In late October 2013, the U.S. National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework. Although NIST is a U.S. standards body, it is influential internationally and is looked to as a trendsetter in security, cloud computing and other IT standards.
The Framework is voluntary and provides guidance on managing cybersecurity risk for operators of critical infrastructure (e.g., power generation, transportation and telecommunications). President Obama directed (in Executive Order 13636, issued in February 2013) that the Framework be developed to encourage these operators to manage cybersecurity risk with the same rigour they apply to financial, safety and operational risk. Treating cybersecurity as an enterprise risk rather than a purely technical matter is a recurrent theme in recent thinking about the subject.
Overview of the Preliminary Cybersecurity Framework
The Framework leverages many existing industry standards and is designed to complement, rather than replace, an organization’s existing practices. It is a risk-based approach that comprises three essential components:
1) The Framework Core consists of five functions (identify, protect, detect, respond and recover), each subdivided into categories and subcategories. Each subcategory is a desired outcome (for example, that assets are inventoried or that anomalous activity is detected) and is mapped to existing industry standards, guidelines and best practices that organizations can adopt to achieve it.
2) The Framework Profile is a tool used to help organizations reduce cybersecurity risk. An organization creates a “Current Profile” recording which Core outcomes it achieves today, and compares it against a desired “Target Profile”. The gaps between the two profiles indicate areas for improvement.
3) The Framework Implementation Tiers describe the sophistication of an organization’s risk-management practices. The classification ranges from Tier 1 (Partial) to Tier 4 (Adaptive); the higher the tier, the more formal, repeatable and risk-informed the organization’s cybersecurity risk-management practices are.
The Framework in Practice
Applying the essential components mentioned above, the Framework recommends the following steps for creating or improving a cybersecurity program:
Step 1: Identify the organization’s objectives, assets, regulatory requirements and overall risk approach.
Step 2: Create a Current Profile of the organization’s cybersecurity risk using the Framework Core.
Step 3: Conduct a risk assessment, so that the likelihood and impact of cybersecurity events inform the choice of target outcomes.
Step 4: Create a Target Profile describing the outcomes the organization wants to achieve, taking the risk assessment into account.
Step 5: Determine, analyze and prioritize the gaps that exist between the Current Profile and the Target Profile.
Step 6: Implement an action plan to close the prioritized gaps between the Current Profile and the Target Profile, and repeat the cycle as risks and the business change.
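Steps 2 to 6 amount to a gap analysis: score where you are, score where you want to be, weight the shortfall by risk and act on the biggest weighted gaps first. The following Python script is an added illustration of that procedure and is not NIST's own tooling. It makes one simplifying assumption: outcomes are scored at the level of the five Core functions on the 1 to 4 tier scale from the article, whereas a real Profile is built from the Core's subcategories and the Tiers describe the organization as a whole. The profiles and risk weights are constructed sample data, not taken from any real organization.

```python
"""Framework-style gap analysis (added example; assumptions noted inline).

Simplification: each of the five Core functions gets a single 1-4 score in
the Current and Target Profiles, and a 1-5 risk weight from the Step 3 risk
assessment. A real Profile is scored per subcategory, not per function.
"""
from dataclasses import dataclass

FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")
TIER_MIN, TIER_MAX = 1, 4   # Tier 1 (Partial) .. Tier 4 (Adaptive)
RISK_MIN, RISK_MAX = 1, 5   # assumed risk-weight scale for this example


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int
    risk: int

    @property
    def size(self) -> int:
        """How many tiers short of the target this function is."""
        return self.target - self.current

    @property
    def priority(self) -> int:
        """Step 5: a bigger shortfall on a higher-risk function ranks higher."""
        return self.size * self.risk


def validate_profile(profile: dict, name: str) -> list:
    """Return a list of problems with a profile (empty list means valid)."""
    problems = []
    for fn in FUNCTIONS:
        if fn not in profile:
            problems.append(f"{name} profile is missing function '{fn}'")
    for fn, tier in profile.items():
        if fn not in FUNCTIONS:
            problems.append(f"{name} profile has unknown function '{fn}'")
        elif not (TIER_MIN <= tier <= TIER_MAX):
            problems.append(f"{name} profile: '{fn}' tier {tier} outside {TIER_MIN}-{TIER_MAX}")
    return problems


def gap_analysis(current: dict, target: dict, risk: dict) -> list:
    """Steps 2-5: compare profiles and return prioritized gaps, highest first."""
    problems = validate_profile(current, "Current") + validate_profile(target, "Target")
    for fn, weight in risk.items():
        if fn not in FUNCTIONS or not (RISK_MIN <= weight <= RISK_MAX):
            problems.append(f"risk weight for '{fn}' invalid: {weight}")
    if problems:
        raise ValueError("; ".join(problems))

    gaps = []
    for fn in FUNCTIONS:
        if target[fn] - current[fn] <= 0:
            continue  # already meets or exceeds the target: nothing to plan
        gaps.append(Gap(fn, current[fn], target[fn], risk.get(fn, RISK_MIN)))
    # Highest weighted priority first; break ties by raw shortfall, then Core order.
    gaps.sort(key=lambda g: (-g.priority, -g.size, FUNCTIONS.index(g.function)))
    return gaps


def action_plan(gaps: list) -> list:
    """Step 6: turn the ranked gaps into ordered action items (as strings)."""
    return [
        f"{i}. raise '{g.function}' from tier {g.current} to tier {g.target} "
        f"(shortfall {g.size}, risk {g.risk}, priority {g.priority})"
        for i, g in enumerate(gaps, start=1)
    ]


# Constructed sample data for a hypothetical operator (not real figures).
CURRENT_PROFILE = {"identify": 2, "protect": 3, "detect": 1, "respond": 2, "recover": 2}
TARGET_PROFILE = {"identify": 3, "protect": 3, "detect": 3, "respond": 3, "recover": 4}
RISK_WEIGHTS = {"identify": 3, "protect": 4, "detect": 5, "respond": 4, "recover": 2}

if __name__ == "__main__":
    for line in action_plan(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHTS)):
        print(line)
```

With the sample data, "protect" already meets its target and produces no action item; "detect" ranks first because a two-tier shortfall on the highest-risk function outweighs everything else, and "recover" edges out "respond" on raw shortfall when their weighted priorities tie. Swapping in per-subcategory scores and a real risk register changes the inputs, not the procedure.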
On October 29, NIST opened a 45-day public comment period on the Preliminary Framework. After collecting and analyzing the feedback, NIST plans to release the official Framework in February 2014. The Framework is part of, and should be read in the context of, a broad and intensifying response to cybersecurity by businesses, industry and regulators. This topic should be on every enterprise’s radar.
Prepared with assistance from Sam Ip