Our comprehensive assessment helps you determine your current level of cybersecurity and risk, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining your cybersecurity. We evaluate your security environment for compliance with federal and state recommended standards with a thorough review of all devices on the network, your data in the cloud and locally stored, access controls, and physical environment vulnerabilities to the security of your data. In addition, we evaluate your ability to continue business operations should your business be impacted from threats like cyber attacks, or employee negligence/maliciousness, extended power outage or natural disasters. Recommended remediation actions are included in the report. Our risk assessment includes compliance requirements for 23 NYCRR-500 and can be expanded for organizations subject to specific data security regulation and compliance requirements such as SEC, HIPAA or PCI.

After your Risk Assessment is completed, we help create your documented cybersecurity policies which should be in place to guard critical data against attacks. Your policies will help ensure the security and confidentiality of personally identifiable information (PII) of customers, clients, employees or vendors as well as sensitive company data. We also help you define access controls, define sanctions for employees or third party vendors who don’t comply, create a Bring Your Own Device policy, and an Incident Response Plan. After finalizing the policies with you, we organize them in your compliance portal where we can then track and report on staff acknowledgement of policies.

Business continuity and disaster recovery planning requires advance preparation to ensure that critical business functions can continue. CXG’s Compliance Navigator helps you create documented plans and procedures to ensure the quick, effective execution of continuation or recovery strategies for critical business functions should the business be impacted by natural disaster or successful cyber attack.

The purpose of this plan is to develop procedures for the identification, response, and documentation of security incidents, the mitigation of effects of known security incidents, reporting of breaches and breach response such as notification of affected customers.

To assure that systems containing personally identifiable information and sensitive company data are accessed only by those persons or software programs that have been granted appropriate access rights. Includes guidelines and procedures such as password creation and management, user identification, and encryption.

With human-error being the most common reason for a cyber intrusion, employee security training is crucial to ensuring employees know how to spot a hacking attempt. We offer automated security awareness training as well as in-person annual company updates on the latest cyber threat landscape and updates to company policies. 23NYCRR-500.14b specifies that nonexempt companies provide regular cyber risk awareness training to all personnel.

23NYCRR-500 regulation compliance has been divided into transitional periods to allow for adoption of all parts, as well as annual certifications. We will provide you with deadline reminders, checklists for compliance, and any updates to the regulation.

The Compliance Navigator service includes the addition of new employees to trainings, weak link reporting, and policy acknowledgment reporting.

• Managed Advanced Antivirus, Antimalware, web security upgrade, and Antiransomware package. Our team of experts will provide all the software, licensing, management and updates for the PCs and servers as part of the service.
• Advanced endpoint security protection centrally managed by CXG
• Detects and protects your files from viruses, worms, rootkits, Trojans, and other threats.
• Flexible deployment methods (push over VPN, URL, Group Policy, or exe)
• Reporting on endpoint compliance, threat detection, and custom reports available
• Advanced options available: Exchange and other email security; Encryption; Data Loss Prevention (DLP)

Multifactor Authentication (MFA), such as the familiar 2-step verification option in Gmail, means authentication through verification of at least two of the following types of authentication factors: such as a password; a token or text message on a mobile phone; or a biometric characteristic. MFA helps you secure access to sensitive data, applications, and networks. Corporate MFA policies and implementation can be extremely complex given the increasing sophistication of hackers combined with lax policies, user’s lack of technical ability and issues such as employees using their own phones and laptops for work. CXG’s Managed Multifactor Authentication Solutions simplify company wide MFA management. MFA is required for non-exempt companies, 23 NYCRR-500.12.

We offer geographically-disparate versioned image-type backups that allow us to keep your company up and running even in the event of a large scale disaster, such as a hurricane, earthquake, etc. Further, should there be a successful ransomware incident, we can go "back in time" to a point before the encryption, removing the need to pay ransom to get your data back.

CX can provide both "data-in-transit" and "data-at-rest" solutions to help you comply with security needs.

Event reporting guidance and security event log included in plan. Forensics assistance provided on hourly basis.

Required by section 500.05 of 23 NYCRR-500. For nonexempt companies, continuous monitoring technology is not precisely defined in part because the manner of implementation will vary depending on infrastructure and the company’s cybersecurity program and in-house IT capacity. CXG works with you to develop a continuous monitoring program appropriate for your company.

Having a cybersecurity expert actively try to defeat and penetrate your security from the outside, seeing what information they can get access to. Of course, everything needs to be covered by NDA. In the absence of continuous monitoring services, DFS requires annual penetration testing for nonexempt companies, per 23 NYCRR-500.05.

Scanning all systems inside, and your networking equipment from outside, for known problems and methods of ingress. In the absence of continuous monitoring services, DFS requires bi-annual vulnerability testing per 23 NYCRR-500.05.

23 NYCRR-500.11 requires that by March 1, 2019 all companies subject to these requirements comply with the Third Party Service Providers Policy, which includes due diligence be undertaken to identify Company data accessible by Third Party Service Providers and assess risk, then implement requirements for that third party’s cybersecurity practices in order for them to do business with the Company. CXG’s Compliance Navigator portal can be used to track third party due diligence, set reminders and organize related documents.. Optional third party reviews available.