WISP | 23 NYCRR 500 Policies & Standards


23 NYCRR 500 Written Information Security Program (WISP).




The New York Cyber Security Regulation, officially known as 23 NYCRR 500, is a regulation that requires financial service organizations and their third-party vendors to implement written information security programs.

All documentation and information relevant to the covered entity’s cybersecurity program shall be made available to the NYDFS superintendent upon request.

As a result, it’s important to have the proper documentation that meets each of the requirements set forth in 23 NYCRR 500.

aNetworks, Inc. provides customized WISPs that comply with 23 NYCRR 500. This is a comprehensive, editable, easily implemented document that contains the policies, control objectives, standards, and guidelines your company needs to secure data and meet NY compliance requirements.

Our 23 NYCRR 500 WISP is designed to achieve the following best practices set forth by New York State Law:

Each covered entity shall maintain a written cybersecurity program designed to protect the confidentiality, integrity, and availability of the covered entity’s information systems.
The written information security program shall be based on the covered entity’s risk assessment and designed to perform the following core cybersecurity functions:

  • Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems;
  • Use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use, or other malicious acts;
  • Detect cybersecurity events;
  • Respond to identified or detected cybersecurity events to mitigate any negative effects;
  • Recover from cybersecurity events and restore normal operations and services; and
  • Fulfill applicable regulatory reporting obligations.

Apart from being completely customizable, it’s a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you, and it covers each of the policies and standards set forth by 23 NYCRR 500.