N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.14 - Monitoring and training
(a) As part of its cybersecurity program, each covered entity shall:
(1) implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users;
(2) implement risk-based controls designed to protect against malicious code, including those that monitor and filter web traffic and electronic mail to block malicious content; and
(3) provide periodic, but at a minimum annual, cybersecurity awareness training that includes social engineering for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.
(b) Each class A company shall implement, unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls:
(1) an endpoint detection and response solution to monitor anomalous activity, including but not limited to lateral movement; and
(2) a solution that centralizes logging and security event alerting.