
NY Cybersecurity Regulation Targets Financial Services, but Implications are Much Wider

Posted by: Timothy Jackson | March 30, 2017
Categories:
Rethink: Security
Mobile Security


The web of security and privacy regulations grew again this month as the New York Department of Financial Services (DFS) became the latest regulator to impose cybersecurity requirements on the organizations it oversees; its rule, 23 NYCRR Part 500, took effect on March 1, 2017. While the regulation primarily targets financial services organizations licensed in New York, its implications are much wider. By March 1, 2019, covered entities must have policies and procedures in place to ensure the security of the systems and nonpublic information accessible to their third party service providers, which in practice pushes parts of the regulation down to those vendors. And that may be only the first step: rules that first apply to financial services are often ported to other industries, as requirements become best practices and are copied in other jurisdictions.

The new DFS rules require each covered entity to establish a cybersecurity program and to designate a Chief Information Security Officer (CISO) who reports to the Board of Directors, in writing and at least annually, on the state of the program, and who is therefore accountable for its effectiveness. The CISO is required to oversee a number of activities, including:

  • Annual assessment of the security of the organization’s systems, including penetration testing
  • Encryption of nonpublic information at rest and in transit
  • Limitation of user access privileges to information systems
  • Multi-factor authentication for external connections to the organization’s network
  • Secure development practices for internally developed applications
  • Audit trails designed to detect and respond to security incidents
  • Detection of unauthorized access to or use of nonpublic information
  • A periodic risk assessment of the adequacy of security controls, so that the program can adapt to new technologies and evolving threats

On the one hand, these are established best practices, so an organization with a robust cybersecurity program already in place is hopefully doing most or all of this. On the other hand, implementing and running such a program takes concerted effort.

Fortunately, these requirements are largely consistent with the established industry frameworks: ISO/IEC 27001, NIST SP 800-53 and the CIS Critical Security Controls. It is therefore advisable to choose one of these as the basis for your cybersecurity program and build out from there.

How can MobileIron Help?

MobileIron has an important role to play in the “defensive infrastructure” CISOs are required to establish by the regulation. Let’s look at how this infrastructure can address the required activities.

  • Annual assessment of the security of the organization’s systems, including penetration testing
    Mobile is traditionally an easy target in pentests: pentesters break into a device, or find an app with insecure communication, download email and other documents, and declare a finding.

    MobileIron helps surface these attacks through jailbreak detection, which identifies compromised devices so that access from them can be blocked. One caveat a pentester will point out: on-device jailbreak detection can be evaded by a determined attacker, so treat it as one signal among several rather than as proof of device integrity.

    MobileIron can make these attacks harder with AppConnect, which encrypts enterprise data inside the app and puts it behind a second layer of authentication.
  • Encrypt sensitive data at rest and in motion
    Data at rest on mobile devices can be encrypted with AppConnect.

    Data in motion can be protected with MobileIron Tunnel, the per-app VPN.
  • Limitation of user access privileges to Information Systems
    MobileIron Access helps ensure that the user is authorized, the device is not compromised and the application is authorized for access by that user.
  • Multi-factor authentication for external connections to your network
    MobileIron’s per-app VPN authenticates the device (something you have) to Tunnel. Combined with the AppConnect PIN (something you know) or Touch ID (something you are), this provides two-factor authentication for connections from those apps to your internal network. Because the second factor is enforced by the AppConnect container, it covers AppConnect-enabled apps; document which factors are actually enforced for each app so the claim can be evidenced.

    MobileIron Access can also facilitate two-factor authentication for cloud services by allowing only managed devices (something you have) combined with user authentication (something you know).
  • Ensure internal app developers follow secure development practices
    Secure development practices include securing data at rest and in transit. The AppConnect SDK provides tools to enable developers to do both easily.
  • Audit trails designed to detect and respond to security incidents
    MobileIron Tunnel and Access can produce logs showing which users accessed which enterprise resources from which devices, and when. This is potentially vital information for incident response teams, provided the logs are forwarded to a central store and kept for the retention period the regulation requires for audit trail records.
  • Detection of unauthorized access to or use of nonpublic information
    MobileIron enables IT administrators to identify when a device is compromised or when a user’s authorization has been revoked, and to take appropriate remedial action.
  • Risk assessments to ensure the organization’s security can adapt to new technologies and evolving threats
    Enterprise mobility management (EMM) is becoming a “must have” tool for managing and securing devices, apps and data, and for ensuring that only authorized users on secure devices gain access to the appropriate business services and data.

    MobileIron, along with our ecosystem of mobile threat detection tools, provides a flexible basis upon which to build your organization’s security toolkit.
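As an added example (not MobileIron code, and not a log format MobileIron emits), here is the kind of correlation an incident response team would run over the two data sets described in the audit-trail and detection items above: gateway access records (user, device, resource, time) joined against device-posture events (device, status, time). Every access is checked against the posture the device had at that moment, so an access from a device that was later marked compromised is flagged while an earlier access from the same device is not. All log lines, device IDs, hostnames and the `status=` vocabulary are constructed for this example.

```python
# Added example (not MobileIron code): correlate resource-access records with
# device-posture events to find accesses from compromised, retired or
# never-enrolled devices. Log formats and sample lines are constructed.
from datetime import datetime, timezone

# Constructed sample of gateway access records: who reached what, from which device.
ACCESS_LOG = """\
2017-03-15T09:12:44Z user=alice device=D-1001 resource=mail.corp.example
2017-03-15T09:40:10Z user=bob device=D-2002 resource=crm.corp.example
2017-03-15T11:02:51Z user=alice device=D-1001 resource=files.corp.example
2017-03-15T13:27:03Z user=carol device=D-9999 resource=crm.corp.example
2017-03-16T08:05:19Z user=bob device=D-2002 resource=mail.corp.example
"""

# Constructed sample of device-posture events from a management platform.
# A device that never appears here was never enrolled.
POSTURE_LOG = """\
2017-03-01T10:00:00Z device=D-1001 status=compliant
2017-03-01T10:05:00Z device=D-2002 status=compliant
2017-03-15T10:30:00Z device=D-1001 status=compromised
2017-03-15T18:00:00Z device=D-2002 status=retired
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (aware UTC datetime, dict of fields)."""
    ts_text, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, dict(f.split("=", 1) for f in fields)


def posture_at(posture_lines, device, when):
    """Status of `device` at time `when`: the most recent posture event at or
    before `when`, or None if the device has no posture record at all."""
    latest = None
    for line in posture_lines.splitlines():
        ts, f = parse_line(line)
        if f["device"] == device and ts <= when and (latest is None or ts >= latest[0]):
            latest = (ts, f["status"])
    return None if latest is None else latest[1]


def find_suspicious(access_lines=ACCESS_LOG, posture_lines=POSTURE_LOG):
    """Return (reason, user, device, resource, timestamp) for every access that
    was made from a device not known to be compliant at that moment."""
    findings = []
    for line in access_lines.splitlines():
        ts, f = parse_line(line)
        status = posture_at(posture_lines, f["device"], ts)
        if status is None:
            reason = "unenrolled device"
        elif status != "compliant":
            reason = f"{status} device"
        else:
            continue  # device was compliant when the access happened
        findings.append((reason, f["user"], f["device"], f["resource"], ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious():
        print(*finding)
```

Run stand-alone it reports three accesses: alice's second access (the device was marked compromised between her two accesses), carol's access from a device with no enrollment record, and bob's access the morning after his device was retired. The point-in-time lookup matters: flagging every access a compromised device ever made would bury the responder in noise, while ignoring time would miss the retired-device case entirely.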

Additionally, asset inventory, device management, access controls and identity management are now explicitly required to be addressed in a covered entity’s cybersecurity policy, and all of them are facilitated by EMM providers, including MobileIron.

Conclusions

From the proliferation of rules, it is clear that government regulators are reacting to the growing number of security breaches by taking a more proactive approach to defining minimum reasonable security practices. We therefore anticipate increasingly strict cybersecurity regulation. Organizations would be well served to implement a cybersecurity program that follows broadly accepted industry best practices. In this era of mobility, MobileIron can serve as an important piece of the technological foundation for such a program.