NIST Unveils Draft of Cybersecurity Framework

From: BankInfoSecurity
Executives Given Key Role in Voluntary Framework

By Eric Chabrow

The cybersecurity framework, ordered by President Obama, will emphasize the importance of senior executives in managing programs to secure their enterprises’ information systems and assets, according to a draft of the cybersecurity framework released by the National Institute of Standards and Technology.

“By using this framework, these senior executives can manage cybersecurity risks within their enterprise’s broader risks and business plans and operations,” says the draft dated July 1, but made public a day later.

In February, Obama issued an executive order directing NIST, working with the private sector, to develop a framework to reduce cybersecurity risks that the mostly private operators of the nation’s critical infrastructure could adopt voluntarily.

NIST concedes much more work must be done by the time the final version of the framework is issued next February. Among the areas NIST identifies that need to be addressed in the framework are privacy and civil liberties standards, guidelines and practices as well as helpful metrics for organizations to determine their cybersecurity effectiveness.

“We want to provide something that has flexibility, that can be implemented by different sectors,” Donna Dodson, chief of NIST’s computer security division, said in an interview with Information Security Media Group prior to the draft’s release [see Fulfilling the President’s Cybersecurity Executive Order]. “We want it to be specific in other ways so that we are sure we are working to reduce cybersecurity risks in the critical infrastructure.”

5 Core Cybersecurity Functions

The framework, according to the draft, will revolve around a core structure built from five major cybersecurity functions, each with its own categories, subcategories and informative references. The five functions are Know, Prevent, Detect, Respond and Recover.

The Know function, for instance, would include a category entitled “know the enterprise risk architecture” with subcategories of “understand corporate risk tolerance” and “identify risk assessment methodologies,” as well as others. An information reference, in this instance, would link to guidance such as NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations and ISO 31000: Risk Management.

The framework also will include three implementation levels that reflect an organization’s maturity in addressing cybersecurity. Incorporated into the framework will be a user’s guide to help organizations understand how to apply it, as well as a compendium of informative references, existing standards, guidelines and practices to assist with specific implementation.

Framework as a Guide, Not Detailed Manual

NIST says the framework should not be seen as a detailed manual but as a guide that helps executives, managers and staff understand and assess the cybersecurity capabilities, readiness and risks of their organizations, identify areas of strength and weakness, and decide which aspects of cybersecurity they should productively focus on.
