The National Institute of Standards and Technology (NIST) has finalised its cybersecurity framework for the US critical infrastructure community. The voluntary guide is intended to make financial, energy, healthcare and other critical industries more resistant to cyberattacks.
Commissioned by President Obama a year ago, the Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 attempts to help businesses better manage cyber risk without additional regulatory requirements.
The framework offers a set of core actions companies can take to address cybersecurity risk:
- Identification: Develop the understanding to manage cybersecurity risk to systems, assets, data and capabilities.
- Protection: Implement appropriate safeguards to ensure delivery of critical infrastructure services.
- Detection: Identify a cybersecurity event.
- Response: Take action after a cybersecurity event is detected.
- Recovery: Restore the capabilities of critical infrastructure that were impaired by a cybersecurity event.
The framework also provides implementation tiers which characterise an organisation’s cybersecurity risk management practices over a range, from partial (Tier 1) to adaptive (Tier 4). “These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed,” NIST wrote.
The third part of the framework consists of profiles that allow an organisation to align its cybersecurity activities with its business requirements, risk tolerances and resources. The profiles should help companies progress from their current level of cybersecurity to their target level.
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director, said in a statement that the framework provides a consensus description of what is needed for a comprehensive cybersecurity program. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk,” he said. “It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”
NIST also released a roadmap to accompany the framework. The roadmap lays out a path toward future framework versions and ways to identify and address key areas for cybersecurity development, alignment and collaboration.
The framework has received praise from several organisations. Craig Silliman, Verizon senior vice president for public policy, applauded the Obama Administration for bringing together a wide range of stakeholders to create “a useful tool for companies as they consider the right mix of cyberdefenses to protect themselves and their customers.”
Others had mixed reactions. (ISC)², a large nonprofit membership body of certified information and software security professionals, expressed its support for the framework but acknowledged that implementation of its practices could be a problem. “The experts at NIST have put together a comprehensive, yet flexible, plan for organisations to effectively manage cyber risk under the increasing pressure of the nation’s evolving threat landscape,” said W. Hord Tipton, CISSP, executive director of (ISC)² and former CIO for the U.S. Department of Interior. “Unfortunately, the lack of qualified information security professionals with the skills and knowledge to create, understand, and implement such programs remains an area of improvement that must be further addressed.”
Paul Rosenzweig, founder of Red Branch Consulting PLLC and senior advisor to The Chertoff Group, questioned the framework’s effectiveness. He wrote on his blog that the framework will likely drive the private sector toward the NIST security model through common law liability. “If we layer on top of that other Federal incentives (like grants, or preferential access to threat and vulnerability information) the pressure to conform will be significant,” he noted. “And, yet, the security model is very ‘status quo’ and probably will not significantly improve security at the top end of the threat spectrum.”