N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.13 - Asset management and data retention requirements
(a) As part of its cybersecurity program,
each covered entity shall implement written policies and procedures designed to
produce and maintain a complete, accurate and documented asset inventory of the
covered entity's information systems. The asset inventory shall be maintained
in accordance with written policies and procedures. At a minimum, such policies
and procedures shall include:
(1) a method to
track key information for each asset, including, as applicable, the following:
(i) owner;
(ii) location;
(iii) classification or
sensitivity;
(iv) support
expiration date; and
(v) recovery
time objectives; and
(2)
the frequency required to update and validate the covered entity's asset
inventory.
(b) As part
of its cybersecurity program, each covered entity shall include policies and
procedures for the secure disposal on a periodic basis of any nonpublic
information identified in section
500.1 (k) (2)-(3)
of this Part that is no longer necessary for business operations or for other
legitimate business purposes of the covered entity, except where such
information is otherwise required to be retained by law or regulation, or where
targeted disposal is not reasonably feasible due to the manner in which the
information is maintained.
Notes
State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.
No prior version found.