Training

US cyber framework

by Mark Rowe

To help the United States’ financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the federal Commerce Department’s National Institute of Standards and Technology (NIST) has released a Framework for Improving Critical Infrastructure Cybersecurity.

The authorities say the framework provides a structure to create and assess cybersecurity work. NIST will present on the US cybersecurity framework at the US-based information security industry body ISACA’s 2014 North America Computer Audit, Control and Security (CACS) Conference in April, and ISACA will release implementation guidance related to it later in 2014.

“COBIT is now serving an important role supporting the nation’s cybersecurity direction,” said Meenu Gupta, CISA, CISM, president of Mittal Technologies and a member of ISACA’s Government and Regulatory Advocacy Committee. “Leaders from around the world collaborated to ensure COBIT 5 is timely, relevant, and practical for today’s enterprises, and NIST’s inclusion of it further demonstrates that COBIT can truly transform an enterprise’s cybersecurity initiatives.

“ISACA assisted in the development of the framework and participated in all of the NIST development workshops to really understand the new framework and its potential impact on critical infrastructure organizations and ISACA members around the world. Given its widespread use and proven value as a governance framework, COBIT was considered by a number of NIST workshop attendees to be a very solid and globally applicable source for inclusion within the framework.”

In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. That order called for a voluntary, risk-based Cybersecurity Framework. The resulting framework has come through public-private collaboration. The aim: to address and manage cyber risk based on business needs, without regulation.

Under Secretary of Commerce for Standards and Technology and NIST Director Patrick D Gallagher said: “The framework provides a consensus description of what’s needed for a comprehensive cybersecurity programme.

“It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”

The framework allows IT users—regardless of size, cyber risk or sophistication—to apply the principles of risk management to the security and resilience of critical infrastructure.

The framework document is labeled “Version 1.0” and is described as a “living” document that will need to be updated.

The three main elements described in the document are the framework core, tiers and profiles. The core presents five functions—identify, protect, detect, respond and recover—for an organisation to shape its cybersecurity. The tiers describe the degree to which an organisation’s cybersecurity risk management meets the goals set out in the framework and “range from informal, reactive responses to agile and risk-informed.” The profiles help an organisation progress from its current level of cybersecurity sophistication to a target improved state that meets its business needs.

“The development of this framework has jumpstarted a vital conversation between critical infrastructure sectors and their stakeholders,” said Gallagher. “They can now work to understand the cybersecurity issues they have in common and how those issues can be addressed in a cost-effective way without reinventing the wheel.”

NIST also released a “Roadmap” document to accompany the framework. It says NIST will continue to serve as a convener and coordinator, working with industry and other government agencies to help organisations understand, use and improve the framework. This will include leading discussions of models for future governance of the framework, such as a potential transfer to a non-government body. To learn more about NIST, visit www.nist.gov

Comment

Paul Martini, CEO at iboss Network Security says: “The creation of a cyber security framework is a great starting point. However, it will be the ability to fundamentally change the way the security posture across each of the five functions – Identify, Protect, Detect, Respond, Recover – that will be the silver bullet to turning the tide on cyber security threats to national critical infrastructure. Hopefully, this framework will inspire debate globally over the how.

“Organisations need to recognise that technology enhancements driven by the likes of DropBox, Apple, and Google have fundamentally changed how our networks operate and how we interact with data. It has meant that we need to revisit much of the legacy security architecture in our networks to assess if it is capable of adapting to these new technologies.

“We have to accept that the old way of approaching security is hopelessly behind in being able to address some of the most acute cyber problems.” Visit www.iboss.com

© 2024 Professional Security Magazine. All rights reserved.