National Institute of Standards and Technology Publishes New Guidance on Privacy Controls
On December 16, NIST announced the release of its new guidance on assessing the security and privacy safeguards in place for federal information systems and organizations (Special Publication 800-53A, Revision 4). The updated guidance will be used by government IT security professionals to “assess a wide range of software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks.” The new assessment guidance complements NIST’s Security and Privacy Controls for Federal Information Systems and Organizations catalogue (Special Publication 800-53), which defines the controls being assessed.
NIST Releases Final Cybersecurity Framework
On February 12, the Obama Administration released the Cybersecurity Framework prepared by NIST, as called for by Executive Order 13636, issued by President Obama one year earlier. The Framework organizes best practices regarding cyber risks into three components—the Framework Core, Profiles and Tiers—each of which “reinforces the connection between business drivers and cybersecurity activities.” The Framework Core is a set of cybersecurity activities, desired outcomes, and informative references (citations to existing standards and guidelines) that are common across critical infrastructure sectors. The activities are grouped into five functions—Identify, Protect, Detect, Respond, and Recover—which provide a high-level view of an organization’s management of cyber risks. The second component, Profiles, is designed to help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources, and to compare a “current” profile against a “target” profile to identify gaps. Finally, the Tiers component (ranging from Tier 1, “Partial,” to Tier 4, “Adaptive”) gives organizations a way to characterize the rigor of their approach and processes for managing cyber risk. The Department of Homeland Security has established a voluntary program intended to increase awareness and use of the Framework to help organizations of all sizes manage cybersecurity risks and improve the security and resilience of critical infrastructure. NIST hopes the Framework will serve as a model for international cooperation on strengthening critical infrastructure cybersecurity, and it will continue to update and improve the Framework as industry provides feedback on implementation. NIST also issued a Roadmap that discusses its next steps with the Framework and identifies key areas for cybersecurity development, alignment, and collaboration.
NIST Cybersecurity Framework Will Not Include Privacy Standards Appendix
On January 15, NIST updated the status of its efforts to finalize the voluntary Cybersecurity Framework directed by President Obama’s Executive Order 13636. According to the update, NIST expects to publish the final framework on February 13, 2014, but this first version will not include an appendix with specific privacy standards. Citing insufficient support from stakeholders for the draft privacy appendix, NIST instead will include an alternative methodology that it believes will better allow organizations to incorporate general privacy principles when implementing a cybersecurity program.
NIST Releases Preliminary Cybersecurity Framework
On October 22, the National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework pursuant to President Obama’s Executive Order 13636, titled Improving Critical Infrastructure Cybersecurity. The Preliminary Framework seeks to help critical infrastructure owners and operators reduce cybersecurity risks through voluntary best practices. The financial services sector is one of the many sectors identified as critical, and NIST notes that the Preliminary Framework can be applied by organizations beyond those contemplated by the Executive Order. The Preliminary Framework outlines steps that can be customized to various sectors and adapted by organizations of any size while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The Preliminary Framework is intended to help all organizations identify and prioritize opportunities for improving cybersecurity risk management. NIST will accept public comments for 45 days, will hold a workshop on the Preliminary Framework on November 14 and 15 at North Carolina State University, and will release the finalized framework in February 2014, as required by the Executive Order.
NIST Releases Draft Cybersecurity Framework
Recently, the National Institute of Standards and Technology (NIST) released a discussion draft of its preliminary cybersecurity framework. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The discussion draft framework provides a uniform guide for developing robust cybersecurity programs for organizations. It provides a common structure for managing cybersecurity risk, is intended to help organizations identify and understand their dependencies on business partners, vendors, and suppliers, and is designed to facilitate coordination of cybersecurity risk within industries. The Framework places cybersecurity activities into five functions – identify, protect, detect, respond, and recover – and urges organizations to implement capabilities in each area. NIST released the draft in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. It also is accepting comments via email.
White House Outlines Potential Cybersecurity Incentives
On August 6, the White House released proposed incentives to drive participation in the cybersecurity program framework under development by the National Institute of Standards and Technology. Both the framework and the incentives were directed by an Executive Order (EO) issued earlier this year by President Obama. The administration notes that while some of the proposed incentives can be adopted soon after the voluntary framework is established, others will require legislative action. The policy options under consideration include, among others, (i) encouraging cybersecurity insurance, (ii) offering critical infrastructure grants, (iii) limiting liability of participating companies, (iv) streamlining regulations, and (v) providing public recognition.
NIST Releases Minor Updates to Digital Signature Standard
On July 23, the National Institute of Standards and Technology released a revised Digital Signature Standard (FIPS 186-4), the standard used to ensure the integrity of electronic documents and the identity of the signer. The revision includes no major changes, but it updates the standard to align with other NIST publications so that all NIST documents offer consistent guidance on the use of random number generators. Another revision concerns the prime number generation methods used to construct signing keys, which must be seeded with random initial values before searching for prime numbers; a predictable starting point yields predictable primes, and therefore predictable keys.
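The following Python program is an added illustration of the point above; it is not code from NIST or from FIPS 186-4, and it does not implement the standard's exact prime-generation procedure. It shows a generic probable-prime search (trial division followed by Miller-Rabin) and demonstrates the failure mode the revision guards against: when the initial value and the test bases come from a fixed seed, the "generated" prime is the same on every run, whereas an OS-backed CSPRNG gives fresh primes. The seed value, bit lengths, and function names are illustrative choices made for this example.

```python
"""Added example (not NIST's code): why a prime search needs random initial values."""
import random
import secrets

# Small odd primes for cheap trial division before the Miller-Rabin rounds.
_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 40, rng=secrets.randbelow) -> bool:
    """Miller-Rabin test with `rounds` random bases drawn from rng(k) in [0, k)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    if n % 2 == 0:
        return n == 2
    # Write n - 1 as d * 2^s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + rng(n - 3)          # uniform base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True


def find_prime(start: int, rng=secrets.randbelow) -> int:
    """Return the first probable prime >= start, walking odd candidates upward."""
    n = start | 1
    while not is_probable_prime(n, rng=rng):
        n += 2
    return n


def generate_prime(bits: int, rng=secrets.randbelow) -> int:
    """Generate a `bits`-bit probable prime from an initial value drawn from rng."""
    while True:
        # Top bit set so the result really has `bits` bits; low bit set so it is odd.
        start = rng(1 << bits) | (1 << (bits - 1)) | 1
        p = find_prime(start, rng)
        if p.bit_length() == bits:
            return p


def demo_seed_reuse(bits: int = 128) -> tuple:
    """Returns (fixed_seed_primes_equal, csprng_primes_equal).

    With a fixed seed (the flaw the revision warns against) two independent
    "generations" produce the identical prime; with the OS CSPRNG they differ.
    The seed 1234 is an arbitrary illustrative value.
    """
    fixed_a = generate_prime(bits, random.Random(1234).randrange)
    fixed_b = generate_prime(bits, random.Random(1234).randrange)
    fresh_a = generate_prime(bits)
    fresh_b = generate_prime(bits)
    return fixed_a == fixed_b, fresh_a == fresh_b


if __name__ == "__main__":
    same_fixed, same_fresh = demo_seed_reuse()
    print("fixed seed reproduces prime:", same_fixed)   # True
    print("CSPRNG reproduces prime:   ", same_fresh)    # False
```

The search itself is deterministic once the starting point is chosen, so all of the secrecy of the resulting prime rests on the entropy of that initial value; this is the property the revised standard ties to its random number generator guidance.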
NIST Releases Draft Outline of Cybersecurity Framework
On July 2, the National Institute of Standards and Technology (NIST) released a draft outline of a framework to improve the cybersecurity of certain critical infrastructure. It proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need, and application of the framework in business. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. It solicited and recently analyzed public comments about the voluntary framework. Based on certain comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts. NIST also released a draft compendium of existing standards, practices, and guidelines to reduce cyber risks to critical infrastructure industries. It plans to publish the official draft Cybersecurity Framework for public comment in October 2013.
NIST Issues Mobile Device Security Guidelines
On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, the device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smartphones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycle, from provisioning through decommissioning. The recommendations aim to address security issues related to both organization-provided and personally-owned (“bring your own device”) mobile devices.
NIST Seeks Comments on Cloud Computing Security Document
On June 11, the National Institute of Standards and Technology (NIST) published a draft security document that provides a comprehensive security model to supplement other NIST efforts to develop a standard vocabulary and implementation framework for the integration of cloud-based applications across the government. NIST will accept comments on the draft document through July 12, 2013. Although NIST’s resources are developed for use by federal agencies, they can influence other policy decisions and may serve as a resource for private firms seeking to understand the benefits and risks of cloud technology.