
How to Meet NYDFS Section 500.7 Amendment Requirements


The New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation is a set of comprehensive cybersecurity requirements that apply to financial institutions operating in New York. The goal of the regulation is to ensure that the cybersecurity programs of financial institutions have robust safeguards in place to protect customer data and the financial sector. 

On November 1, 2023, the NYDFS finalized an amendment to its cybersecurity regulation that expands cybersecurity requirements across many areas, including access management. The update imposes two requirements for “Class A Companies” (read: large organizations) in Section 500.7. This section of the amendment specifies updated requirements regarding Access Privileges and Management:

Class A companies must:

(1) implement a privileged access management solution;
(2) automatically block common passwords for information system accounts. If the latter requirement is not feasible, then the covered entity’s CISO must provide annual written approval for the infeasibility and use of alternative controls.

While this applies to Class A companies, the full amendment also includes additional requirements for all companies:  

The Amendment expands the requirements for access privileges, adding “and Management” to the title of the Section. The Amendment imposes the requirements that a covered entity must: 

(1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job; 
(2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job; 
(3) only permit use of privileged accounts when performing functions requiring that access; 
(4) annually review all user access privileges and remove or disable unnecessary accounts or access; 
(5) disable or securely configure all protocols that permit remote device control; and 
(6) promptly terminate access after departures.

If passwords are used for authentication, the Amendment requires that covered entities implement a written password policy that complies with industry standards.

Section 500.7: Breaking down the new requirements

The new requirements imposed by the amendment to Section 500.7 can be broken down into a few key categories:

| Category | Requirements |
|---|---|
| Principle of Least Privilege | (1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job; (2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job; |
| Just-in-Time Access | (3) only permit use of privileged accounts when performing functions requiring that access; |
| Privileged Access | (4) annually review all user access privileges and remove or disable unnecessary accounts or access; (6) promptly terminate access after departures. Class A: implement a privileged access management solution |


The Principle of Least Privilege (PoLP) is an access management methodology focused on ensuring that user privileges are limited to the minimum required for the user to do their job. In the case of NYDFS regulations, this definition is extended to include the data that the user can access as well. That means organizations must actively manage the tools and systems users have access to, as well as the data that can be accessed in those systems.

Just-in-Time Access means that access to systems exists only in the moments it is needed and is deprovisioned as soon as it is no longer needed. NYDFS mandates that just-in-time access be applied across privileged accounts, ensuring that privileged accounts are not available when users are not performing functions that require access.

Privileged Access is a category of Identity and Access Management (IAM) that is primarily focused on securing accounts with elevated privileges. The amendment to NYDFS requires that Class A Companies implement a privileged access management solution, such as StrongDM, and implement workflows and processes that disable or remove all unnecessary privileges, including those of users who are terminated or who depart the organization.

Meet the Updated NYDFS Requirements with StrongDM

StrongDM delivers a Zero Trust PAM platform that fulfills the “implementation of a PAM” requirements, while also delivering the critical features required for PoLP, Just-in-Time access, and privileged access. Specifically:

| Category | Requirements | StrongDM |
|---|---|---|
| Principle of Least Privilege | (1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job; (2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job; | (1) StrongDM provides organizations with fine-grained access controls to manage “who has access to what and when” (2) StrongDM centralizes access management to infrastructure, making it possible to easily manage users and the access they possess based on role, attributes and policies |
| Just-in-Time Access | (3) only permit use of privileged accounts when performing functions requiring that access; | (3) StrongDM makes it possible to enable just-in-time access by automating the process of provisioning and deprovisioning credentials. Furthermore, credentials can be revoked at any time or expire based on time, ensuring that privileged access is removed when not in use. |
| Privileged Access | (4) annually review all user access privileges and remove or disable unnecessary accounts or access; (6) promptly terminate access after departures. Class A: implement a privileged access management solution | (4) StrongDM provides reports that make it easy to understand privilege usage, as well as features to disable those privileges where required (6) StrongDM can centrally manage all privileged access to infrastructure, and can be integrated with the organization’s identity provider to ensure all privileges are removed across all systems when a user departs. Class A: StrongDM qualifies as a privileged access management solution |


To learn more about how StrongDM can help you meet the updated requirements of NYDFS, you can sign up for a demo here.


About the Author

, Chief Marketing Officer (CMO), is a distinguished marketing leader with a track record spanning over two decades in the software industry. With tenure of over 10 years as a Chief Marketing Officer, she has left an indelible mark on companies such as Oracle, Veritas, MarkLogic, Evident.io, Palo Alto Networks, and her current role of CMO at StrongDM. Michaline's expertise lies at the intersection of technology and marketing, driving strategic initiatives that fuel business growth and innovation.
