• Home
  • New York NYDFS
  • Section 500.05 - Penetration Testing and Vulnerability Assessments.

Section 500.05

Penetration Testing and Vulnerability Assessments.

Conduct Cybersecurity Entity Monitor Monitoring Penetration Testing Risk Risk assessment Security Security Shall Vulnerabilities
The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct:
Entity Penetration Testing Risk Risk assessment
(a) annual Penetration Testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and
Cybersecurity Entity Public Publicly Risk Risk assessment Scans Security Security Systematic Vulnerabilities
(b) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.