N.Y. Comp. Codes R. & Regs. tit. 23 § 500.3

Current through Register Vol. 46, No. 45, November 2, 2024
Section 500.3 - Cybersecurity policy

Each covered entity shall implement and maintain a written policy or policies, approved at least annually by a senior officer or the covered entity's senior governing body for the protection of its information systems and nonpublic information stored on those information systems. Procedures shall be developed, documented and implemented in accordance with the written policy or policies. The cybersecurity policy or policies and procedures shall be based on the covered entity's risk assessment and address, at a minimum, the following areas to the extent applicable to the covered entity's operations:

(a) information security;
(b) data governance, classification and retention;
(c) asset inventory, device management and end of life management;
(d) access controls, including remote access and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security and monitoring;
(h) security awareness and training;
(i) systems and application security and development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and third-party service provider management;
(m) risk assessment;
(n) incident response and notification; and
(o) vulnerability management.

Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017
Amended New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023