<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">
Curious about how StrongDM works? 🤔 Learn more here!
Search
Close icon
Search bar icon

How to Meet NYDFS Section 500.7 Amendment Requirements

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

The New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation is a set of comprehensive cybersecurity requirements that apply to financial institutions operating in New York. The goal of the regulation is to ensure that the cybersecurity programs of financial institutions have robust safeguards in place to protect customer data and the financial sector. 

On November 1, 2023, the NYDFS finalized an amendment to its cybersecurity regulation that expands cybersecurity requirements across many areas, including access management. The update imposes two requirements for “Class A Companies” (read: large organizations) in Section 500.7. This section of the amendment specifies updated requirements regarding Access Privileges and Management:

Class A companies must:

(1) implement a privileged access management solution;
(2) automatically block common passwords for information system accounts. If the latter requirement is not feasible, then the covered entity’s CISO must provide annual written approval for the infeasibility and use of alternative controls.

While this applies to Class A companies, the full amendment also includes additional requirements for all companies:  

The Amendment expands the requirements for access privileges, adding “and Management” to the title of the Section. The Amendment imposes the requirements that a covered entity must: 

(1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job; 
(2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job; 
(3) only permit use of privileged accounts when performing functions requiring that access; 
(4) annually review all user access privileges and remove or disable unnecessary accounts or access; 
(5) disable or securely configure all protocols that permit remote device control; and 
(6) promptly terminate access after departures.

If passwords are used for authentication, the Amendment requires that covered entities implement a written password policy that complies with industry standards.

Section 500.7: Breaking down the new requirements

The new requirements imposed by the amendment to Section 500.7 can be broken down into a few key categories:

Category Requirements
Principle of Least Privilege (1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job;
(2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job;
Just-in-Time Access (3) only permit use of privileged accounts when performing functions requiring that access;
Privileged Access (4) annually review all user access privileges and remove or disable unnecessary accounts or access;
(6) promptly terminate access after departures.
Class A: implement a privileged access management solution


The Principle of Least Privilege (PoLP) is an access management methodology that’s focused on ensuring that user privileges are limited to the minimum required for the user to do his/her job. In the case of NYDFS regulations, this definition is extended to include the data that the user can access as well. That means organizations must actively manage the tools and systems users have access to, as well the data that can be accessed in those systems.

Just-in-Time Access is focused on access to systems that only exists in the moments that it’s needed, and that access is deprovisioned as soon as it is not needed. NYDFS mandates that just-in-time access is applied across privileged accounts, ensuring that privileged accounts are not available when users are not performing functions that require access. 

Privileged Access is a category of Identity and Access Management (IAM) that is primarily focused on securing accounts with elevated privileges. The amendment to NYDFS requires that Class A Companies implement a privileged access management solution, such as StrongDM, and implement workflows and processes that disable or remove all unnecessary privileges, including those for users terminated or that depart the organization. 

Meet the Updated NYDFS Requirements with StrongDM

StrongDM delivers a Dynamic Access Management (DAM) platform that fulfills the “implementation of a PAM” requirements, while also delivering the critical features required for PoLP, Just-in-Time access, and privileged access. Specifically:

Category Requirements StrongDM
Principle of Least Privilege (1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job;
(2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job;
(1) StrongDM provides organizations with fine-grained access controls to manage “who has access to what and when”
(2) StrongDM centralizes access management to infrastructure, making it possible to easily manage users and the access they possess based on role, attributes and policies
Just-in-Time Access (3) only permit use of privileged accounts when performing functions requiring that access; (3) StrongDM makes it possible to enable just-in-time access automating the process of provisioning and deprovisioning credentials. Furthermore, credentials can be revoked at any time or expire based on time, ensuring that privileged access is removed when not in use.
Privileged Access (4) annually review all user access privileges and remove or disable unnecessary accounts or access;
(6) promptly terminate access after departures.
Class A: implement a privileged access management solution
(4) StrongDM provides reports that make it easy to understand privilege usage, as well features to disable those privileges where required
(6) StrongDM can centrally manage all privileged access to infrastructure, and can be integrated with the organization’s identity provider to ensure all privileges are removed across all systems when a user departs
Class A: StrongDM qualifies as a privileged access management solution


To learn more about how StrongDM can help you meet the updated requirements of NYDFS, you can sign up for a demo here.


About the Author

, Chief Marketing Officer (CMO), is a distinguished marketing leader with a track record spanning over two decades in the software industry. With tenure of over 10 years as a Chief Marketing Officer, she has left an indelible mark on companies such as Oracle, Veritas, MarkLogic, Evident.io, Palo Alto Networks, and her current role of CMO at StrongDM. Michaline's expertise lies at the intersection of technology and marketing, driving strategic initiatives that fuel business growth and innovation.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

MFA Fatigue Attack: Meaning, Types, Examples, and More
MFA Fatigue Attack: Meaning, Types, Examples, and More
This article investigates MFA fatigue attacks. We'll explain how they work, why they're effective, and who they typically target. We'll also provide real-life examples to help your team detect and prevent these threats. You'll leave with a clear understanding of MFA fatigue attacks and tips on how to shore up your cloud security to defend against them.
What Is User Provisioning? How It Works, Best Practices & More
What Is User Provisioning? How It Works, Best Practices & More
User provisioning is the process of managing user access within an enterprise. It involves creating, managing, and deprovisioning user accounts and access rights across various systems and applications. This includes setting up accounts, assigning roles and permissions, and managing identities.
Zero Trust vs. VPN: Key Differences Explained (Side-by-Side)
Zero Trust vs. VPN: Key Differences Explained (Side-by-Side)
Understanding the core differences between a Zero Trust architecture and a Virtual Private Network (VPN) is an important step in shaping your organization’s cybersecurity strategy. Zero Trust and VPNs offer distinct approaches to security; knowing their functionalities and security philosophies helps you understand when to select one or the other to protect your data effectively—a strategic necessity for robust cybersecurity.
Top 9 Zero Trust Security Solutions
Top 9 Zero Trust Security Solutions in 2024
Zero trust is a security and authentication model that eliminates the assumption of trust and shifts the focus from a traditional security parameter, like a VPN or firewall, to the individual user. Nearly all (92 percent) cybersecurity professionals agree that it’s the best network security approach that exists. In this article, we’ll evaluate the top nine zero trust solutions and help you decide which is right for your organization.
StrongDM vs. AWS SSM Session Manager: Side-by-Side Comparison
StrongDM vs. AWS SSM Session Manager: Side-by-Side Comparison
Both AWS Systems Manager (SSM) Session Manager and StrongDM are solutions for gaining remote access to critical infrastructure. Yet, while they share some of the same capabilities required of an enterprise access management platform, the execution and the ultimate goals they accomplish for security and compliance teams are very different.