Section 5-E.3 Definitions
Effective Date
Section 5-E.3 Definitions.
For the purposes of this Appendix the following terms shall have the indicated meaning:
(a) “Control” means any mechanism, safeguard, policy or security measure that is put in place pursuant to an implementation specification to satisfy the requirement for a security measure.
(b) “Compensating control” means any alternative measure that is put in place to satisfy the requirement for a security measure.
(c) “Cyber asset inventory” means an inventory of:
(1) operational technology assets that are reachable or accessible by a management, control, or communications protocol; and
(2) information technology assets that are physically or logically connected to operational technology.
(d) “Cybersecurity event” means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse a covered water system’s operational technology.
(e) “Cybersecurity incident” means a cybersecurity event or attack that, directly or indirectly:
(1) has an adverse impact on any operations of the covered water system that affect the ability of the covered water system to comply with the requirements of this Subpart; or
(2) has a reasonable likelihood of compromising any operations of the covered water system or any of its components; or
(3) actually or imminently jeopardizes the confidentiality, integrity, or availability of nonpublic information related to the covered water system, or results in loss or damage to the covered water system’s normal operations.
(f) “Cybersecurity vulnerability analysis” or “CVA” means the analysis of vulnerability to cyber attack that each covered water system shall conduct in accordance with Public Health Law section 1125(2)(k) and subdivision 5-1.33(c) of this Subpart.
(g) “Department” means the New York State Department of Health.
(h) “Information technology” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, provided that information technology does not include operational technology.
(i) “Multi-factor authentication” means user identity authentication that requires a user to provide at least two of the following distinct factors for successful authentication:
(1) something the user knows; or
(2) something the user has; or
(3) something the user is.
(j) “Nonpublic information” means all electronic information that is not publicly available information and is:
(1) a covered water system’s business-related information, where compromise to its confidentiality, integrity, or availability would impact that system’s ability to comply with the requirements of this Subpart; or
(2) information determined by the covered water system to pose a security risk to the operation of the water system in accordance with subdivision 5-1.33(h) of this Subpart.
(k) “Operational technology” means hardware, software, and firmware that detect or cause changes in physical processes through the direct control and monitoring of industrial equipment, assets, processes, and events in the covered water system.
(l) “Principle of least privilege” means a security principle that restricts the access privileges of users, or processes acting on behalf of users, to the minimum necessary to accomplish assigned tasks.
(m) “User” means any employee, contractor, agent or other person that operates a covered water system and is authorized to access and use any operational technology and data of such covered water system.