Zofia Buzz

New York's Credit Reporting Agencies (CRA) Must Comply with New Cyber Mandate

Effective June 25, 2018, any credit reporting agency (CRA) with “significant operations” in New York must register with the New York Department of Financial Services (NYDFS) and comply with the NYDFS cyber regulations under Part 500. CRAs must register by September 15, 2018. In addition to registering, CRAs must begin complying with New York’s cyber regulations as early as November 1, 2018. There are multiple deadlines over the next year for CRA compliance.

Here are some highlights:

  • By November 1, covered CRAs must have appointed a chief information security officer (CISO) and have implemented a written cybersecurity program, including an incident response plan, that are designed to safeguard the confidentiality, integrity and availability of the organization’s information systems.

  • A CRA must base its cybersecurity program on a completed risk assessment, and the program must be designed to enable the CRA to identify, detect, respond to and recover from a reportable “cybersecurity event.”

  • CRAs have a maximum of 72 hours to report a “cybersecurity event” to the NYDFS, making the reporting requirements more consistent with Federal guidelines for government agencies.

  • A member of the board of directors, or a senior officer, of each CRA must certify annually to the NYDFS the agency’s compliance with the regulations. The first certification is due on February 15, 2019.

  • Under this regulation, NYDFS has the authority to deny, suspend, or revoke a CRA’s license and ability to conduct business in New York if the agency fails to comply with the NYDFS’s cyber regulations, including a failure to certify annually its compliance.

Zofia Consultants are experts in full-time CISO activities and Enterprise Security Risk Management.

Not every organization has the need or resources for full-time, all the time, cybersecurity support. Having “Virtual CISO” ™ expertise available part-time and virtually on-demand is a service more and more of our clients are asking for, particularly those needing to demonstrate compliance with State and Federal laws.

Zofia Consulting assists our clients through the complex cybersecurity maze and provides the necessary leadership and learning opportunities for ongoing protection, compliance, and mission success.

Learn more here: https://www.zofiaconsulting.com/virtual-ciso

Defense Security Service to Tackle DOD CUI Program

In a recent public meeting, Defense Security Service (DSS) confirmed they will not only be taking over the majority of government background investigations, they will also be taking the DoD CUI program. Public details are still forthcoming, but we presume the audit process will get started over the next year or two and be similar to their existing audit and risk management review process. The overall goal is to ensure all products and services delivered to the USG are “uncompromised.” #DeliverUncompromised

There will also be a push from DoD, the Director of DSS stated, for a “4th pillar” of evaluation for contract awards. This means that in addition to cost, performance and schedule, “Security” will become a strong factor of evaluation. The goal is to reward companies that have established and effective security and risk management programs. The Director also stated that heavier penalties will be exacted for contractor failures to maintain security compliance and oversight of their systems during the contract periods.

An initial self-assessment for CUI compliance is the first of many steps in a thorough risk management program that we presume DSS will audit, and is only one component of the overall information security picture. Any assessment should be complemented with a robust information security program within the organization. A single report cannot reveal all types of security weaknesses, and should not be the sole means of determining an organization’s security posture.

An initial assessment may not provide a detailed architectural analysis of the network or a detailed network hardware/software configuration review. An initial self-assessment is no substitute for in-depth analysis of control system vulnerabilities as performed by trained professionals.

Periodic onsite reviews and inspections must still be conducted using a holistic approach, including facility walk-downs, interviews, and observation and examination of facility practices. Consideration should also be given to additional steps, including scanning, penetration testing, and exercises on surrogate, training, or non-production systems, or on systems where failures, unexpected faults, or other unexpected results will not compromise production or safety.

Dangers of DIY: http://www.dodig.mil/reports.html/Article/1481961/logical-and-physical-access-controls-at-missile-defense-agency-contractor-locat/

Cybersecurity is NOT just a technology problem. The majority of cyber incidents are caused by human action or inaction with the result becoming a risk to business operations and perhaps a risk to the survival of a business. Affected parties include shareholders, stakeholders, customers, executives, and employees of the business.

As spring turns to summer, the cyber threats heat up just like the weather. It’s time to give your Incident Response (IR) playbook a checkup, the same as your A/C system.

Here are the areas to do a quick check in your IR Playbook.