audit trail must record and respond to security incidents and be maintained for five years.
3 Limits on data retention must be set in place to ensure that data is disposed of properly when no longer needed.
4 Access Privileges must be implemented and limited to protected data, and access records must be periodically reviewed.
5 An Incident Response plan must be published to ensure that cybersecurity events are clearly communicated, roles and responsibilities are clear, and remediation takes place.
6 Notices to the superintendent (the superintendent is the organization that oversees the regulation) must be provided within 72 hours after a “material” cybersecurity event is detected.
NYDFS is similar to the General Data Protection Regulation (GDPR) and the California Privacy Protection, which carry outsized influence because of the economic size of the jurisdictions behind them. Much of the world's finance flows through New York, so many of the world's financial companies are subject to this framework. More importantly for this book, the NYDFS regulation contains a section that requires covered entities (i.e., those subject to the regulation) to perform due diligence on their third parties at regular intervals.
The Federal Information Systems Management Act (FISMA) is a framework for federal agencies. This standard defines a set of security requirements that the agencies use to improve their cybersecurity. The benchmark requires that third parties to an agency conform to the agency's information security requirements. It contains nine steps for securing government data, operations, and assets:
1 Defining the information categories for security levels
2 Understanding the minimum security controls for protecting data
3 Refining controls through risk assessments
4 Documenting controls and developing security plans
5 Implementing the required security controls
6 Evaluating the effectiveness of implemented controls
7 Establishing security risks for federal resources and data
8 Authorizing the use of secure information systems
9 Continuously monitoring the implemented controls
Several other frameworks are worth describing at a high level. The Australian Signals Directorate (ASD) Essential 8 contains controls and strategies that are part of the ASD Strategies to Mitigate Cyber Security Incidents. Based on its experience, the Australian government considers these controls the cybersecurity baseline for that country and reports that, if implemented correctly, they can mitigate up to 85 percent of the most common cyberattacks.
The Control Objectives for Information and Related Technology (COBIT) framework is a high‐level framework for identifying and mitigating risk. Developed by information technology (IT) governance professionals to lower risk, it has evolved to align with business goals. COBIT is primarily used in the finance space to comply with Sarbanes‐Oxley (SOX), also known as the Public Company Accounting Reform and Investor Protection Act.
The Ten Steps to Cybersecurity framework is an initiative of the United Kingdom's Department of Business to provide senior leaders with a cybersecurity overview. This framework acknowledges the urgency of giving executives knowledge about the information security issues and risks that affect businesses, along with the controls to mitigate them. It explains, in plain business English (i.e., non‐technical and jargon‐free), the numerous cybersecurity risks, defenses, mitigations, and resolutions in broad terms.
The Technical Committee on Cyber Security (TC CYBER) framework was developed to improve telecommunications security in the European Union (EU). It contains a series of requirements for improving privacy for companies and individuals. Its focus is to confirm that EU residents and citizens have a high level of privacy protection when communicating across the various media in the region. Although it is focused on the EU, it has been adopted by other countries worldwide.
These cybersecurity frameworks are important in third‐party risk due diligence work. When engaging with vendors about security due diligence, one of the first questions to ask is which cybersecurity framework they adhere to. Their answer will provide valuable information about how their organization performs its own security activities. Many of the frameworks and standards share similar themes and controls because cybersecurity itself does not vary much from industry to industry. What often differs is the framework's focus or scope. Understanding which industry a vendor operates in, or which one you are subject to, can establish which framework is the best fit or the required one.
Due Care and Due Diligence
Two of the concepts discussed often in this book, as well as in cybersecurity and third‐party risk generally, are due care and due diligence. Due care is using a reasonable effort to protect the interests of a company. For due care with vendors, it means ensuring they develop and formalize security policies, standards, baselines, and procedures to secure their environment. Due diligence is performing a reasonable examination and investigation before taking action. The opposite of due diligence is the ad‐hoc process: one that is not predefined and is essentially done without guidance. In this book, performing due diligence refers to the effort of researching the risks of third parties. In short, due diligence is performing the necessary research to understand risk, while due care is performing the actions identified as needed by that due diligence.
Internal Security Standards versus External Security Standards
We delve into the policies and legal documentation pertaining to cybersecurity and third‐party risk in later chapters. However, it is worth noting a frequently misunderstood point: Why are standards or policies for vendors often stricter than internal corporate standards? Many complain that it doesn't seem fair, that it is a case of “do as I say, not as I do,” or worse, that it is hypocritical.
The answer is best explained with an analogy: Say you have a hard drive in your house that contains sensitive data, which is almost certainly true, as nearly every reader of this book has a home computer containing sensitive data. This sensitive data, such as electronic bank statements or downloaded documents, is known as PII. Do you specifically lock that drive up when you leave your home? Probably not; you lock your door and turn on your security alarm, which is secure enough.
Let's say you'll be on vacation while your house is undergoing a major renovation, and you don't want to leave your computer where contractors have access to it (which is good vendor risk management, by the way). Your trusted neighbor offers to store it in his home while you are away. (He is your neighbor and friend but not family.) Before he receives the computer, you decide to encrypt the hard drive, set a basic input/output system (BIOS) password (i.e., the prompt a user sees when the computer first starts up), and ensure that your Windows account password is complex. (Please stop using your dog's name plus your birth year!) Again, you feel you're taking the proper due care to secure your data before it's given to a third party.
As you drop off your laptop at your neighbor's house, you ask where he plans on storing it. Surprised, because he had not thought about it, your neighbor casually replies, “Over there on that shelf.” This idea makes you uncomfortable for two reasons: First, he does not seem to appreciate how much you value this data. Second, storing it on an open shelf, where people you do not know can walk by and view it, leads you right back to the problem of strangers (i.e., the contractors) in your home. You then bribe him with a promise to bring back a nice bottle of rum from your trip in exchange for him storing it in his safe.
In your own home, you did not encrypt the data (not recommending this, just making a point) or have the best access rights administration. In addition, your data was never locked up while it was in your home. When you decided to move the data outside your area of control, not only did you increase the security on it, but you also required your neighbor to place it in a safe. He probably thinks you are ungrateful and demanding, but the thought