The frontier of cybersecurity has been relatively ungoverned territory. But with so many data breaches occurring in the recent past, the National Institute of Standards and Technology (NIST) has stepped forward in an attempt to bring some order to this lawless land.
NIST has released a document titled “Framework for Improving Critical Infrastructure Cybersecurity.” This document, released on Feb. 12, 2014, is pursuant to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” The executive order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks, promoting safety, security, business confidentiality, privacy and civil liberties.
The Framework is not a one-size-fits-all approach. It recognizes that organizations have unique risks – different threats, vulnerabilities, and risk tolerances – and how they implement the practices in the Framework will vary. Organizations can determine the activities that are important to critical service delivery and prioritize investments in cybersecurity accordingly. The Framework is aimed at reducing and better managing cybersecurity risks and can assist organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program, hopefully taming the wild west of cybersecurity.
The Framework consists of three parts:
- Core,
- Profile, and
- Implementation tiers.
The Core consists of five continuous and concurrent functions (identify, protect, detect, respond, and recover), underlying categories, subcategories, and informative references that provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
Profiles can help an organization align its cybersecurity activities with its business requirements, risk tolerances and resources, as well as identify opportunities for improving cybersecurity posture by comparing the “current” profile (the “as is” state) with a “target” profile (the “desired” state).
The Tiers characterize an organization’s practices over a range from partial (Tier 1) to adaptive (Tier 4), reflecting a progression from informal, reactive responses to agile, risk-informed approaches.
The Framework is technologically neutral and relies on a variety of existing standards, guidelines, and practices. Building from those, the Framework provides a common taxonomy and mechanism for organizations to describe their current and desired states of cybersecurity posture, identify and prioritize opportunities for improvement, and assess progress toward the target state. The Framework complements, and does not replace, an organization’s risk management process and cybersecurity program. The Framework also provides a general set of considerations and processes for addressing privacy and civil liberties implications in the context of a cybersecurity program.
While voluntary, the Framework may be a very useful tool in managing and communicating cybersecurity posture and risks for any organization that depends on technology for critical business processes. Following the Framework can be a huge step toward safeguarding your institution against the outlaws of cybersecurity.