N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.5 - Vulnerability management
Each covered entity shall, in accordance with its risk assessment, develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of its cybersecurity program. These policies and procedures shall be designed to ensure that covered entities:
(a) conduct, at a minimum:
(1) penetration testing of their information systems from both inside and outside the information systems' boundaries by a qualified internal or external party at least annually; and
(2) automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes;
(b) are promptly informed of new security vulnerabilities by having a monitoring process in place; and
(c) timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity.