Protiviti just published an interesting Flash Report about cybersecurity measures for critical infrastructure in the United States. Our report stems from a preliminary cybersecurity draft framework that the National Institute of Standards and Technology (NIST) released last month for comment. NIST developed this framework in response to an Executive Order from President Obama calling for increased cybersecurity of our nation’s infrastructure, followed up by numerous workshop discussions and other stakeholder engagement activities conducted by NIST to solicit feedback and recommendations.
As detailed in our Flash Report, NIST’s preliminary cybersecurity draft framework includes three components:
The framework core – This component is a compilation of cybersecurity activities and references common across critical infrastructure sectors. The core presents standards and best practices in a manner that allows for communication and risk management across the organization from the senior executive level to the implementation/operations level. It consists of five functions providing a high-level, strategic view of an organization’s management of cybersecurity risk – identify, protect, detect, respond and recover. It also identifies underlying key categories and subcategories for each of these functions, and matches them with informative references such as existing standards, guidelines and practices for each subcategory. To illustrate, the “protect” function includes the following categories: data security, access control, awareness and training, and protective technology. The framework drills down from there.
The framework implementation tiers – This component demonstrates the implementation of the framework’s core functions and categories and indicates how cybersecurity risk is managed. These tiers range from “partial” (Tier 0) to “adaptive” (Tier 3), with each tier building on the previous tier.
The framework profile – This component conveys how an organization manages cybersecurity risk in each of the framework’s core functions and categories by identifying the subcategories that are implemented or planned for implementation. Profiles are used to identify the appropriate goals for an organization or for a critical infrastructure sector and to assess progress against meeting those goals.
The three framework components are designed to assist organizations with critical infrastructure by:
(1) Providing industry and government with a common cybersecurity taxonomy
(2) Establishing goals and targets
(3) Identifying and prioritizing opportunities for improvement
(4) Assessing progress
(5) Improving communications between stakeholders
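To make the profile mechanics concrete (the Current-versus-Target comparison described above, and items (2) through (4) of the list), here is an added example written for this post, not code from Protiviti’s report or from NIST: a small Python model of the core, tiers and profiles. The subcategory names and the two sample profiles are constructed for illustration, since the draft text names only the categories.

```python
# Added illustration (not from the Protiviti report or the NIST draft): a minimal model
# of the framework core, tiers and profiles, used to compare a Current Profile with a
# Target Profile, prioritize the gaps and measure progress. Subcategory names below are
# constructed for the example; they are not NIST identifiers.
from dataclasses import dataclass

# Core: function -> category -> subcategories. Only "protect" is filled in, with the
# four categories the text names and constructed subcategories beneath them.
CORE = {"protect": {
    "access control": ["remote access is managed", "least privilege enforced"],
    "data security": ["data at rest protected", "data in transit protected"],
    "awareness and training": ["users trained on their roles"],
    "protective technology": ["audit logs maintained"],
}}
STATES = ("not addressed", "planned", "implemented")  # ordered implementation states
ALL_SUBS = [s for cats in CORE.values() for subs in cats.values() for s in subs]

@dataclass
class Profile:
    tier: int     # implementation tier, 0 ("partial") to 3 ("adaptive")
    status: dict  # subcategory -> one of STATES; a missing entry means "not addressed"

    def __post_init__(self):
        if self.tier not in range(4) or set(self.status.values()) - set(STATES):
            raise ValueError("tier must be 0..3 and every state must be in STATES")

    def level(self, sub):
        return STATES.index(self.status.get(sub, "not addressed"))

def gap_report(core, current, target):
    """Subcategories where current falls short of target, largest shortfall first,
    plus the tier gap. The stable sort keeps core order within one priority."""
    gaps = [{"function": f, "category": c, "subcategory": s,
             "current": STATES[current.level(s)], "target": STATES[target.level(s)],
             "priority": target.level(s) - current.level(s)}
            for f, cats in core.items() for c, subs in cats.items() for s in subs
            if current.level(s) < target.level(s)]
    gaps.sort(key=lambda g: -g["priority"])
    return {"tier_gap": max(0, target.tier - current.tier), "subcategory_gaps": gaps}

def progress(current, target):
    """(met, required): subcategories the target calls for vs. those already at target."""
    required = [s for s in ALL_SUBS if target.level(s) > 0]
    return sum(current.level(s) >= target.level(s) for s in required), len(required)

# Constructed sample profiles for one organization.
CURRENT = Profile(tier=1, status={"remote access is managed": "implemented",
                                  "data in transit protected": "planned",
                                  "users trained on their roles": "implemented"})
TARGET = Profile(tier=3, status={s: "implemented" for s in ALL_SUBS})
TARGET.status["data at rest protected"] = "planned"  # accepted as a later goal
```

Running `gap_report(CORE, CURRENT, TARGET)` lists the four subcategories still short of the target with the two largest shortfalls first, and `progress(CURRENT, TARGET)` reports that two of the six target subcategories are already met.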
You can read more here.