Greetings and welcome back! Beginning this week, we are going to dovetail our discussions of the Federal Gramm Leach Bliley Act (GLBA) for financial services companies together with the New York Cybersecurity Regulations for Financial Services Companies. Because New York is the home to many of the country’s financial services companies, it seems natural to address both the Federal Standards of GLBA with the State Standards for financial companies in one logical set of blogs. So today, we begin this series by looking at Server & Telecom Racks and New York Cybersecurity Law.
The timing of beginning our discussion is centered around the enforcement of the New York Regulations, which began last week on August 27th. The NY Cybersecurity regs are an extremely comprehensive set of requirements that cover all in-state and international operations for a financial entity of over $5 million in revenue. While not having the power to regulate operations in other states, the Department of Financial Services (DFS) in New York makes it clear that any branch office in another state that impacts the operations of a New York office will be dealt with accordingly. This is a polite way of saying that if security is truly needed in New York then it only makes sense to follow the same procedures for all locations, regardless of location.
To begin with, let’s talk about what the NY Regulations cover. Specifically, the regulations require securing 6 different types of systems from affecting information stored by a covered entity in 3 different ways. The 6 types of systems that must be protected are as follows:
500.01 (e) Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
The 3 types of coverage for the information that these systems support are as follows:
500.02 (a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.
When we combine these regulations, we see that the integrity and availability of IT and Telecom systems must be protected by actively securing and monitoring backup power, cooling and physical security systems. Any interruption in power or cooling to an IT or Telecom system can corrupt or destroy the data that is to be protected. This means that the following systems must be protected in order to be in compliance with the law:
- Uninterruptible Power Supply (UPS) and Power Distribution Units (PDU)
- Cooling Systems for the Data, Network or Telecom Racks
- Physical Access Systems
These regulations make it clear that your racks of servers and telecom systems together with their UPS, PDU, Cooling and Physical Access systems must be secured and monitored. While protecting these types of systems in a large data center can be done in a more centralized fashion, the ability to protect distributed racks and support systems is a much more difficult task. These racks are found in places like:
- Network Rooms and Closets including all IDF and MDF Rooms
- Telecom Rooms and Closets including PBX and Telecom Switch Rooms
- Small Server Rooms
Virtually all the systems in these server, network, telecom, power and cooling systems found in these rooms are rack-mounted systems. Because of this, the security regulations require a rack-based system that is able to both secure and monitor all of these systems. We designed RackGuardian do be a fully-enabled Smart Firewall unit that both provides integrated firewall security and analytic monitoring for any server, telecom system, UPS, PDU and cooling unit.
In coming blogs, we will discuss the specific ways in which UPS and PDU units have already been used to attack information systems. We will also address attacks on telephone switching and PBX systems and how they have had disastrous effects on their owners. In addition, we will take a look at how the GLBA regulations integrate with the New York State regulations and how complementary they are to one another.
If you would like to have a confidential discussion on protecting your server and telecom racks from cyber, physical and operational attacks, we would be happy to work with you to provide the protection and compliance you need for your company.
Until Next Time,