NYDFS Cybersecurity Regulation Control Mapping

Overview

This document maps NYDFS Cybersecurity Regulation requirements to specific AWS controls and evidence collection points. It serves as a reference for compliance assessments and audit preparation.

Control Mapping Matrix

Section 500.02: Cybersecurity Program

NYDFS Control	AWS Control	Evidence Type	Collection Method	Status
500.02(a) - Risk Assessment	AWS Config Rules	Automated	AWS Config	✅
500.02(b) - Defense in Depth	Security Groups, NACLs	Automated	AWS Security Hub	✅
500.02(c) - Access Controls	IAM Policies	Automated	AWS IAM Access Analyzer	✅
500.02(d) - Data Protection	KMS, S3 Encryption	Automated	AWS Config	✅

Section 500.03: Cybersecurity Policy

NYDFS Control	AWS Control	Evidence Type	Collection Method	Status
500.03(a) - Policy Framework	AWS Organizations	Manual	Policy Documentation	✅
500.03(b) - Access Controls	IAM Password Policy	Automated	AWS Config	✅
500.03(c) - Business Continuity	AWS Backup	Automated	AWS Backup	✅
500.03(d) - Vendor Management	AWS Service Catalog	Manual	Vendor Assessment	⚠️

Section 500.04: Chief Information Security Officer

NYDFS Control	AWS Control	Evidence Type	Collection Method	Status
500.04(a) - CISO Role	AWS Organizations	Manual	Role Documentation	✅
500.04(b) - Reporting	CloudWatch Dashboards	Automated	CloudWatch	✅
500.04(c) - Risk Assessment	AWS Security Hub	Automated	Security Hub	✅

Section 500.05: Penetration Testing

NYDFS Control	AWS Control	Evidence Type	Collection Method	Status
500.05(a) - Annual Testing	AWS Inspector	Manual	Penetration Test Report	⚠️
500.05(b) - Vulnerability Assessment	AWS Security Hub	Automated	Security Hub	✅
500.05(c) - Remediation	AWS Systems Manager	Automated	Systems Manager	✅

Evidence Collection Methods

Automated Collection

AWS Config Rules
- Compliance status
- Configuration history
- Resource relationships
AWS Security Hub
- Security findings
- Compliance status
- Risk scores
CloudWatch Logs
- Access logs
- Security events
- System metrics

Manual Collection

Policy Documentation
- Security policies
- Procedures
- Runbooks
Assessment Reports
- Penetration tests
- Risk assessments
- Vendor reviews

Control Implementation Status

pie title Control Implementation Status
    "Implemented" : 75
    "In Progress" : 15
    "Not Started" : 10

Key Metrics

Metric	Target	Current	Status
Control Coverage	100%	85%	⚠️
Automated Evidence	80%	75%	⚠️
Critical Controls	100%	95%	✅
High Risk Controls	100%	90%	✅

Remediation Priorities

High Priority

Complete vendor management program
Finalize annual penetration testing
Update business continuity documentation

Medium Priority

Enhance automated evidence collection
Implement additional AWS Config rules
Update security policies

Low Priority

Document manual processes
Review and update runbooks
Enhance reporting dashboards

Ghost SecOps

Explorer

NYDFS Cybersecurity Regulation Control Mapping

NYDFS Cybersecurity Regulation Control Mapping

Overview

Control Mapping Matrix

Section 500.02: Cybersecurity Program

Section 500.03: Cybersecurity Policy

Section 500.04: Chief Information Security Officer

Section 500.05: Penetration Testing

Evidence Collection Methods

Automated Collection

Manual Collection

Control Implementation Status

Key Metrics

Remediation Priorities

High Priority

Medium Priority

Low Priority

Graph View

Table of Contents

Ghost SecOps

Explorer

NYDFS Cybersecurity Regulation Control Mapping

NYDFS Cybersecurity Regulation Control Mapping

Overview

Control Mapping Matrix

Section 500.02: Cybersecurity Program

Section 500.03: Cybersecurity Policy

Section 500.04: Chief Information Security Officer

Section 500.05: Penetration Testing

Evidence Collection Methods

Automated Collection

Manual Collection

Control Implementation Status

Key Metrics

Remediation Priorities

High Priority

Medium Priority

Low Priority

Related Resources

Graph View

Table of Contents