09 Apr Developing a Cybersecurity Framework

In February 2013, President Obama issued Executive Order 13636 on Improving Critical Infrastructure Cybersecurity. This Order calls for the development of a framework of industry standards and best practices to help organizations manage increasing cybersecurity risks. On February 12, 2014, the National Institute of Standards and Technology (NIST) responded to the President’s order with its Cybersecurity Framework.

The Cybersecurity Framework, which was created in collaboration with the private sector, focuses on using business drivers to guide cybersecurity activities. It is a risk-based approach that uses common language to address and manage cybersecurity risks in a business-specific, cost effective way. This voluntary framework is made up of three parts, each of which reinforces the connection between business drivers and cybersecurity activities.

The Framework Core provides a set of activities designed to achieve specific cybersecurity outcomes. The core is made up of five broad functions that help organizations express their management of cybersecurity risks.

• Identify: Develop organizational understanding to manage cybersecurity risks to systems, assets, data and capabilities.
• Protect: Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.
• Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
• Respond: Develop and implement appropriate activities to respond to a cybersecurity event.
• Recover: Develop and implement appropriate activities to maintain operations and restore capabilities or services impaired by a cybersecurity event.

Framework Implementation Tiers provide context on how organizations view cybersecurity risks and the processes in place to manage that risk. Tiers are used to describe an organization’s commitment and sophistication in managing cybersecurity risks. They also describe the extent to which cybersecurity risk management is informed by business needs and integrated into an organization’s overall risk management practices.

The four tiers reflect a progression from informal, reactive responses to cybersecurity risks to approaches that are agile and risk-informed.

• Tier 1 (Partial)
• Tier 2 (Risk Informed)
• Tier 3 (Repeatable)
• Tier 4 (Adaptive)

Determining which tier applies to an organization depends on current risk management practices, threat environment, regulatory requirements, business objectives and organizational constraints. However, the NIST notes that tiers do not represent maturity levels, so progression to higher tiers is encouraged when it would reduce cybersecurity risks in a cost effective manner.

The Framework Profile is the alignment of an organization’s cybersecurity framework with its business requirements, risk tolerance and resources. Profiles enable organizations to establish a roadmap for reducing cybersecurity risk that meets organizational goals, implements best practices, considers regulatory requirements and reflects priorities.

Profiles can be used to describe an organization’s current state or target state of cybersecurity activities. Comparing current and target profiles can be used to identify gaps in an organization’s cybersecurity risk management practices. Given the need for flexibility, the NIST did not impose or require a specific form or format that must be followed when creating and implementing a profile.

It is important to remember that the Cybersecurity Framework is voluntary and that, according to the NIST, it will not place additional regulatory requirements on businesses. Nevertheless, it should serve as a reminder that data security breaches can happen to any organization.

As we have seen, preventative measures are not foolproof, so organizations should also consider protecting against data security breaches with insurance. Given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.

If you would like to learn more about insuring against data security breaches, contact us.

If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches

If you would like to subscribe to our newsletters please click here.