Following months of feedback and successive revisions, the National Institute of Standards and Technology (NIST) has finally issued its voluntary cybersecurity framework. The release completes the year-long NIST public-private effort and fulfills a key part of the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union.
As it prepared the framework, NIST gathered feedback, insight and best practices from different sectors, including healthcare thought leaders such as the American Hospital Association (AHA). According to Lisa Sotto, head of the global privacy and data security practice at Hunton & Williams, the voluntary framework can be beneficial to healthcare organizations looking to shore up their existing security programs.
“I see this as being a significant driver. Healthcare organizations obviously already have to comply with regulations such as HIPAA, so their primary focus will be on a mandatory set of standards. However, this does provide a very good framework for considering cybersecurity, risk and management within an organization. Any CISO worth his or her salt will focus hard on this and make a determination as to the particular sections in this document that are particularly helpful.”
Designed as a roadmap for organizations with differing needs and levels of maturity (some are more advanced than others), the Framework has three components (the Framework Core, Profiles, and Tiers) that organizations can use to keep the link between business drivers and cybersecurity activities in view. The Framework also offers guidance on privacy and civil liberties considerations that may arise from cybersecurity activities, according to the release.
Framework Core – A set of cybersecurity activities, desired outcomes and informative references that are common across critical infrastructure sectors. The activities are grouped under five functions – Identify, Protect, Detect, Respond, Recover – that together give a high-level, lifecycle view of how an organization manages cyber risk. “I think the Framework core really follows the timeline of managing security within an organization with the five functions,” Sotto said. “I think that’s a useful way of looking at cybersecurity.”
Profiles – Profiles help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. An organization can use a Profile to describe its current cybersecurity state, to define a target state, to prioritize the gaps between the two, and to measure progress toward the target.
Tiers – Tiers give organizations a way to characterize how they view cyber risk and the processes they have in place to manage it. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into the organization’s overall risk management. NIST is explicit that the Tiers are not maturity levels; an organization should pick the Tier that fits its risk tolerance and resources rather than treating Tier 4 as a universal goal.
NIST framework privacy considerations
Another interesting area is privacy. The privacy methodology that had been contained in Appendix B of the preliminary draft has been replaced with a reasonably short discussion of the privacy issues an organization should consider. Perhaps the most important piece in terms of privacy, Sotto said, is having a process in place to assess how and when personal information is shared. “NIST has said this is a work in progress because it was so different in the draft and will certainly evolve from here,” she said.