Benchmark: NYDFS 23
Overview
Around the world, financial institutions (FIs) use Amazon Web Services (AWS) to modernize and automate their core applications, including mobile applications, regulatory reporting, and market analysis. Through continuous innovation, AWS makes strong security available to FIs globally, along with a deep set of services and features, industry expertise, and the AWS Partner Network. AWS empowers FIs to modernize their technology infrastructure, meet rapidly changing customer behaviors and expectations, and drive business growth. AWS offers IT services in categories from compute, storage, database, and networking to artificial intelligence and machine learning.
Effective March 1, 2017, the New York State Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation with cybersecurity requirements for financial services companies (Cybersecurity Regulation or Part 500). The entities required to comply with the Cybersecurity Regulation include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law (Covered Entities).
This guide is a resource to help Covered Entities understand technical and operational requirements for the use of AWS services. It describes the tools and security features offered by AWS that Covered Entities can use to help them comply with requirements in the Second Amendment to NYDFS Cybersecurity Regulation Part 500 of Title 23 (NYDFS Cybersecurity Regulation).
This guide does not undertake a full analysis of the NYDFS Cybersecurity Regulation. The sections in the following list provide information on AWS services, features, and resources that can help Covered Entities support their regulatory objectives under the NYDFS Cybersecurity Regulation.
Security and shared responsibility: It is important that Covered Entities understand the AWS Shared Responsibility Model before evaluating the specific technical and operational requirements outlined in the NYDFS Cybersecurity Regulation. The AWS Shared Responsibility Model is fundamental to understanding the respective roles of the Covered Entity and AWS with respect to security and information access.
AWS Compliance Programs: AWS has obtained certifications and third-party attestations for a variety of industry-specific and general workloads. AWS has also developed Compliance Programs to make these resources available to customers. Customers can take advantage of AWS Compliance Programs to help satisfy their regulatory objectives.
AWS Global Cloud Infrastructure: The AWS Global Cloud Infrastructure comprises AWS Regions and Availability Zones. The AWS Global Cloud Infrastructure offers AWS customers a way to design and operate applications and databases, making them more available, fault tolerant, and scalable than traditional on-premises environments. AWS customers can use the AWS Global Cloud Infrastructure to help them design an AWS environment consistent with their business and regulatory objectives.
Appendix, Considerations on the Second Amendment to NYDFS Cybersecurity Regulation: Describes considerations for Covered Entities that use AWS and describes how Covered Entities can use AWS services and tools to support their regulatory objectives under the NYDFS Cybersecurity Regulation.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select NYDFS 23.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nydfs_23
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nydfs_23 --share
Benchmarks
- 500.02 Cybersecurity Program
- 500.06 Audit Trail
- 500.07 Access Privileges and Management
- 500.08 Application Security
- 500.12 Multi-factor Authentication
- 500.14 Monitoring and Training
- 500.15 Encryption of Nonpublic Information