To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) recently released the Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cyber security programs.
The framework is expected to be the first step in a continuous process to improve the nation's cyber security landscape after President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The order called for the development of a voluntary, risk-based cyber security framework that provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
The framework allows organizations—regardless of size, degree of cyber risk or cyber security sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.
Organizations can use the framework to determine their current level of cyber security, set goals for cyber security that are in sync with their business environment and establish a plan for improving or maintaining their cyber security. It also offers a methodology to protect privacy and civil liberties to help organizations incorporate those protections into a comprehensive cyber security program.
The three main elements described in the document are the framework core, tiers and profiles. The core presents five functions—identify, protect, detect, respond and recover—that, taken together, allow any organization to understand and shape its cyber security program. The tiers describe the degree to which an organization's cyber security risk management meets goals set out in the framework and "range from informal, reactive responses to agile and risk-informed." The profiles help organizations progress from a current level of cyber security sophistication to a target improved state that meets business needs.
NIST also released a "Roadmap" document to accompany the framework that lays out a path toward future framework versions and ways to identify and address key areas for cyber security development, alignment and collaboration. NIST will continue to serve as a convener and coordinator to work with industry and other government agencies to help organizations understand, use and improve the framework. This will include leading discussions of models for future governance of the framework, such as potential transfer to a non-government organization.
In the wake of recent high-profile data breaches, including those at Target and Neiman Marcus, protecting your company's sensitive data has become a national talking point. Contact ECBM, LP today to discuss how you can better safeguard your assets.