E6：弹性、可恢复性、法规...检查审计中的所有框.pdf

1、Resiliency,Recoverability,Regulations Checking All the Boxes in an AuditMay 6-8,2024|Charlotte,NCCliff Magee and Bill Krohe,State Farm Insurance Companies DisclaimerDisclaimer The focus of this session is on resiliency and how backup and recovery are integral parts to a holistic cyber security progr

2、am We are only referencing some aspects of 23 NYCRR 500 2023 updates Cliff Magee and Bill Krohe are not attorneys.This is not or intended to imply legal advice and should not be considered as such.We are technical folks who are also trying to deliver solutions to comply.“But Im Not a 23 NYCRR 500 20

3、23 Covered Entity”But Im Not a 23 NYCRR 500 2023 Covered Entity”Due Diligence Industry Best Practices Legislative Activity Cyber Attacks are increasing Change Healthcares 2024 ransomware attack costs reach nearly$1B https:/ Defensible DefinitionsIntentional Defensible Definitions Off-site-500.16(a)(

4、2)-“storing such information off-site”Essential-500.16(a)(2)-“information essential to the operations”Material-500.16(a)(2)-“entitys information systems and material services”Protected-500.16(e)-“adequately protected from unauthorized alterations or destruction”Timely Recovery-500.16(a)(2)(iv)-“proc

5、edures for the timely recovery“Annually Test Restoration-500.16(d)-“at a minimum annually,test”(2)-“ability to restore its critical data and information systems from backups.”https:/www.dfs.ny.gov/industry_guidance/cybersecurityRaising the Bar on AccountabilityRaising the Bar on Accountability23 NYC

6、RR 500:500.4,500.5,500.16,500.17,500.20 Net New Requirement Highest Level Executive Officer validating the Certification CISO responsible for validating Recovery from BackupTolerable Harm/Acceptable RiskTolerable Harm/Acceptable Risk Regulatory Compliance Data Loss Downtime Reputation Damage Financi