In 2017, the New York State Department of Financial Services (NYDFS) enacted its Cybersecurity Regulation, 23 NYCRR Part 500, to help the financial services entities under its purview improve their cyber defenses. The initial regulation outlined the controls and practices that constitute a comprehensive security program capable of minimizing an organization’s exposure to growing cyber threats.
The first iteration of the regulation gave financial institutions a certain degree of freedom in how requirements could be achieved. Broadly speaking, the rule stipulated that institutions must:
The regulation has undergone several updates since its inception to ensure that covered entities remain vigilant. The latest proposed amendments were announced on November 9, 2022. The new requirements will be more stringent than in the past and can be grouped into six buckets:
Naturally, given that Axonius is a cybersecurity asset management company, this post will focus on the requirement for maintaining a cybersecurity asset inventory. But it’s not just a basic asset inventory that’s important here. The amendments to the Cybersecurity Regulation address monitoring and maintenance of data governance, access controls, unpatched software, end-of-life technology management, vulnerability and risk management, and more — all things that are part and parcel of managing an asset inventory. In other words: comprehensive cybersecurity asset management.
The amendments, designated the “Proposed Second Amendment to 23 NYCRR 500,” include the following asset inventory requirement (proposed section 500.13):
“As part of its cybersecurity program, each covered entity shall implement written policies and procedures designed to ensure a complete, accurate and documented asset inventory. The asset inventory shall be maintained in accordance with written policies and procedures. At a minimum, such policies and procedures shall include:
(1) a method to track key information for each asset, including, as applicable, the following: (i) owner; (ii) location; (iii) classification or sensitivity; (iv) support expiration date; and (v) recovery time requirements. (2) the frequency required to update and validate the covered entity’s asset inventory.”
Via our cybersecurity asset management and SaaS Management products, Axonius can quickly provide a “complete, accurate and documented asset inventory.”
But it’s more than just an accounting of assets. Due to our extensive integration model (a.k.a., more than 600 adapters), alongside the native capabilities for aggregation, normalization, and deduplication, Axonius provides very specific, correlated details for each asset.
Further, the Axonius easy-to-use Query Wizard gives our customers a view into vulnerabilities affecting assets, historical/timeline data for each asset, and a way to easily manage vulnerabilities, either through Axonius directly or through the integrated technologies that constitute our adapter network.
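To make the two requirements above concrete, here is an added example written for this post (it is not Axonius product code and not the regulation's text). It merges records from two constructed exports, a CMDB and an EDR console, into one deduplicated inventory by normalizing hostnames and MAC addresses, then checks each asset for the five fields named in proposed 500.13, for expired support, and for records not validated within an assumed 30-day interval. The source formats, field names, hosts, MACs and dates are all constructed for illustration.

```python
"""Added example (not Axonius code or regulation text): merge asset records
from several sources into one deduplicated inventory and check each asset
against the fields named in the proposed 500.13 amendment. All data, field
names and thresholds below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Fields the amendment names per asset (hypothetical attribute names).
REQUIRED = ("owner", "location", "classification", "support_expiration", "rto_hours")
EXAMPLE_AS_OF = date(2022, 12, 15)   # "today" for the worked run
VALIDATION_INTERVAL_DAYS = 30        # assumed policy: validate the inventory monthly

# Constructed exports. Hostnames and MACs are deliberately inconsistent in
# case and format, as they usually are between a CMDB and an EDR console.
CMDB = [
    {"hostname": "FIN-DB-01.corp.example", "mac": "00:1A:2B:3C:4D:5E",
     "owner": "dba-team", "location": "NYC-DC1", "classification": "confidential",
     "support_expiration": "2022-09-30", "rto_hours": 4},
    {"hostname": "fin-web-02.corp.example", "mac": None,
     "owner": None, "location": "NYC-DC1", "classification": "internal",
     "support_expiration": "2026-01-01", "rto_hours": 24},
]
EDR = [
    {"host": "fin-db-01", "mac": "00-1a-2b-3c-4d-5e", "last_seen": "2022-12-01"},
    {"host": "fin-web-02", "mac": "00-aa-bb-cc-dd-ee", "last_seen": "2022-11-30"},
    {"host": "dev-laptop-77", "mac": "10-20-30-40-50-60", "last_seen": "2022-10-01"},
]


def norm_host(name: Optional[str]) -> Optional[str]:
    """Lower-case short hostname, so FIN-DB-01.corp.example == fin-db-01."""
    return name.strip().lower().split(".")[0] if name else None


def norm_mac(mac: Optional[str]) -> Optional[str]:
    """Canonical aa:bb:cc:dd:ee:ff form regardless of separator or case."""
    if not mac:
        return None
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else None


@dataclass
class Asset:
    key: str                                  # first strong identifier seen
    macs: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    owner: Optional[str] = None
    location: Optional[str] = None
    classification: Optional[str] = None
    support_expiration: Optional[date] = None
    rto_hours: Optional[int] = None
    last_seen: Optional[date] = None


def merge(cmdb: list, edr: list) -> list:
    """Correlate records across sources: a record joins an existing asset when
    its MAC or normalized hostname is already known (linear scan here; index
    both keys in a real inventory)."""
    assets: list = []

    def find_or_create(mac, host) -> Asset:
        if not mac and not host:
            raise ValueError("record has no usable identifier")
        for a in assets:
            if (mac and mac in a.macs) or (host and host in a.hostnames):
                break
        else:
            a = Asset(key=mac or host)     # prefer the MAC as the stable key
            assets.append(a)
        if mac:
            a.macs.add(mac)
        if host:
            a.hostnames.add(host)
        return a

    for rec in cmdb:   # the CMDB is the system of record for the 500.13 fields
        a = find_or_create(norm_mac(rec.get("mac")), norm_host(rec.get("hostname")))
        a.sources.add("cmdb")
        a.owner, a.location = rec.get("owner"), rec.get("location")
        a.classification, a.rto_hours = rec.get("classification"), rec.get("rto_hours")
        if rec.get("support_expiration"):
            a.support_expiration = date.fromisoformat(rec["support_expiration"])
    for rec in edr:    # the EDR console contributes liveness, and may reveal unknown hosts
        a = find_or_create(norm_mac(rec.get("mac")), norm_host(rec.get("host")))
        a.sources.add("edr")
        seen = date.fromisoformat(rec["last_seen"])
        a.last_seen = max(a.last_seen, seen) if a.last_seen else seen
    return assets


def findings(assets: list, as_of: date, interval_days: int = VALIDATION_INTERVAL_DAYS) -> dict:
    """Map asset key -> list of inventory problems; an empty dict means the
    inventory is complete, current and validated within the interval."""
    cutoff = as_of - timedelta(days=interval_days)
    out = {}
    for a in assets:
        problems = []
        if "cmdb" not in a.sources:
            problems.append("not_in_cmdb")         # on the network, never inventoried
        problems += ["missing:" + f for f in REQUIRED if getattr(a, f) is None]
        if a.support_expiration and a.support_expiration < as_of:
            problems.append("support_expired")     # end-of-life technology
        if a.last_seen is None or a.last_seen < cutoff:
            problems.append("stale")               # not validated within the interval
        if problems:
            out[a.key] = problems
    return out


def example_findings() -> dict:
    return findings(merge(CMDB, EDR), EXAMPLE_AS_OF)


if __name__ == "__main__":
    for key, problems in example_findings().items():
        print(key, ", ".join(problems))
```

On the constructed data the run reports the database server as past its support date, the web server as lacking an owner, and the laptop the EDR agent saw but the CMDB never recorded as missing every required field and stale. That last case is the one the "complete" in "complete, accurate and documented" is aimed at: an inventory built only from the system of record cannot flag what the system of record does not know about, which is why correlating several sources matters.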
Cybersecurity asset management is just part of a larger picture, one that is cyber asset attack surface management, or CAASM for short. CAASM, for its part, rolls up into continuous threat exposure management (CTEM), a term becoming increasingly important for organizations that want to holistically address the cyber risks targeted at their technology landscapes.
Why is this important? It’s important because asset management is not simply a practice to count all the things — all the hardware, software, users, cloud environments, SaaS applications, CVEs, configurations, policies, patches, etc. — in a digital ecosystem. Instead, asset management serves the purpose of allowing organizations to:
For financial entities subject to the NYDFS Cybersecurity Regulation, the proposed amendments put a clear focus on understanding and controlling assets — not just finding them. And though increased mandatory controls and practices will get organizations much of the way there, the larger picture must be on how devices, users/identities, access controls, SaaS apps, cloud instances, data repositories, vulnerabilities, and more all relate to other assets in the organization’s infrastructure.
Without clear, comprehensive asset management — a capability that aggregates and correlates data from all deployed technology in an organization’s ecosystem and provides a single view of the environment’s security state — companies cannot expect to manage their attack surface or threat exposure. That’s where Axonius can help.
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can't expect everyone to feel equally comfortable expressing an opinion, and so it's important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what's being said, but understand and empathize. Lastly, look for signs of burnout. … If you're noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius