The existing requirement for penetration testing now includes assessments “from both inside and outside the information systems’ boundaries by a qualified internal or external independent party at least annually.”
There is a new requirement to conduct automated scans of information systems and a manual review of systems not covered by such scans to discover, analyze and report vulnerabilities at a frequency to be determined in the entity’s risk assessment.
There is a new requirement to have a monitoring process in place to be promptly informed of new security vulnerabilities and to remediate such vulnerabilities in a timely manner, giving priority based on the risk they pose to the Covered Entity.
There are limits on user access privileges, for example: limiting user access to nonpublic information and privileged accounts to only those necessary to perform the user’s job, annually reviewing all user access privileges, terminating accounts when no longer necessary, promptly terminating access following user departures, and disabling or securely configuring all protocols that permit remote control of devices.
There is a new requirement to implement a written password policy that meets industry standards, to the extent passwords are used for authentication.
There is an updated requirement to use multi-factor authentication for any individual accessing any information systems of a Covered Entity, subject to certain limited exemptions.