In late October 2013, the U.S. National Institute of Standards and
Technology (NIST) released its Preliminary Cybersecurity Framework.
Although a U.S. standards-setting body, NIST is influential well
beyond the United States and is looked to as a
trendsetter in security, cloud computing and other IT
The Framework is voluntary and provides guidance on managing
cybersecurity risk for operators of critical infrastructure (e.g.,
power generation, transportation and telecommunications). President
Obama directed that the Framework be developed (Executive Order
13636, February 2013) to encourage these operators to manage
cybersecurity risk with the same rigour they apply to financial,
safety and operational risks. This is a recurrent theme in recent
thinking about cybersecurity.
Overview of the Preliminary Cybersecurity Framework
The Framework leverages many existing industry standards and is
designed to complement, rather than replace, an organization's
existing practices. It is a risk-based approach that
comprises three essential components:
1) The Framework Core consists of five functions (Identify, Protect, Detect, Respond and Recover), each subdivided into categories and subcategories. Each subcategory is mapped to informative references: existing industry standards, guidelines and best practices that an organization can adopt to achieve that outcome.
2) The Framework Profile is the tool used to help an organization reduce its cybersecurity risk. An organization is expected to create a "Current Profile" recording which Core outcomes it achieves today, and to compare it against its desired "Target Profile". The gaps between the two profiles indicate the areas for improvement.
3) The Framework Implementation Tiers describe the sophistication of an organization's risk-management practices. The classification ranges from Tier 1 (Partial) to Tier 4 (Adaptive); the higher the tier number, the more mature the organization's cybersecurity risk-management practices.
The Framework in Practice
Applying the essential components
mentioned above, the Framework recommends the following steps for
creating or improving a cybersecurity program:
Step 1: Identify the organization's business objectives, assets, regulatory requirements and overall risk tolerance.
Step 2: Create a Current Profile of the organization's cybersecurity risk using the Framework Core.
Step 3: Conduct a risk assessment of the organization's cybersecurity risks.
Step 4: Create a Target Profile describing the organization's desired cybersecurity outcomes.
Step 5: Determine, analyze and prioritize the gaps between the Current Profile and the Target Profile.
Step 6: Implement an action plan to minimize or eliminate the gaps between the Current Profile and the desired Target Profile.
On October 29, 2013, NIST opened a 45-day public comment period on
the Preliminary Framework. After collecting and analyzing the
feedback, NIST plans to release the final Framework in February
2014. The Framework is part of, and should be read in the context
of, a broad and intensifying response to cybersecurity by
businesses, industry and regulators. This topic should be on every
enterprise's radar.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.