maturity dimensions
Validate
• Review scores
• Validate answers
• Revise data as needed
Report
• Communicate findings with recommendations to improve program maturity
Responsibility by phase: GVP / Client, GVP / Client, Client, Client
Provide a baseline Cybersecurity assessment and strategy roadmap.
Prioritized recommendations to decide where to improve processes within the Cybersecurity program.
Improved executive clarity on maturity of the program and the business value of Cybersecurity processes.
Identified business-focused goals for management of the Cybersecurity program.
Our Assessment Services are powered by TrustMAPP automation
Easily create and launch assessments
Leverage rich analytics and improvement planning tools
Built-in recommendations for improving process performance
Track improvements and automatically update status
Maturity Assessment, Profile and Plan
Thank You!
Michael Corcoran
GVP Partners
www.grcerm.com
770.891.1491
Michael.Corcoran@grcerm.com
Cybersecurity Program Assessment Services

Editor's Notes

  • #4: General information on regulation
  • #9: Steps to take to complete a maturity assessment within 2 weeks
  • #10: After the 2 week assessment these are the project deliverables
  • #11: Built-in intelligence to guide your decisions. Mitigation recommendations based on company size and process maturity level (scale of 1-5; reported in red, yellow, green). Automated project planning capabilities. Enable meaningful business discussions about resource allocation and CapEx requirements for improvement. Compare historical reports and conduct what-if analyses.
  • #12: Our approach to Cybersecurity Assessment is from a maturity perspective versus established frameworks. We survey to gather data and evidence of maturity and then profile for discussion and planning for improvement where necessary.
  • #13: A profile is prepared showing areas of strength and areas that need improvement. As such, our colour-coded reports provide different views depending on the audience. For example, TrustMAPP’s maturity assessment dashboard is organized by top-level categories combined with individual security processes. Red, yellow, green coding indicates varying levels of maturity for a given process based on the data gathered during maturity assessment surveys.
  • #14: We use any established framework or one customized for your purpose.
  • #16: Our solution provides management action plans to guide discussion on where improvements are needed and how to approach them. For example, TrustMAPP’s maturity assessment dashboard is organized by top-level categories combined with individual security processes, with red, yellow, green coding indicating the maturity level of each process based on the survey data.
  • #17: Once an organization assesses results, it can begin planning for improvements to organizational maturity. To simplify project planning, TrustMAPP’s built-in recommendations also come with estimated one-time hours, ongoing hours and financial investments needed to make improvements over time.
  • #19: Please call with any questions.