On Deck: The Cybersecurity Framework

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.databreachtoday.com/on-deck-cybersecurity-framework-a-6488

The soon-to-be-issued cybersecurity framework is not, as some maintain, a
federal government mandate for how the nation's privately owned critical
infrastructure operators must secure their information systems. Rather,
it's designed to be a catalog of tools to help organizations develop
information security protection programs.

Scheduled to be released on Feb. 13, the creation of the framework was a
collaborative effort of the government and the private sector. It's
intended for voluntary use in such critical infrastructure sectors as
agriculture, energy, healthcare, financial services and transportation, to
name a few.

The cybersecurity framework consists of best practices used by the
government and businesses to reduce risk to critical infrastructure; it
relies on existing international standards, practices and procedures that
have proven to be effective.

"It's a good table of contents to existing standards and practices, a
reflection of what's going on in industry," says Chris Blask, chairman of
the Industrial Control Systems Information Sharing and Analysis Center, one
of hundreds of groups and individuals that helped formulate the framework.

Building off standards, guidelines and practices listed in the document,
the framework furnishes a common approach for organizations to describe
their current and target cybersecurity postures, identify and prioritize
prospects for improving IT security through risk assessment, evaluate
progress and foster communication among stakeholders.

At the core of the framework are five functions - identify, protect,
detect, respond and recover - which provide a high-level, strategic view on
how an organization manages risk. The core is divided into function groups
such as asset management, access control and detection processes.

No Mandate

The framework is voluntary; infrastructure owners cannot be compelled to
adopt it. Indeed, a significant number of individuals and organizations
formally commenting on the framework stated that its voluntary nature
should be reinforced throughout the document.

Often branded as the NIST framework because President Obama last year
ordered the National Institute of Standards and Technology to work with the
private sector to develop the guide, it incorporates hundreds of ideas
presented by the private sector.

"This is one of the better examples of public-private sector cooperation
we've seen," says Paul Smocer, president of BITS, the technology policy
division of the Financial Services Roundtable. "NIST had not only offered a
lot of opportunities to the private sector to engage in the development of
the framework, but in reality, the private sector was engaged."

Obama proposed the cybersecurity framework in his 2013 State of the Union
address to help mitigate growing cyberthreats to the nation's critical
infrastructure. He signed an executive order last February designating NIST
to shepherd the creation of the framework (see Obama Issues Cybersecurity
Executive Order).

NIST held five workshops as well as well as numerous meetings, webinars and
informal sessions to gather feedback from stakeholders in government, the
private sector and academia. NIST, which estimates more than 3,000 people
participated in the process, solicited comments from stakeholders and
received nearly 2,500 suggestions on what should be contained in the
framework.

A Shift on Privacy

One of the more influential suggestions came from Harriet Pearson, the
former chief privacy officer of IBM, who wrote that the privacy guidance in
the preliminary draft of the framework would discourage companies from
voluntarily adopting it (see Reworking Framework's Privacy Approach). NIST
had based the proposed privacy provisions on language culled from its
guidance designed for federal government agencies that does not reflect
private-sector consensus on privacy.

"While government agencies have to be held to a high bar as they conduct
their own cybersecurity efforts - because government is unique and
government has many powers industry does not have - the same standards and
rules that apply to government are not applicable to industry," says
Pearson, a partner in the law firm Hogan Lovells.

Also, Pearson contends, the privacy provisions incorporated in the
preliminary draft were too broad. Instead, she offered NIST an alternative
privacy methodology that addresses privacy as it relates to specific
cyber-activities, such as privacy concerns raised by continuous monitoring
or information sharing. NIST incorporated Pearson's methodology into the
framework.

Pearson says having the framework reflect industry consensus should help
encourage adoption by organizations that need to strengthen their IT
security.

Even those with sophisticated information security programs based on other
IT security frameworks could benefit from the plan emanating from NIST.

BITS's Smocer sees the cybersecurity framework helping the financial
services industry even though most banks and financial companies have had
sophisticated IT security programs in place for years. He says many banking
industry partners in other sectors provide needed services that could be
threatened if they don't implement an appropriate IT security program. "The
framework will help raise those folks to same level as we are and we'll all
be in much better shape," Smocer says.

The Cost Factor

Smocer's enthusiasm for the framework isn't shared by all.

The industry trade group Internet Security Alliance, in a paper published
to coincide with the release of the NIST framework, questions whether it's
cost-effective, a condition of the president's executive order. That's
important, the alliance says, because organizations, whether public or
private, consider cost when assessing risk.

"The cost-effectiveness requirement in the president's executive not only
makes imminent sense; it is fundamental to the long-term success of
voluntary adoption of the framework," the paper says.

Cost is on the mind of Joseph Rigby, chief executive of Pepco Holding, an
energy distribution company. Rigby, along with other top infrastructure
company executives, met with Obama late last year to discuss the framework
in the White House Situation Room (see Obama, CEOs Meet on Cybersecurity
Framework). He said Pepco would voluntarily adopt the framework, but added
that his firm would seek approval from state regulators to incorporate the
costs of adopting the framework in the rates it charges customers.

"It is important that the federal government and the states speak with one
voice on cybersecurity and support the recovery of the costs of protecting
critical infrastructure and information against the perpetrators of
cyber-attacks," Rigby says. "We expect these expenses to continue to rise
as standards evolve and new threats arise."

A Living Document

The costs to implement the framework, as well as other elements, such as
incentives to get companies to adopt the framework, won't appear in version
1.0 of the framework NIST is releasing Feb. 13.

"People have to realize that this is the beginning and not the end," says
Adam Sedgewick, the NIST executive overseeing the creation of the
framework. "It's a living document."

Over the next half year, NIST will sponsor workshops and other events to
help organizations adopt the framework and to review stakeholder
experiences with version 1.0 in order to improve the next iteration of the
guidance.

Sedgewick says implementing the framework alone cannot assure that an
organization's information systems will be secure. "The framework is
something that needs to be embraced by organizational culture instead of
something that's freestanding," he says.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!