The citymeetings.nyc logo showing a pigeon at a podium with a microphone.

citymeetings.nyc

Your guide to NYC's public proceedings.
QUESTION

What protocols are in place to ensure policy and protocol updates are relevant and audited?

1:25:13

·

107 sec

The council member inquires about the process for updating policies and protocols to ensure relevancy and auditing. The chief information security officer explains that they follow industry best practices for remediation timelines and vulnerability management programs.

  • Their policies are updated as needed if the threat landscape changes.
  • They issue heightened directives when there are ongoing threats of exploitation.
  • They mimic federal government directives for critical vulnerabilities impacting federal agencies.
  • This is done to protect New Yorkers' data, following industry best practices.
Jennifer GutiƩrrez
1:25:13
I guess as much as you can share about the regularity of updating the policies.
1:25:19
Like, I understand from your previous response, it really it really just depends.
1:25:23
But what what can OTI say to the public about ensure wearing that the policies are being updated, that they're relevant, that they're audited.
1:25:32
I don't know if if you all do that as well, but what can you all share with us?
1:25:37
About those particular protocols.
Kelly Moan
1:25:38
Absolutely.
1:25:39
Thank you for the question and for the opportunity to share.
1:25:42
So we follow best in best in class industry best practices for remediation timelines for let's say vulnerabilities and our associated vulnerability management program.
1:25:52
We've also, at times, actually, fallen followed the federal government with regard to advisories such as directives for emergency and critical.
1:26:03
So these are important and urgent ongoing exploitation of of vulnerabilities from threat actors.
1:26:13
And so we've we've we have our routine timelines in in place and associated policies.
1:26:19
That are updated when when they need to be updated if the the threat landscape changes.
1:26:25
But we also have heightened directives that we've pushed out in particular when we see that there's an ongoing threat of exploitation, and we're seeing that the federal government are are counterparts at the cyber security infrastructure security agency putting out a directive that impacts federal civilian agencies.
1:26:46
We typically mimic that and actually pushed out one of our own for our city agencies as well.
1:26:52
Because, again, it's it's industry best practice, and we wanna make sure we're doing everything we and furtherance of protection of New Yorkers data.
Jennifer GutiƩrrez
1:26:59
Thank you.

← Previous Chapter

How does the city respond to zero-day vulnerabilities and potential data breaches?

Next Chapter →

What is the frequency and process of application security audits conducted by NYC Cyber Command?
Citymeetings.nyc pigeon logo

Is citymeetings.nyc useful to you?

I'm thrilled!

Please help me out by answering just one question.

What do you do?

Thank you!

Want to stay up to date? Sign up for the newsletter.