N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.12 - Multi-Factor Authentication
(a) Multi-factor authentication shall be utilized for any individual accessing any
information systems of a covered entity, unless the covered entity qualifies
for a limited exemption pursuant to section 500.19(a) of this Part in which case
multi-factor authentication shall be utilized for:
(1) remote access to the covered entity's information systems;
(2) remote access to third-party applications, including but not limited to those
that are cloud based, from which nonpublic information is accessible; and
(3) all privileged accounts other than service accounts that prohibit interactive
login.
(b) If the covered entity has a CISO, the
CISO may approve in writing the use of reasonably equivalent or more secure
compensating controls. Such controls shall be reviewed periodically, but at a
minimum annually.