Demystifying NIST – Part 2 – Implementation
During my last blog post on NIST, I discussed the impact the framework will have on business, specific industries and critical infrastructure. Let's now discuss how businesses can use it to drive business processes.
Through the introduction of the framework, an organization will have:
- A way to communicate the security program in terms of business drivers, which will yield better funding opportunities.
- A standard method for evaluating and discussing the appropriateness of a security program. This documented strategy lets us transition from a sporadically funded security program to a discussion of trade-offs, based on risk.
- A philosophy that reinforces security and threat mitigation as ongoing lifecycles rather than one-time projects.
- Achievement of strategic program development and investments.
- Scalable programs that provide mechanisms to manage today's threats and tomorrow's challenges.
Through implementation, the framework:
- Will most likely be used to argue security negligence. It will set a precedent, from a legal perspective, by raising the question of why a business would not use a set of best practices designed to prevent advanced attacks.
- Will most likely be the center for "reasonable" security given its origin (both public and private sector collaboration).
- Sets a precedent for "due diligence" in a contractual context, where organizations will only conduct business with partners/vendors that implement the framework.
- Will potentially negatively affect insurance premiums, if not implemented.
Q. Are there any government sponsored services to help business successfully use the framework?
The Department of Human Services (DHS) created the C³ Voluntary Program to assist and support those that are implementing the framework. The program serves as a point of contact and resource to assist organizations with framework use, and with public and private sector assistance and guidance.
Q. How do businesses transform the topic of security from a technology issue to a business issue?
The general spirit of the framework is focused on utilizing business drivers to guide cybersecurity activities. These activities, in turn, become part of your organization's threat and business risk management processes and strategies.
The framework emphasizes that security is a journey, requiring continuous improvement and treating security as a business process. It requires ongoing optimization in a quest to yield progressively better results. The framework frames security discussions around:
- How to organize a risk mitigation conversation
- Measuring and mitigating risk in your organization
- Applying a remediation plan and how to communicate that plan
Q. How does a business move from classification to data sensitivity?
Data classification is built out of a compliance framework and requires a long, drawn-out discovery process that is only effective for a point in time. This process leaves a business storing data everywhere, and it is never finished.
The NIST framework gives a process for moving from classification to data sensitivity by putting a laser focus on high-value information assets. Organizations need to move away from storing and classifying toward a system that provides visibility into what data they have, what is most important and who has access to it. The framework changes the old paradigm of making checklists to having a better understanding of the crown jewels.
Here are a few recommendations for achieving data sensitivity:
- Gain visibility into systems and end user populations.
- Decide what data is important to you, such as social security numbers, and then identify what groups are using the information.
- Have visibility into how employees are using the information and where it is going. Also, understand how they are sharing the information and through what systems.
- Put controls around the data that is most important to your organization.