(a) Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.

Access Authentication CISO Control Controls Entity Factor Shall

(b) Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.

Section 500.00Introduction.

Section 500.01Definitions.

Section 500.02Cybersecurity Program.

Section 500.03Cybersecurity Policy.

Section 500.04Chief Information Security Officer.

Section 500.05Penetration Testing and Vulnerability Assessments.

Section 500.06Audit Trail.

Section 500.07Access Privileges.

Section 500.08Application Security.

Section 500.09Risk Assessment.

Section 500.10Cybersecurity Personnel and Intelligence.

Section 500.11Third Party Service Provider Security Policy.

Section 500.12Multi-Factor Authentication.

Section 500.13Limitations on Data Retention.

Section 500.14Training and Monitoring.

Section 500.15Encryption of Nonpublic Information.

Section 500.16Incident Response Plan.

Section 500.17Notices to Superintendent.

Section 500.18Confidentiality.

Section 500.19Exemptions.

Section 500.20Enforcement.

Section 500.21Effective Date.

Section 500.22Transitional Periods.

Section 500.23Severability.

Section 500.12

Multi-Factor Authentication.

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Key Capabilities

Section 500.12

Multi-Factor Authentication.