
How to Meet NYDFS Section 500.7 Amendment Requirements


The New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation is a set of comprehensive cybersecurity requirements that apply to financial institutions operating in New York. The goal of the regulation is to ensure that the cybersecurity programs of financial institutions have robust safeguards in place to protect customer data and the financial sector. 

On November 1, 2023, the NYDFS finalized an amendment to its cybersecurity regulation that expands cybersecurity requirements across many areas, including access management. The update imposes two requirements for “Class A Companies” (read: large organizations) in Section 500.7. This section of the amendment specifies updated requirements regarding Access Privileges and Management:

Class A companies must:

(1) implement a privileged access management solution;
(2) automatically block common passwords for information system accounts. If the latter requirement is not feasible, then the covered entity’s CISO must provide annual written approval for the infeasibility and use of alternative controls.

While this applies to Class A companies, the full amendment also includes additional requirements for all companies:  

The Amendment expands the requirements for access privileges, adding “and Management” to the title of the Section. The Amendment imposes the requirements that a covered entity must: 

(1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job; 
(2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job; 
(3) only permit use of privileged accounts when performing functions requiring that access; 
(4) annually review all user access privileges and remove or disable unnecessary accounts or access; 
(5) disable or securely configure all protocols that permit remote device control; and 
(6) promptly terminate access after departures.

If passwords are used for authentication, the Amendment requires that covered entities implement a written password policy that complies with industry standards.

Section 500.7: Breaking down the new requirements

The new requirements imposed by the amendment to Section 500.7 can be broken down into a few key categories:

Category                      Requirements
Principle of Least Privilege  (1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job;
                              (2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job;
Just-in-Time Access           (3) only permit use of privileged accounts when performing functions requiring that access;
Privileged Access             (4) annually review all user access privileges and remove or disable unnecessary accounts or access;
                              (6) promptly terminate access after departures.
                              Class A: implement a privileged access management solution


The Principle of Least Privilege (PoLP) is an access management methodology focused on ensuring that user privileges are limited to the minimum required for the user to do his/her job. In the case of the NYDFS regulation, this definition is extended to include the data that the user can access as well. That means organizations must actively manage the tools and systems users have access to, as well as the data that can be accessed in those systems.

Just-in-Time Access means that access to a system exists only in the moments it is needed and is deprovisioned as soon as it is no longer needed. NYDFS mandates that just-in-time access be applied to privileged accounts, ensuring that privileged accounts are not available when users are not performing functions that require that access.

Privileged Access is a category of Identity and Access Management (IAM) that is primarily focused on securing accounts with elevated privileges. The amendment to NYDFS requires that Class A Companies implement a privileged access management solution, such as StrongDM, and implement workflows and processes that disable or remove all unnecessary privileges, including those of users who are terminated or who depart the organization.
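The following is an added example, not StrongDM code or text from the regulation: a small Python model of how the Section 500.7 controls fit together, with least-privilege checks, time-bounded (just-in-time) grants, departure revocation, an annual review that flags idle privileged grants, and the Class A common-password block. The deny-list and timestamps are constructed values.

```python
# Toy model of the Section 500.7 controls: (1) least privilege, (3) JIT expiry,
# (4) review, (6) departure revocation, and the Class A common-password block.
# Added example, not StrongDM code; timestamps are epoch seconds.
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed deny-list; a real deployment loads a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}

def password_allowed(pw: str) -> bool:
    """Class A (2): automatically reject common passwords (case-insensitive)."""
    return pw.lower() not in COMMON_PASSWORDS

@dataclass
class Grant:
    user: str
    resource: str
    privileged: bool
    expires_at: float                # every grant carries an expiry (JIT)
    last_used: Optional[float] = None

@dataclass
class AccessStore:
    grants: List[Grant] = field(default_factory=list)
    departed: Set[str] = field(default_factory=set)

    def grant_jit(self, user: str, resource: str, privileged: bool,
                  now: float, ttl: float = 3600.0) -> Grant:
        """(3): privileged access exists only for the window it is needed."""
        if user in self.departed:
            raise PermissionError(f"{user} has departed; no new grants")
        g = Grant(user, resource, privileged, now + ttl)
        self.grants.append(g)
        return g

    def can_access(self, user: str, resource: str, now: float) -> bool:
        """(1): access only through an unexpired grant for that resource."""
        return any(g.user == user and g.resource == resource and g.expires_at > now
                   for g in self.grants if g.user not in self.departed)

    def offboard(self, user: str) -> int:
        """(6): terminate access at departure; returns the number of grants removed."""
        self.departed.add(user)
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.user != user]
        return before - len(self.grants)

    def review(self, now: float, window: float = 365 * 86400.0) -> List[Grant]:
        """(4): flag live privileged grants never used or idle beyond the window."""
        return [g for g in self.grants if g.privileged and g.expires_at > now
                and (g.last_used is None or now - g.last_used > window)]
```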

Meet the Updated NYDFS Requirements with StrongDM

StrongDM delivers a Dynamic Access Management (DAM) platform that fulfills the “implement a privileged access management solution” requirement, while also delivering the critical features required for PoLP, Just-in-Time access, and privileged access. Specifically:

Principle of Least Privilege
  Requirements: (1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job; (2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job.
  StrongDM: (1) provides organizations with fine-grained access controls to manage “who has access to what and when”; (2) centralizes access management to infrastructure, making it possible to manage users and the access they possess based on role, attributes, and policies.

Just-in-Time Access
  Requirements: (3) only permit use of privileged accounts when performing functions requiring that access.
  StrongDM: (3) enables just-in-time access by automating the provisioning and deprovisioning of credentials; credentials can also be revoked at any time or expire after a set time, ensuring that privileged access is removed when not in use.

Privileged Access
  Requirements: (4) annually review all user access privileges and remove or disable unnecessary accounts or access; (6) promptly terminate access after departures; Class A: implement a privileged access management solution.
  StrongDM: (4) provides reports that make privilege usage easy to understand, as well as features to disable those privileges where required; (6) centrally manages all privileged access to infrastructure and integrates with the organization’s identity provider so that all privileges are removed across all systems when a user departs; Class A: StrongDM qualifies as a privileged access management solution.


To learn more about how StrongDM can help you meet the updated requirements of NYDFS, you can sign up for a demo here.


About the Author

, Chief Marketing Officer (CMO), is a distinguished marketing leader with a track record spanning over two decades in the software industry. With tenure of over 10 years as a Chief Marketing Officer, she has left an indelible mark on companies such as Oracle, Veritas, MarkLogic, Evident.io, Palo Alto Networks, and her current role of CMO at StrongDM. Michaline's expertise lies at the intersection of technology and marketing, driving strategic initiatives that fuel business growth and innovation.
