NYS SHIELD Compliance Checklist

The SHIELD Act was signed into law to boost the protection of consumers' private information and holds accountable organizations that do business in New York State if they do not demonstrate adherence to SHIELD. Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including, but not limited to, disposal of data.

Please note that organizations deemed compliant with HIPAA, the Gramm-Leach-Bliley Act or the NY State Department of Financial Services cybersecurity regulations may still require additional work to be in compliance with the SHIELD Act.

Survey

1. Name

What is your name?

3. Phone Number

What is your phone number?

4. Organization

What is the name of your organization?

Administrative Safeguards

5. Chief Information Security Officer

Has your organization appointed or designated a person to function in the role of Chief Information Security Officer?

To answer, consider the following:

  • Is there a person that your organization has designated as being responsible for the administration and management of your cybersecurity program? Note: this does not need to be a full-time internal employee with this title, but it does require a person with this skillset.

Rating: 1 (Not at all) to 5 (Completely)

6. Risk Assessment

Has your organization conducted a risk assessment that identifies reasonably foreseeable internal and external risks?

To answer this question, consider your responses to the following questions:

  • Has your organization identified threats to security and information and attempted to assess the likelihood and potential impact of these threats?
  • Has your organization performed a rigorous assessment of potential risks to security and data?
  • Does your organization have a documented plan identifying areas for improving cybersecurity?

Rating: 1 (Not at all) to 5 (Completely)

7. Controlling Risk

Does your organization have an ongoing process to continuously assess the sufficiency of the safeguards that you have in place?

To answer this question, consider the following:

  • Does your organization have a Data Security Policy or Data Breach Policy in place?
  • Have cybersecurity and data security policies been adequately socialized with your staff?
  • Are staff aware of the implications and consequences of violating such policies?
  • Does your organization have a process for onboarding new staff that includes training on cybersecurity and data policies?
  • Are there established intervals (e.g. quarterly) for reassessment of risk, modifying policy and re-training staff?

Rating: 1 (Not at all) to 5 (Completely)

8. Cyber Awareness Training

Does your organization provide Cyber Awareness training to all employees at least annually?

To answer this question, consider your responses to the following questions:

  • Do you provide cybersecurity awareness training to all staff at least annually?
  • Do you provide ongoing awareness training in the form of videos or other content?
  • Do you test employees on their cybersecurity awareness?

Rating: 1 (Not at all) to 5 (Completely)

9. Phish Testing

Does your organization regularly "phish" your staff to determine vulnerability to common phishing tactics?

To answer this question, consider your responses to the following questions:

  • Does your organization have a mechanism for sending periodic phishing simulations to your staff?
  • Do the simulations include remedial training for staff who engage with the phishing simulations?
  • Does your organization review data on staff engagement with phishing simulations?

Rating: 1 (Not at all) to 5 (Completely)

10. Vendor Safeguards

Does your organization have a process for selecting and contracting with service providers who also maintain reasonable safeguards?

To answer this question, consider your responses to the following questions:

  • Does your organization perform a standard vetting process for establishing the security posture of third-party vendors and other service providers?
  • Does your organization include in its contracts requirements that third parties provide reasonable safeguards to protect private information?

Rating: 1 (Not at all) to 5 (Completely)

11. Review Process

Does your organization have an established, documented process for regularly reviewing your cybersecurity program?

To answer this question, consider the following:

  • Does your organization have a process for regularly evaluating your security program?
  • When business practices change, such as when new programs are added or staff are expanded, do you evaluate how this affects your cybersecurity and data security programs?
  • When adopting new software programs, do you evaluate these in light of your organizational security requirements?

Rating: 1 (Not at all) to 5 (Completely)

Technical Safeguards

12. Network and Software Design

Does your organization have a process for regularly assessing risks in your network or software systems?

To answer this question, consider the following questions:

  • Does your organization conduct regular, ongoing risk assessments of systems and software?
  • Does your organization perform vulnerability scans on websites, networks and other systems that store or transmit private information?
  • Are policies in place that prevent staff from accessing private information from unsecured networks, such as public wifi?

Rating: 1 (Not at all) to 5 (Completely)

13. Information Processing

Does your organization have a process for regularly assessing and addressing risks in information processing, transmission and storage?

To answer this question, consider your responses to the following questions:

  • Does your organization perform a regular data inventory?
  • Do you know where all data (even informal sources) exist at your organization?
  • Is it standard practice to encrypt data and also maintain secure backups?
  • If most of your data systems are cloud-based, are those systems secure?
  • Is there a process for ensuring that Private Information cannot be downloaded by staff?

Rating: 1 (Not at all) to 5 (Completely)

14. Response Plan

Does your organization maintain a process for detecting, preventing or responding to an attack or system failure?

To answer this question, consider your responses to the following questions:

  • Does your organization maintain a practice of ensuring that anti-malware is installed on all systems that interact with its networks? That includes personal computers when people are working from home.
  • Does your organization have a way of monitoring suspicious traffic?
  • Do you have a documented plan for responding in the event of an attack (also commonly referred to as an Incident Response Plan)? The NY SHIELD Act requires notification within 72 hours; would your organization be able to do that?

Rating: 1 (Not at all) to 5 (Completely)

15. Testing and Monitoring

Does your organization have a defined process for regularly testing and monitoring all key controls, systems and procedures?

To answer this question, consider the following:

  • Does your organization implement regular penetration testing to test the effectiveness of your systems to protect against attack?
  • How does leadership at your organization know if your current systems are capable of protecting private information?

Rating: 1 (Not at all) to 5 (Completely)

Physical Safeguards

16. Information Storage and Disposal

Does your organization have a process in place for assessing risks associated with information storage and disposal?

To answer this question, consider whether your organization:

  • Conducts an ongoing risk assessment that includes the physical security of all systems on your network
  • Manages a system for securing devices in locked cabinets or requiring that staff lock their computers when they are away from them
  • Maintains a process to ensure that only authorized people have access to your physical premises

Rating: 1 (Not at all) to 5 (Completely)

17. Intrusions

Does your organization have a system for detecting, preventing and responding to intrusions?

To answer this question, consider your responses to the following questions:

  • Does your organization prevent unauthorized access by requiring staff to use keycards and securing all access points?
  • Do you have systems in place to detect network and other system intrusions?
  • Do you monitor alerts for hosted and cloud services?

Rating: 1 (Not at all) to 5 (Completely)

18. Unauthorized Access

Does your organization have a process in place to protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of information?

To answer this question, consider whether your organization has:

  • Data governance in place, with administrators who fully understand the lifecycle of data/information as it is collected, transported, destroyed or disposed of
  • Defined and documented safeguards in place at each of these stages that would ensure against unauthorized access

Rating: 1 (Not at all) to 5 (Completely)

19. Disposal

Does your organization have a process for disposing of private information within a reasonable amount of time after it is no longer needed for business purposes?

To answer this question, consider the following:

  • Does your organization have a Data Retention Policy?
  • Is there an end of life built into your organization's data life cycle?
  • Does your organization have a secure process for destroying or purging data when it is no longer needed?
  • When data is no longer needed, is it removed in a way that ensures it cannot be read or reconstructed?

Rating: 1 (Not at all) to 5 (Completely)

Notification

20. Notifying

Does your organization's Incident Response Plan include protocols for notifying affected New York residents in the event of a breach?

To answer this question, consider the following:

  • Does your organization have an Incident Response Plan that articulates what you would do, and who is responsible, in the event of a breach?
  • If there was a breach at your organization, would you be able to notify all affected New York residents within 72 hours?

The New York SHIELD Act requires that an organization "shall notify the owner or licensee of the information of any breach of the security of the system immediately following the discovery." Does your organization have a plan and the ability to immediately notify all affected persons?

Rating: 1 (Not at all) to 5 (Completely)