NY Shield Act Checklist

Administration

Do you have a designated individual who coordinates the security program?

Does your organization have a method(s) in place to identify internal and external vulnerabilities?

Does your organization conduct risk assessments? 

Does your organization train employees in security program best practices and procedures?

Do you select capable service providers and require safeguards by contract?

Do you adjust the program in light of business changes or new circumstances? 

Technical

Does your organization assess risks in network and software design?

Does your organization assess risks in information processing, transmission, and storage?

Does your organization have a system in place to detect, prevent and respond to attacks or system failures? 

Does your organization regularly test and check the effectiveness of key controls, systems, and procedures?

Physical

Does your organization assess risks of information storage and disposal?

Do you have a system in place to detect, prevent and respond to intrusions?

Does your organization protect against unauthorized access/use of private information during or after collection, transportation, and disposal? 

Does your organization dispose of private information within a reasonable amount of time after it is no longer needed for business purposes? 

Question 1: Do you have a designated individual who coordinates the security program?

Yes: Good. It is usually best to keep this as a separate duty. Naming the CIO as the CISO as well is problematic because each role is a full-time job in its own right, and each needs to be able to weigh the other's requirements independently.

No: You need an individual who owns the security program. This matters for a number of reasons, including responding to incidents, implementing and enforcing security policies and procedures, and managing the tools that protect the company's data and systems.

Question 2: Does your organization have a method(s) in place to identify internal and external vulnerabilities?

Yes: Well done. Regular vulnerability scanning shows you the paths attackers can use to exploit your security flaws, steal data and lock up systems. It also gives you a concrete list of remediation items that you know need fixing.

No: You need to start this as soon as possible. Regular vulnerability scanning shows you the paths attackers can use to exploit your security flaws, steal data and lock up systems. It also gives you a concrete list of remediation items that you know need fixing.

Question 3: Does your organization conduct risk assessments?

Yes: This is perhaps the most valuable thing you can be doing. A risk assessment gives you a high-level understanding of where risk lies within your organization. You should do this annually as a check-up on your security posture.

No: This is a vital part of any security program. You should perform a risk and security assessment annually (or at least every two years) to thoroughly evaluate the security program and the protective technologies currently in place. Pair this with vulnerability scanning to paint a full picture of organizational risk.

Question 4: Does your organization train employees in security program best practices and procedures? 

Yes: This is another crucial aspect, and often the first line of defense. Training should not stand alone, though. In addition to training, run simulated phishing campaigns that test whether employees apply what they have learned, so that real phishing does not work on them.

No: This is very important, and it is the first line of defense you are missing. Training, regular phishing testing and best practices should be shared with staff so that they are aware of the latest threats and know how to act against them and protect the organization.

Question 5: Do you select capable service providers and require safeguards by contract?  

Yes: Very good. Vetting third-party providers, and writing your security requirements into their contracts, gives you additional tools to combat cyber threats while keeping each provider accountable for protecting the data you share with it. Examples of such services include SIEM products, security awareness software and vulnerability scanning software.

No: You should strongly consider engaging trusted vendors, and you should require appropriate safeguards in their contracts, since they may process or store your private information. Vetting third-party providers gives you additional tools to combat cyber threats while keeping each provider accountable. Examples of such services include SIEM products, security awareness software and vulnerability scanning software.

Question 6: Do you adjust the program in light of business changes or new circumstances?   

Yes: Nicely done. Your program should be updated whenever processes and technologies change within the organization. A change control board (CCB) should also be in place to review and approve significant organizational, IT and technology changes, and to prioritize the most important ones.

No: You really should have a process that updates the program when processes and technologies change within the organization. A change control board (CCB) should also be in place to review and approve significant organizational, IT and technology changes, and to prioritize the most important ones. Without such a process you will never know which changes have been made, or which systems will require future maintenance and updating.

Question 7: Does your organization assess risks in network and software design?   

Yes: Well done. Regularly assessing the risk to both the network and your software is important. A framework-specific security assessment provides this level of risk assessment; we recommend NIST SP 800-171 as a thorough basis for assessing risks to both the network and the design of your software.

No: This should be performed annually, or at least every two years. Regularly assessing the risk to both the network and your software is important. A framework-specific security assessment provides this level of risk assessment; we recommend NIST SP 800-171 as a thorough basis for assessing risks to both the network and the design of your software.

Question 8: Does your organization assess risks in information processing, transmission, and storage?  

Yes: Well done. This is important in ensuring that your organization's data is protected both in transit and at rest. Data is the most important asset of any business, and at the customer level it is also highly personal.

No: Assessments should be performed regularly, at least every two years if not annually, to ensure that data is protected both in transit and at rest. Stolen data can mean not only breached credentials and the financial and health records of clients and employees, but also confidential proprietary information key to your business's success.

Question 9: Does your organization have a system in place to detect, prevent and respond to attacks or system failures?  

Yes: Very well done. Having a system in place, such as a SIEM or continuous monitoring solution, may be the difference between detecting a threat or not, and potentially the survival of your business. Without a system that surfaces these threats in real time, attackers could already be on your network without your knowledge.

No: This is a crucial piece of the success of an organization. Having a system in place, such as a SIEM or continuous monitoring solution, may be the difference between detecting a threat or not, and potentially the survival of your business. Without a system that surfaces these threats in real time, attackers could already be on your network without your knowledge.

Question 10: Does your organization regularly test and check the effectiveness of key controls, systems, and procedures?

Yes: Well done. Performing tabletop exercises and running test scenarios of plans and procedures is a critical part of organizational response in a crisis. By testing a control and proving that it works, you can be confident it will work when the real event occurs.

No: Without proper testing of a system or procedure you will not know whether it works when the event happens for real. Performing tabletop exercises and running test scenarios of plans and procedures is a critical part of organizational response in a crisis. By testing a control and proving that it works, you can be confident it will work when the real event occurs.

Question 11: Does your organization assess risks of information storage and disposal?

Yes: Well done. Assessments should be performed regularly, at least every two years if not annually, to ensure that data is protected while it is stored and is actually destroyed when it is disposed of. Stolen data can mean not only breached credentials and the financial and health records of clients and employees, but also confidential proprietary information key to your business's success. If disposal is not handled properly, you cannot know whether the information is still out there being used.

No: How information is stored and disposed of is very important. Assessments should be performed regularly, at least every two years if not annually, to ensure that data is protected while it is stored and is actually destroyed when it is disposed of. Stolen data can mean not only breached credentials and the financial and health records of clients and employees, but also confidential proprietary information key to your business's success. If disposal is not handled properly, you cannot know whether the information is still out there being used.

Question 12: Do you have a system in place to detect, prevent and respond to intrusions?

Yes: Great. Having a system in place, such as a SIEM, an intrusion detection system or a continuous monitoring solution, may be the difference between locating a threat or not, and potentially the survival of your business. Without a system that surfaces these threats in real time, attackers could already be on your network without your knowledge. To go a step further, having someone watching the system 24/7 is essential to its success, so the threat is located and dealt with in real time rather than the next time someone logs in.

No: You should implement a system such as a SIEM, an intrusion detection system or a continuous monitoring solution. This may be the difference between locating a threat or not, and potentially the survival of your business. Without a system that surfaces these threats in real time, attackers could already be on your network without your knowledge. To go a step further, having someone watching the system 24/7 is essential to its success, so the threat is located and dealt with in real time rather than the next time someone logs in.

Question 13: Does your organization protect against unauthorized access/use of private information during or after collection, transportation, and disposal? 

Yes: Well done. You should have controls in place to protect against unauthorized access to and use of private information. This may be as simple as implementing role-based access control (RBAC) and ensuring that no shared credentials are used. Adding two-factor authentication means a stolen password alone is not enough to get in.

No: You should have controls in place to protect against unauthorized access to and use of private information. This may be as simple as implementing role-based access control (RBAC) and ensuring that no shared credentials are used. Adding two-factor authentication means a stolen password alone is not enough to get in. Private information matters to clients and employees, and a breach can result in legal action.
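To make the three controls in Question 13 concrete, here is an added example (not code from the checklist's author) of an access decision that enforces them together: role-based permissions, a hard deny for shared accounts, and a second factor before private information is released. The role names, the "private_info:" action labels and the sample users are constructed for illustration.

```python
"""Role-based access check for private information.

Added example; not part of the original checklist. Role names, action
labels and sample users are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Each role grants only the actions its job function needs (least privilege).
# Constructed values: replace with your own role catalogue.
ROLE_PERMISSIONS = {
    "hr_analyst": {"private_info:read"},
    "hr_manager": {"private_info:read", "private_info:export"},
    "it_admin": {"system:configure"},  # administers systems, never sees the data
}


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    shared_account: bool = False  # e.g. an "hr-team" login used by several people
    mfa_verified: bool = False    # second factor completed for this session


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user: User, action: str) -> Decision:
    """Decide whether `user` may perform `action`, always with a recorded reason.

    Every branch returns a reason so the decision can be written to an audit
    log; being able to show who accessed private information, and why they
    were allowed to, is the point of the control.
    """
    # A shared credential cannot be tied to one person, so nothing done with
    # it is attributable. Deny regardless of how privileged the role is.
    if user.shared_account:
        return Decision(False, "shared account: no individual accountability")

    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if action not in granted:
        return Decision(False, f"roles {sorted(user.roles)} do not grant {action}")

    # Private information requires a second factor: a stolen password alone
    # must not be enough.
    if action.startswith("private_info:") and not user.mfa_verified:
        return Decision(False, "second factor required for private information")

    return Decision(True, "granted")


def audit_line(user: User, action: str, decision: Decision) -> str:
    """One log line per decision, suitable for shipping to a SIEM."""
    outcome = "ALLOW" if decision.allowed else "DENY"
    return f"{outcome} user={user.username} action={action} reason={decision.reason!r}"


if __name__ == "__main__":
    # Constructed sample users.
    requests = [
        (User("alice", {"hr_analyst"}, mfa_verified=True), "private_info:read"),
        (User("alice", {"hr_analyst"}, mfa_verified=True), "private_info:export"),
        (User("alice", {"hr_analyst"}), "private_info:read"),  # no second factor
        (User("hr-team", {"hr_manager"}, shared_account=True, mfa_verified=True), "private_info:read"),
        (User("bob", {"it_admin"}, mfa_verified=True), "private_info:read"),
        (User("bob", {"it_admin"}), "system:configure"),
    ]
    for user, action in requests:
        print(audit_line(user, action, authorize(user, action)))
```

Note the order of the checks: the shared-account test runs before any role lookup, so a shared login is denied even if someone has attached a powerful role to it, and the second-factor test applies only to actions on private information, so routine administration is not burdened by it.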

Question 14: Does your organization dispose of private information within a reasonable amount of time after it is no longer needed for business purposes? 

Yes: Well done. It is important to have a retention schedule in place so that you keep information only as long as business function and policy require.

No: It is important to implement a retention schedule so that you keep information only as long as business function and policy require.
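As an added example for Question 14 (not code from the checklist's author), the following applies a retention schedule to a set of records and sorts them into what can be disposed of, what must still be kept, what is frozen by a legal hold, and what has no schedule entry and needs a human decision. The categories, retention periods and sample records are constructed; real periods come from your legal and business requirements.

```python
"""Apply a data-retention schedule to records of private information.

Added example; not part of the original checklist. Categories, retention
periods, sample records and the as-of date are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention period per category, counted from the date the record was last
# needed for a business purpose. Constructed values.
RETENTION_DAYS = {
    "customer_account": 365 * 2,
    "payroll": 365 * 7,
    "job_application": 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_needed: date          # date the business purpose for keeping it ended
    legal_hold: bool = False   # litigation or regulatory hold overrides disposal


def disposal_due_date(record: Record) -> Optional[date]:
    """Date the record becomes disposable, or None if its category has no schedule."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return None
    return record.last_needed + timedelta(days=days)


def classify(records, today: date) -> dict:
    """Bucket records as of `today`.

    dispose: retention elapsed and no legal hold
    keep:    still within the retention period
    hold:    retention elapsed but under legal hold, so it must not be destroyed
    review:  category missing from the schedule; fail closed and escalate rather
             than silently keeping the data forever or deleting it
    """
    buckets = {"dispose": [], "keep": [], "hold": [], "review": []}
    for r in records:
        due = disposal_due_date(r)
        if due is None:
            buckets["review"].append(r.record_id)
        elif today < due:
            buckets["keep"].append(r.record_id)
        elif r.legal_hold:
            buckets["hold"].append(r.record_id)
        else:
            buckets["dispose"].append(r.record_id)
    return buckets


# Constructed sample records and as-of date.
SAMPLE_RECORDS = [
    Record("R1", "customer_account", date(2018, 1, 15)),
    Record("R2", "customer_account", date(2020, 6, 1)),
    Record("R3", "payroll", date(2012, 12, 31)),
    Record("R4", "payroll", date(2012, 12, 31), legal_hold=True),
    Record("R5", "marketing_list", date(2015, 1, 1)),   # not in the schedule
    Record("R6", "job_application", date(2020, 9, 1)),
]
AS_OF = date(2021, 5, 16)

if __name__ == "__main__":
    for bucket, ids in classify(SAMPLE_RECORDS, AS_OF).items():
        print(f"{bucket:8s} {ids}")
```

Two details matter in practice: the clock starts when the business need ends, not when the record was created, and a legal hold is checked only after the retention period has elapsed, so held records are reported separately instead of being either destroyed or quietly retained.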

If you would like to speak to our security experts regarding the NY Shield Act, please fill out the form below or give us a call at 716-600-3724 Ex 1

5/16/2021

9:15:47 AM