Title 23 NYCRR Part 500 Data Compliance with Streamdal

We're updating our documentation, so the presented info might not be the most recent.
Beta

The data compliance features of Streamdal are currently in beta, and being tested with a select group of contributors, companies, and design partners. If you would like to participate in the beta, please reach out to us.

In 2017, in response to growing cybersecurity threats, the New York State Department of Financial Services (DFS) introduced Title 23 NYCRR Part 500: Cybersecurity Requirements for Financial Services Companies (NYCRR-500). The regulation applies to DFS-regulated financial entities such as state-chartered banks, mortgage brokers, and insurers, and requires them to protect customer data and the information systems that handle it.

Streamdal can help strengthen compliance with this regulation by letting you define and enforce data policies on data in motion, in real time.

Streamdal’s Approach

You can leverage Streamdal for:

Protecting Data: You can establish rules and pipelines that obfuscate or redact PII and that check for plaintext passwords or other sensitive information. Data that is past its retention period can be blocked from accidentally being introduced, or reintroduced, into critical environments.

Enforcing Data Policies: From the Console UI, you can create rules that data must pass in order to continue flowing through your systems. You can tap into real-time data with Tail to follow the flow of data through your system and ensure compliance.

Continuous Monitoring: The SDK can also notify you of anomalous data activity, such as unexpected increases or decreases in flow, or a sudden influx of rule violations.

The observability that the Data Graph and Tail provide also helps security and operational teams understand how code handles data as it flows. This gives the teams a shared, accurate picture of their data-handling processes and shortens the time to respond to a threat.

Coming Soon: A visual guide on setting up NYCRR-500-specific rules in the Console UI.

Regulatory Insights

We wanted to make researching the relevant data regulations easier and give a better idea of where Streamdal could be the most impactful for your organization. In most cases, the combination of observability and data governance capabilities supports compliance with the data-handling requirements below; other parts of the regulation, such as governance and incident reporting, are outside the scope of any single tool.

While more sections could be applicable, below are two taken from Title 23 NYCRR Part 500¹ along with how Streamdal can help with data compliance:

Section: § 500.3 Cybersecurity Policy
How Streamdal helps comply: The Streamdal SDK can ensure that data in motion complies with your organization’s data security policies by filtering, alerting on, or rejecting data based on content rules. For example, you can implement rules that alert on and reject data containing plaintext passwords or other sensitive information, and monitor for potential violations.

Section: § 500.13 Limitations on Data Retention
How Streamdal helps comply: Streamdal can assist with limitations on data retention through the creation of rules in the Console UI. You can be notified when producers and consumers are handling PI that is past its retention period (based on time fields in the data), or completely block non-compliant data from being reintroduced into critical environments.

Rules can also be set up to strip, restrict, obfuscate, and mask data, helping enforce data policies around retention.
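The three kinds of rule described above (plaintext-credential detection, PII redaction, and blocking data past its retention period), as an added example that is not part of this page and is not the Streamdal SDK or its rule format: a stand-alone Python checker that evaluates constructed records and returns a pass/redact/reject verdict. The field names, regular expressions, the "looks like a salted hash" test, the 365-day retention period, and the sample records are all assumptions made for illustration.

```python
"""Content-rule checker for records in flight (hypothetical example).

This is NOT Streamdal's SDK or rule language; it shows the logic such
rules implement: reject plaintext credentials, redact PII in place, and
block records whose collection timestamp is past the retention period.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any

# --- assumed rule parameters (constructed for this example) -------------
PASSWORD_KEYS = {"password", "passwd", "pwd", "secret"}
# A value under a password-like key is acceptable only if it looks like a
# salted hash in modular-crypt format (bcrypt, argon2, scrypt, pbkdf2).
HASHED_RE = re.compile(r"^\$(2[aby]|argon2(id|i|d)|scrypt|pbkdf2-sha\d+)\$")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
TIMESTAMP_KEY = "collected_at"          # assumed ISO-8601 timestamp field
RETENTION = timedelta(days=365)         # assumed retention period


@dataclass
class Verdict:
    action: str                           # "pass" | "redact" | "reject"
    reasons: list[str] = field(default_factory=list)
    record: dict[str, Any] | None = None  # sanitised copy; None when rejected


def _redact(value: str) -> tuple[str, list[str]]:
    """Mask SSNs (keeping the last four digits) and e-mail addresses."""
    reasons: list[str] = []
    if SSN_RE.search(value):
        value = SSN_RE.sub(r"***-**-\3", value)
        reasons.append("redacted SSN")
    if EMAIL_RE.search(value):
        value = EMAIL_RE.sub("[REDACTED-EMAIL]", value)
        reasons.append("redacted e-mail")
    return value, reasons


def evaluate(record: dict[str, Any], now: datetime) -> Verdict:
    """Apply all rules to one record; reject outranks redact outranks pass."""
    reasons: list[str] = []
    out: dict[str, Any] = {}

    # Rule 1: collected before the retention cut-off -> block reintroduction.
    ts = record.get(TIMESTAMP_KEY)
    if ts is not None:
        collected = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if collected.tzinfo is None:           # treat naive timestamps as UTC
            collected = collected.replace(tzinfo=timezone.utc)
        if now - collected > RETENTION:
            reasons.append(f"past retention ({TIMESTAMP_KEY} older than {RETENTION.days}d)")

    for key, value in record.items():
        # Rule 2: a password-like field holding anything but a hash -> reject.
        if key.lower() in PASSWORD_KEYS and isinstance(value, str) and value:
            if not HASHED_RE.match(value):
                reasons.append(f"plaintext credential in field {key!r}")
            out[key] = value
            continue
        # Rule 3: PII inside free-text fields -> redact in place, keep flowing.
        if isinstance(value, str):
            value, why = _redact(value)
            reasons.extend(f"{r} in field {key!r}" for r in why)
        out[key] = value

    if any(r.startswith(("past retention", "plaintext credential")) for r in reasons):
        return Verdict("reject", reasons, None)
    if reasons:
        return Verdict("redact", reasons, out)
    return Verdict("pass", reasons, out)


# Constructed sample records; the clock is fixed so results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"user": "alice", "password": "hunter2", "collected_at": "2024-05-30T00:00:00Z"},
    {"user": "bob", "password": "$2b$12$abcdefghijklmnopqrstuu",
     "note": "call 555-0100", "collected_at": "2024-05-30T00:00:00Z"},
    {"user": "carol", "note": "SSN 123-45-6789, reach me at carol@example.com",
     "collected_at": "2024-05-30T00:00:00Z"},
    {"user": "dave", "note": "archived", "collected_at": "2022-01-01T00:00:00Z"},
]


def run(records: list[dict[str, Any]], now: datetime = NOW) -> list[Verdict]:
    return [evaluate(r, now) for r in records]


if __name__ == "__main__":
    for verdict in run(SAMPLE_RECORDS):
        print(verdict.action, verdict.reasons, verdict.record)
```

Rejections are reported with every reason collected, not just the first, so an alert consumer sees both a plaintext credential and an expired timestamp on the same record; redaction rewrites the record and lets it continue, which is the behaviour a pipeline wants when the field is needed downstream but the PII is not.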
Information

Did you know:

The NY DFS (Department of Financial Services) states that “non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute ‘effective continuous monitoring’ for purposes of 23 NYCRR 500.05.”¹


Footnotes

  1. New York State Department of Financial Services. (2017). Title 23 NYCRR Part 500: Cybersecurity Requirements for Financial Services Companies [§ 500.3 Cybersecurity Policy; § 500.13 Limitations on Data Retention]. https://www.dfs.ny.gov/system/files/documents/2023/03/23NYCRR500_0.pdf