icon

All Articles

11/10/2021 Compliance

NYS Department of Financial Services – Serious MFA Requirements

One regulation we help clients with is the New York State DFS 23 NYCRR Part 500 compliance.
 
Who does DFS regulate?

According to its website: “DFS is the primary regulator for all state-licensed and state-chartered banks, credit unions, and mortgage bankers and brokers. All mortgage loan servicers doing business in New York State must be registered or licensed by DFS. The Department also oversees all of the insurance companies operating in New York, licenses all of the budget planners, finance agencies, check cashers, money transmitters, and virtual currency businesses operating in New York.”
 
The requirements of part 500 are generally nothing out of the ordinary, or rather, nothing more than what is already considered good practice in the cybersecurity world.

 

11/6/2021 Compliance

Michael Petrov provided his recommendation for risk assessment methodology – CIS RAM 2.0

POSITION ON RISK

  1. Initial risk is 100% (99.9%). I argue, if you deploy a system without any controls and connect it to the internet, it will be hacked multiple times in a year.
  2. Risk = 100% - control mitigation + destabilizing events (zero days, new vulnerabilities).
  3. We may calculate control mitigation but cannot predict those destabilizing events, and this is the nature of the business, and this is why we cannot precisely measure risks. So we don't have to; we can just assess.
  4. Mitigation is NOT lowering the impact but lowering LIKELIHOOD. When there is a cybersecurity breach, it is easier to predict maximum impact, which depends on the time of detection (controls - destabilizing). I would argue that within some short time, the impact could be the cost of the business. 
  5. My biggest problem with current frameworks is that they all concentrate on initial assessment, not the continuous process.
  6. Risk has to be re-assessed yearly, and the methodology is more important for re-assessment compared to the initial assessment.
  7. Incidents should be used to adjust risks as it is real-life data for statistical analysis for the given client. Incidents should be used to re-assess likelihood, and each incident must be bound to a risk and effect KPI.
  8. Methodology should suggest KPI assignment. 

This is the big picture. All I see today is ISO-like risks analyses that are initially made based on industrial risks. The mentality should be changed, and I don't know if it is too big of a shift from the current approach.

11/4/2021 Edgy News

New York’s Best: Digital Edge Ventures Win Clutch Award for Best Cloud Consulting Services

10/26/2021 Webinar

Digital Edge's webinar with Sophos and AWS

10/14/2021 Edgy News

Interview with Michael Petrov by SafetyDetectives

Michael Petrov shares some information about Digital Edge and offers insights into current cybersecurity threats.

10/8/2021 Presentations

Digital Edge: AWS Presentation

Modern Solutions for Infrastructures in AWS: Zero Trust, Code Based Cybersecurity, and Certification in The Cloud

10/8/2021 Edgy News

AWS Well-Architected Solution Brief

10/1/2021 Compliance

OFAC Ransomware Advisory

9/29/2021 Edgy News

Digital Edge in The 'Top 10 Cybersecurity Solution Providers'

9/24/2021 Edgy News

Digital Edge is an AWS Advanced Consulting Partner

Let's talk: +1 (718)-370-3353

Speak to a specialist