NIST publishes draft Cyber Risk Framework
The US National Institute of Standards and Technology (NIST) has now released its draft of the delayed cyber security framework recommendation for Information Technology best practices.
The document which was produced in response to President Obama’s executive order in February 2013 details the result of the work undertaken within industry are being adopted by organisations aimed at improving the cyber security of critical infrastructure organisations.
The framework, though voluntary, provides organisations with direction on how best to manage and address the complex field of cyber risk and mirrors other work underway in the UK and internationally.
Recently, the U.K.’s Department for Business, Innovation and Skills (BIS) engaged in an extensive period of industry consultation through its “Call for Views and Evidence on Cyber Security” with submissions put forward by many of the industries leading bodies including CRIF earlier this month.
While critics in the US points to the framework as an indicator of possible future government regulation, NIST Director Patrick Gallaher has dismissed this view saying “the intention is quite emphatic and explicit in the executive order; it’s to provide an approach to disseminate best practices”. Gallaher pointed to the wide consensus among security experts that consistency and the application of best practices were significant to establish effective Cyber Risk controls.
The draft framework produced by NIST bears a strong similarity to many of the submissions made in the UK to BIS. In particular there is a strong emphasis on the importance of risk management running through the framework that mirrors the submission made by CRIF and the Cross Industry Working Group that developed the Cyber Security Organisational Risk (CSOR) Framework.
Other similarities include the flexibility offered through the reuse of current “best practice” management systems to achieve integrated management processes that fit with the current operational need and processes available to organisations. Through a relatively straight forward process companies can improve their cyber security by mapping existing procedures and protocols used by the business onto the requirements identified within these developing frameworks. This can reduce the cost of implementation and the time taken to embed effective controls within existing systems.
An important factor identified in the US and internationally is on the need for collaboration and information sharing on evolving threats to help direct and accelerate the planning of measures more widely across business and government. Here there are a number of issues that need to be addressed regarding legal considerations, such as privacy and confidentiality, and needs to be part of a wider industry debate.
You can download a copy of the draft NIST framework by clicking on the logo below: