The New York Department of Financial Services (NYDFS) is a regulatory body responsible for overseeing financial services and products in New York State. Its jurisdiction covers financial institutions such as banks, insurance companies, and other financial services firms. 

Compliance with the NYDFS Cybersecurity Regulation can apply even to businesses operating outside New York: it may extend to any organization that conducts business with entities regulated by the NYDFS. Financial services firms with operations, customers, or third-party relationships in New York also need to be aware of potential compliance requirements. 

Amendment to NYDFS Section 500.7 

Section 500.7 focuses on access privileges and cybersecurity requirements for financial institutions. The most recent amendment, in November 2023, introduced stricter controls specifically for “Class A Companies” (companies with over 2000 employees or those generating more than $1 billion in annual gross revenue over the past 3 years). 

The changes to Section 500.7 can be broken down as: 

  1. Principle of least privilege: Enhancing restrictions to ensure that users have only the access needed for their roles.
  2. Just-in-Time Access: Requiring that access to privileged accounts be granted only when needed and revoked after use.
  3. Privileged Access Management: Mandating annual reviews of privileges, immediate removal of unnecessary privileges, and the implementation of a privileged access management solution. 

Meet NYDFS and CSA CCM requirements with Britive’s Cloud PAM 

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a cybersecurity control framework designed specifically for cloud computing, with detailed security controls aligned with industry standards, regulations, and best practices. It is designed to assist cloud service providers (CSPs), cloud customers, and auditors with assessing risk, and the requirements of NYDFS Section 500.7 can be mapped to its controls as shown in the table below. 

Britive’s Cloud PAM platform fulfills the “implementation of a PAM” requirement, while also delivering the capabilities required to effectively execute the principle of least privilege through its patented, dynamic just-in-time (JIT) privileged access management. 

| NYDFS 500.7 Requirements | CSA CCM (Cloud Controls Matrix) | Britive |
| --- | --- | --- |
| Limit user access privileges to nonpublic information to only those necessary to perform the user’s job. | Employ the least privilege principle when implementing information system access. | Britive enables organizations to deploy fine-grained access controls to limit access based on roles. Britive enables users to request appropriate roles that allow least privilege without undue administrative burdens. Britive also provides the capabilities to apply a Role-Based Access Control model, allowing organizations to map users’ job duties to their permissions. |
| Limit the number of privileged accounts and the access functions of those accounts to only those necessary to perform the user’s job; only permit use of privileged accounts when performing functions requiring that access. | Define and implement an access process to ensure privileged access roles and rights are granted for a time-limited period. | Britive enables granting elevated privilege on a time-bound, just-in-time basis. Britive automatically revokes elevated privileges after the configured time has expired. Britive also enables immediate expiration of elevated privileges. This mechanism can be applied to both human and non-human accounts. |
| Annually review all user access privileges and remove or disable unnecessary accounts or access. | Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance. | Britive provides a central, unified place to obtain privileges, and reports that allow periodic reviews of who is assigned which privileges. |
| Promptly terminate access after departures. | De-provision or respectively modify access of movers/leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies. | Britive provides a central, unified platform to disable privileged access across the cloud ecosystem. Britive also enables the immediate termination of elevated privileges. Britive’s patented access invalidation technology allows for immediate session invalidation across cloud and on-premises infrastructure. |

Want to learn more about how Britive can help you meet NYDFS or other regulatory requirements? Schedule time to chat with a member of the team or get a personalized demo. 
