Friday, April 4, 2014

NIST Framework Provides Core Cybersecurity Guidelines

by Stephen G. Smith

The long-awaited cybersecurity guidelines from the Department of Commerce's National Institute of Standards and Technology (NIST) were released in February, and hopes are high that they will give U.S. businesses a model for cost-effectively building and maintaining the processes needed to manage growing cybersecurity risk.

NIST's Framework for Improving Critical Infrastructure Cybersecurity, born from President Obama's Executive Order 13636, sets out voluntary practices for use not only by financial institutions but by other sectors as well, including government and healthcare. It draws on existing international standards and practices with a track record of success. While not meant to be a one-stop shop, the framework serves as a flexible starting point for mapping out high-level risk management concepts and connecting them with regulatory rules and guidance, including today's chief regulatory yardstick for financial institutions, the FFIEC's IT Examination Handbook.

This baseline framework will certainly go through periodic revisions, but the more it matures, the more effective it will become and the more likely it is to shape mandatory regulatory standards, fostering greater consistency among the different regulatory agencies.

While the framework as a whole guides institutions in identifying key risk management tactics, its Appendix A presents the Framework Core in an easy-to-navigate tabular format listing common activities for managing cybersecurity risk. The tables are organized into four levels, each more specific than the last: five Functions (Identify, Protect, Detect, Respond and Recover), Categories, Subcategories and Informative References. Institutions can use this structure to customize a cybersecurity risk management program. The Informative References column is particularly useful because it points each Subcategory to specific sections of the same standards regulators and examiners already rely on, such as ISO/IEC 27001:2013, NIST SP 800-53 Rev. 4, COBIT 5 and the Council on CyberSecurity's Critical Security Controls, giving an institution solid ground on which to build a program.

The framework also can be used to build a basic checklist to compare against current processes and procedures. In the framework's own terms, an institution documents a Current Profile of which Subcategories it already meets and a Target Profile of where it wants to be; the gap between the two becomes the baseline for prioritizing information security dollars. In addition, a compliance partner can perform an independent information security assessment to validate that self-assessment and the institution's regulatory compliance posture. Keep in mind that the framework itself is voluntary, so adopting it does not by itself satisfy any examiner; its practical value lies in the mapping from its Subcategories to the regulatory guidance that does apply.

Over the coming months, NIST will hold workshops to help organizations use the framework and to review how well this first version works in practice.

Time will tell whether enough organizations adopt the framework to raise the nation's cybersecurity posture as a whole. If you are unsure of your own level of risk management maturity, the framework is a good place to start.