citymeetings.nyc

Your guide to NYC's public proceedings.

QUESTION

Do the data agreements with vendors require encryption while data is being transferred?

0:36:04 · 91 sec

The chief information security officer explains that the city has encryption requirements for data both in internal policies and in contractual agreements with vendors.

  • The city has an attachment called SEY that specifies security requirements for vendor contracts
  • The city also has services agreements that cover security requirements
  • For cloud services, there is a shared responsibility model where the city and vendor are both accountable for security
  • The city has a robust third party risk management program
  • This includes procedural controls in contracts requiring vendors to report cybersecurity incidents to the city
Jennifer Gutiérrez
0:36:04
And in any of those agreements, do you know if the data is required to be encrypted?
0:36:10
What while it's being transferred?
Kelly Moan
0:36:12
So we have encryption requirements for both in in some in our policies, but also in our riders for contractual agreements as well, Attachment SEY, which is a security requirement attachment.
0:36:27
And then we also have a services agreement.
0:36:30
I think largely as we continue to see the use of cloud, right, a key theme with cloud as shared responsibility or shared fate model, making sure that we are, as a customer, making sure that the right security protections are in place, but then we're also holding the vendor accountable or then cloud service provider accountable to also make sure that they're meeting the measure of those requirements.
0:36:54
We have a really robust third party risk management program, which includes not just those technical controls, but also procedurally in those contract documentation and writers, which also even denote again, the reality which is even if a provider puts all the bells and whistles in place for cybersecurity, the reality is is they will they will likely in their time frame suffer a cyber incident.
0:37:19
And for that reason, it's also important for them to understand and know who to contact us.
0:37:25
Right, if they suffer a cybersecurity incident so we can very quickly with the agency assess whether or not there's been any equity impact to New York City equities at play.