National cybersecurity framework released — has your organisation considered the implications?
By Catherine D Meyer, Meighan E O’Reardon, Deborah S Thoren-Peden and Amy L Pierce
On 12 February 2014, the National Institute of Standards and Technology (NIST) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The final version is the result of a year-long development process that included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticised as being overly prescriptive and costly to implement in favour of a more general set of recommended privacy practices that should be ‘considered’ by companies.
The cybersecurity framework marks an important step for US cybersecurity policy after an executive order from the Obama administration called for its creation in February 2013. While use of the cybersecurity framework is voluntary, the federal government has been actively exploring various measures to incentivise participation both universally and on a sector-by-sector basis. While the framework is focused on the 16 sectors identified as critical infrastructure, companies outside those areas can use the framework in their risk assessment and enterprise security planning.
The cybersecurity framework is a risk management tool to assist companies with assessing the risk of cyber attack, protecting against attack and detecting intrusions as they occur. According to NIST, it complements, but does not replace, an organisation’s existing risk management processes and cybersecurity programme. It is organised into three parts — the Framework Core, the Framework Implementation Tiers and the Framework Profile. The framework was developed by leveraging existing cybersecurity standards, guidelines and practices. Organisations are encouraged to use it as a tool to continuously assess and improve (where appropriate) cybersecurity practices…
Click on the link below to read the rest of the Pillsbury briefing.