After Healthcare.gov debacle, group pushes for tests of NIST cybersecurity framework
More needs to be done to identify what adoption of framework really means, ISA says
Computerworld - The Internet Security Alliance, a multi-sector trade association, wants to know what adoption of a new cybersecurity framework will entail for companies in critical infrastructure industries.
In a proposal pitched to the Department of Homeland Security and sector specific agencies, the ISA this week called for beta tests on the National Institute of Standards and Technology's framework to identify the cost-effectiveness of adopting the controls it recommends.
""We have already seen the results of not doing enough testing before launching a major program with Healthcare.gov," said Larry Clinton, president and CEO of the ISA. "Similarly, the cybersecurity framework needs to be tested just as the private sector would do with any major product or service before it was rolled," he said in a statement
The framework is a core component of President Obama's Cybersecurity Executive Order issued in February. It is designed to serve as a security best practices guide for companies in critical industries, including telecommunications, financial services and energy.
The framework offers specific guidance on how companies can identify assets that need to be protected, the controls and the standards that they can use to achieve that goal and measures they can take to detect, respond and recover from a cyberattack.
The framework, which was developed with extensive input from industry stakeholders, is not a standard by itself but more of an information resource that companies can use to identify and close gaps in their security. It is also designed to help companies evaluate their security posture and move them toward specific security goals.
The NIST released a draft version of the framework in October and is scheduled to release a final version in February.
Critical infrastructure companies are not required to follow the advice in the framework. But many expect that once the framework is released, it will become a de facto best practices guide for information security in critical sectors. Some legal experts have warned that companies that don't have the security controls referenced in the framework could find themselves exposed to liability issues in the event of a breach.
The government has said it will consider offering incentives to get companies to adopt the security measures recommended in the framework.
The big issue is that there is little to no clarity on what "adopting" the framework means, Clinton said in an interview with Computerworld on Friday.
"The government is saying that adopting the framework will get you this incentive. But first you've got to know what you have to do in order to get the incentives," he said. "We are going to have to get some clarity on what it means to adopt the framework," he continued. "Does it depend on the sector, do you have to adopt everything? These are issues we need to wrestle to the ground," before NIST rolls out the framework next year, he said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts