Minimum Cybersecurity Standards
Identity / Access Provisions
Multi-Factor Authentication: Remote access to the network requires devices to utilize multi-factor authentication.
- Requirement: Remote access at AP (and in branches) will require MFA. This happens via Juniper for home office for remote access. Note: Only 1-2 advisors remotely access AP’s internal network.
- Advisors or staff accessing their own / local networks remotely, our standard (i.e. requirement) is that they use MFA.
Passwords (Standard): Temporary passwords must always be changed. Each person accessing the AP networks / devices must have their own unique user ID and password. Passwords used to access the AP networks / devices must be strong passwords. Specifically,
- Passwords must not contain the UserID.
- Passwords must be at least eight (8) characters long.
- Passwords must be case sensitive (i.e., uppercase/lowercase letters are separate and distinct).
- Passwords must contain characters from at least two of the following four sets:
- uppercase letters (‘A’ through ‘Z’).
- lowercase letters (‘a’ through ‘z’).
- numerals (‘0’ through ‘9’).
- punctuation characters (‘.’, ‘!’. ‘#’, ‘?’, ‘>’, ‘+’, etc.).
- Systems and applications must require the user to change their password a minimum of every 90 days or force users to re-authenticate / revalidate their security challenge questions or image minimum of every 90 days.
Mobile Devices should adhere to the following password guidelines – Standard:
- Password length = 4-character minimum
- Password Complexity = Minimum of 1 alpha and 1 numeric character.
- For iPads and iPhones = Characters Passcode (Simple passcode OFF – i.e. it is set), and/or optional
- Apple Touch ID fingerprint enrollment where available.
- Email is accessible via a smart phone and will enforce the above.
Lock Screens: Systems should be configured to lock, and require re-login after a period of 15 minutes of inactivity.
Operating Systems (OS)
Desktops/Laptops: Computers should be within full/extended support period from OS Vendor
Current Microsoft Desktop OS’s: Windows 7, Windows 8, Windows 8.1, Windows 10 (x86, 32-bit and 64-bit).
Current Apple Desktop OS’s: Mac OS X 10.8 (Mountain Lion), Mac OS X 10.9 (Mavericks), Mac OS X 10.10 (Yosemite), Mac OS X 10.11 (El Capitan)
Mobile Devices:
IOS (9 or later)
Android (4 or later)
Servers: Servers should be within full/extended support period from OS Vendor
Current Microsoft Server OS’s: Windows Server 2008, Windows SBS 2008, Windows SBS 2011, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Systems that do not meet the above operating system requirements must be upgraded immediately to a supported operating system, or their use immediately discontinued.
Hardware
CPU: 1.5 GHz x86 (64 bit preferred)
RAM: 4 GB (minimum); 8 GB preferred
Available Hard Disk Space: 250 MB
Operating System Updates/Patches
Desktops/Laptops: Operating systems, browsers and applications must be configured to automatically check for, download, and install security updates when available and be on vendor supported versions of the software. For systems that are not monitored/maintained by an in-house or third party IT department, automatic updates must be enabled. Computer systems such as laptops and desktop computers must have a software firewall enabled to block all traffic to the system that is not required to perform and use business software.
Servers: Patches must be applied and the system rebooted at least monthly. Must be configured in accordance with documented standards / procedures that are based on a generally accepted and authoritative source of security configuration information (e.g., Microsoft). Server configurations must be examined periodically to ensure that they continue to meet their documented configuration standards. Servers must have disk-level encryption. Systems must be patched regularly with the latest security updates. For systems that are not monitored/maintained by an in-house or third party IT department, automatic updates must be enabled.
System Protection Software
Anti-Virus / Anti-Malware: Anti-virus and anti-malware software must be installed and be operationally enabled as part of each computer’s start-up process. (e.g., servers, desktops, laptops, etc.) and configured, at a minimum to:
- Prevent and/or block viruses and other malicious programs (e.g., malware) from infecting the computer system; and
- Automatically check for, download and install updates.
Encryption
Requirement – Devices connected to the Network and storing Protected Data must employ full disk encryption.
Device: Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Approved full disk encryption vendors should be installed on all endpoint devices.
ESSENTIAL TECHNICAL CONTROLS SUMMARIZED
# | Essential Technical Control / Enforced (1) |
Automated Critical Asset Inventory Auditing / Cyber Monitoring(2) | |
Devices / Operating Systems (OS) in Compliance with Minimum Standards(3) | |
Full Disk Encryption (FDE) on All Devices Storing / Access Protected Data(4) | |
Anti-Virus / Anti-Malware w/ Automated Patching and Updates | |
Secure Messaging / Email Encryption and Email Pre-Filtering to Mitigate Introduction of Malware to Users / Devices | |
Encrypted Full Image Backups(5) | |
Multi-Factor Authentication (MFA)(6) | |
Penetration Testing(7) | |
Vulnerability Scanning(8) |
ESSENTIAL TECHNICAL CONTROLS DEFINITIONS
* | Item | Definition |
(1) | Control Enforced | Out of Compliance Users / Devices Electronically Remediated (e.g. if a device is not encrypted, tools encrypt the device or disables the users access to the network). |
(2) | Cyber Monitoring of Essential Controls | Cyber Monitoring Exits to Evidence Control Status (i.e. to communicate whether or not a device is encrypted) |
(3) | Minimum Standards Set / Adherence Measured Electronically | The organization has defined minimum cybersecurity standards and electronically manages compliance / enforcement. |
(4) | Full Disk Encryption (FDE) | Full disk encryption prevents unauthorized access to data storage and is a requirement of the NY-DFS. |
(5) | Encrypted Full Image Backups | An Encrypted, Full Image Backup creates a copy of the operating system (OS) and all the data associated with it, including the system state and application configurations. The backup is saved as a single file that is called an image. It can be particularly helpful when recovering from some types of cyber-attacks (e.g. Ransomware). |
(6) | Multi-Factor Authentication (MFA) | Multi-Factor Authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are). |
(7) | Penetration Testing | A Penetration Test (Pen Test) is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system’s features and data. Pen Tests are more involved than a vulnerability scan and almost always involve a human using tools to make multiple attempts to “ethically hack” your cybersecurity controls and processes. Many in our industry misstate Vulnerability Assessments as Penetration Tests. |
(8) | Vulnerability Assessment / Scanning | A Vulnerability Assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. As it relates to cybersecurity, the vendor domains / networks / devices are scanned to identify things such as out-of-date software patches, missing or old versions of anti-virus / anti-malware software, weak vs. strong passwords, and other basic weaknesses that could make your environment more vulnerable to a hack. Vulnerability assessments are primarily an automated, systematic scan of your environment. The NY-DFS suggest vulnerability scanning be done at least twice per year. |
