With cyber threats the new normal, organizations must put NIST best practices into play
Cybersecurity framework gives businesses of all sizes and sectors a basis for privacy and protection of internet traffic
By Byron Acohido, ThirdCertainty
Put aside the cyber threats, which continue to worsen. All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.
Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do in order to protect information stored electronically.
That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.
And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).
I recently sat down with Edric Wyatt, security analyst at CyberScout, to discuss the first step any organization, of any size and in any sector, can take to become more security mature: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST Special Publication (SP) 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are a few takeaways from our discussion:
NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration likewise refers to the NIST framework in its guidance for medical device manufacturers.
NIST is proactive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective, proactive steps to improve any organization’s digital security posture. Implementation materials are available at no cost to organizations of all types and sizes, including small and midsize companies, educational institutions, and state and local government agencies.
NIST is flexible. At the end of the day, the NIST series guides organizations in shaping security policies and security controls that are flexible, adaptable and effective. One vital component is senior management buy-in. New policies can and should be implemented and tweaked in a methodical, measurable manner, and championed by senior leaders. The goal should not be just tightening security, Wyatt says, but also making one’s organization more reliably productive. A continual feedback loop can help keep controls alive and vital, he says.
For a deeper drill down on our conversation, please view the accompanying video.